Analysis

  • max time kernel
    137s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/01/2024, 16:09

General

  • Target

    6ffd84bf5de61e4df202e6838c5f46a2.exe

  • Size

    172KB

  • MD5

    6ffd84bf5de61e4df202e6838c5f46a2

  • SHA1

    968d2c8652e09530ec4dc8abda75c030f8f637dd

  • SHA256

    5e1a09edc5e2b9e239cd5328ca9c2b0071a74e97394797aa3029652c8ec8ef64

  • SHA512

    e8be04154252c44a84d985dea3f71554e4aa68fc9951eff3595d8e668c3ba5cac962d85153d3b364037e4810da2a69474155e44052c91f3483f6b888162cb46f

  • SSDEEP

    1536:EY04hGCNdxuD/pr3ZKTKdjPgaLxtsiBAtbu2PJ8lrhcUUq2Mzbv0BKo/tgS:DGO45pKw4yX2P+lrmUUq2wbuZtf

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Launches sc.exe 2 IoCs

    sc.exe is a Windows utility for controlling services on the system; here it is used to set the start type of wscsvc (Security Center) and SharedAccess (Windows Firewall/ICS) to DISABLED.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs net.exe
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ffd84bf5de61e4df202e6838c5f46a2.exe
    "C:\Users\Admin\AppData\Local\Temp\6ffd84bf5de61e4df202e6838c5f46a2.exe"
    1⤵
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2592
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "Security Center"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4520
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Security Center"
        3⤵
        PID:4796
    • C:\Windows\SysWOW64\sc.exe
      sc config wscsvc start= DISABLED
      2⤵
      • Launches sc.exe
      PID:568
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:856
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
        3⤵
        PID:3964
    • C:\Windows\SysWOW64\sc.exe
      sc config SharedAccess start= DISABLED
      2⤵
      • Launches sc.exe
      PID:3720
    • C:\Users\Admin\AppData\Roaming\xx9r.exe
      C:\Users\Admin\AppData\Roaming\xx9r.exe
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4672
      • C:\Users\Admin\AppData\Roaming\xx9r.exe
        C:\Users\Admin\AppData\Roaming\xx9r.exe -…
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1804
    • C:\Windows\SysWOW64\Rundll32.exe
      Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Roaming\mdinstall.inf
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2508
      • C:\Windows\SysWOW64\runonce.exe
        "C:\Windows\system32\runonce.exe" -r
        3⤵
        • Checks processor information in registry
        • Suspicious use of WriteProcessMemory
        PID:4640
        • C:\Windows\SysWOW64\grpconv.exe
          "C:\Windows\System32\grpconv.exe" -o
          4⤵
          PID:2380
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\yq4xr18ww.bat
      2⤵
      PID:1848

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\mdinstall.inf

    Filesize

    410B

    MD5

    3ccb3b743b0d79505a75476800c90737

    SHA1

    b5670f123572972883655ef91c69ecc2be987a63

    SHA256

    5d96bec9bc06fd8d7abc11efbb3cb263844ee0416910f63581dd7848b4e1d8dd

    SHA512

    09b1cdd4393f515f7569fbccc3f63051823ed7292b6e572bc9a34e4389b727b2914b22118e874864ccb32ef63016b2abd6d84510fd46fdee712fd84be59c114e

  • C:\Users\Admin\AppData\Roaming\xx9r.exe

    Filesize

    172KB

    MD5

    6ffd84bf5de61e4df202e6838c5f46a2

    SHA1

    968d2c8652e09530ec4dc8abda75c030f8f637dd

    SHA256

    5e1a09edc5e2b9e239cd5328ca9c2b0071a74e97394797aa3029652c8ec8ef64

    SHA512

    e8be04154252c44a84d985dea3f71554e4aa68fc9951eff3595d8e668c3ba5cac962d85153d3b364037e4810da2a69474155e44052c91f3483f6b888162cb46f

  • C:\Users\Admin\AppData\Roaming\yq4xr18ww.bat

    Filesize

    190B

    MD5

    59cb8c4c91aede30725feedad56b3db4

    SHA1

    d3fb39099dcf4577920afb672410d2ba5200b328

    SHA256

    11b602bab92e516b045d9641cdc08aa95fa9af686019fe4064c1b2b444fd9987

    SHA512

    f4266012f7a37d244b61cbb292069dc917cc770bff82b1e8ba641d12750f16923a429062b7f5e3652292adee146d0742cfdadfe48c89c69f0b788fb2c471aee8
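The process tree and the Downloads list together describe one recognisable chain driven by a single parent (PID 2592): stop and disable Security Center (wscsvc) and Windows Firewall/ICS (SharedAccess), execute a copy of the sample dropped to AppData\Roaming (xx9r.exe carries exactly the same hashes as the submitted file), install an INF through rundll32 setupapi,InstallHinfSection (the step that adds the Run key), and run a batch file from the same directory. The Python below is an added example and is not part of the sandbox report or of the sample: it runs detection rules over constructed process-creation events modelled on the tree (PIDs, images and command lines copied from the report; the root process's parent PID 1000 is assumed, and the elided argument of the second xx9r.exe launch is left out), correlates every hit under the parent that launched the offending child, and checks the dropped-file hashes for a self-copy. MpsSvc and WinDefend are added to the protected-service list as well-known equivalents that do not appear in this report.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str


class Finding(NamedTuple):
    pid: int
    ppid: int
    rule: str
    detail: str


# Services whose shutdown is a defence-evasion step. wscsvc and SharedAccess are
# the two in the report; MpsSvc and WinDefend are added as well-known equivalents.
PROTECTED_SERVICES = {"wscsvc", "sharedaccess", "mpssvc", "windefend"}
PROTECTED_DISPLAY_NAMES = {
    "security center",
    "windows firewall/internet connection sharing (ics)",
}
# Directories a standard user can write to.
USER_WRITABLE = re.compile(r"\\(?:appdata|temp|users\\[^\\]+\\downloads)\\", re.I)

SC_DISABLE = re.compile(r"(?:^|\\)sc(?:\.exe)?\s+config\s+(\S+)\s+start=\s*disabled\b", re.I)
NET_STOP = re.compile(r'(?:^|\\)net(?:1|\.exe)?\s+stop\s+"?([^"]+?)"?\s*$', re.I)
INF_INSTALL = re.compile(r"setupapi(?:\.dll)?,InstallHinfSection\s+\S+\s+\d+\s+(\S+\.inf)\b", re.I)
CMD_BAT = re.compile(r"\s/c\s+(\S+\.bat)\b", re.I)


def check_event(ev: Event) -> List[Finding]:
    """Stateless rules evaluated on a single process-creation event."""
    out = []
    m = SC_DISABLE.search(ev.cmdline)
    if m and m.group(1).lower() in PROTECTED_SERVICES:
        out.append(Finding(ev.pid, ev.ppid, "service_disabled", m.group(1)))
    m = NET_STOP.search(ev.cmdline)
    if m and m.group(1).strip().lower() in PROTECTED_DISPLAY_NAMES:
        out.append(Finding(ev.pid, ev.ppid, "service_stopped", m.group(1).strip()))
    m = INF_INSTALL.search(ev.cmdline)
    if m and USER_WRITABLE.search(m.group(1)):
        out.append(Finding(ev.pid, ev.ppid, "inf_install_from_user_dir", m.group(1)))
    m = CMD_BAT.search(ev.cmdline)
    if m and USER_WRITABLE.search(m.group(1)):
        out.append(Finding(ev.pid, ev.ppid, "batch_from_user_dir", m.group(1)))
    return out


def correlate(events: List[Event]) -> Dict[int, List[Finding]]:
    """Attach each finding to the parent that launched the offending child, so a
    'disable defences, drop, persist' chain shows up under one PID."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, List[Finding]] = defaultdict(list)
    for ev in events:
        findings[ev.ppid].extend(check_event(ev))
        parent = by_pid.get(ev.ppid)
        # A user-dir executable launching a *different* user-dir executable is the
        # "Executes dropped EXE" pattern; the dropped file re-launching itself is not.
        if (parent and USER_WRITABLE.search(parent.image) and USER_WRITABLE.search(ev.image)
                and parent.image.lower() != ev.image.lower()):
            findings[ev.ppid].append(Finding(ev.pid, ev.ppid, "dropped_exe_executed", ev.image))
    return {k: v for k, v in findings.items() if v}


def verdict(findings: List[Finding]) -> str:
    rules = {f.rule for f in findings}
    persistence = rules & {"inf_install_from_user_dir", "batch_from_user_dir"}
    if "service_disabled" in rules and "dropped_exe_executed" in rules and persistence:
        return "high"
    if rules & {"service_disabled", "service_stopped"}:
        return "medium"
    return "low"


def analyze(events: List[Event]) -> Dict[int, str]:
    return {ppid: verdict(fs) for ppid, fs in correlate(events).items()}


def self_copies(sample_sha256: str, dropped: Dict[str, str]) -> List[str]:
    """Dropped files whose SHA-256 equals the submitted sample: the malware copied
    itself rather than unpacking a distinct second-stage payload."""
    return sorted(p for p, h in dropped.items() if h.lower() == sample_sha256.lower())


ROOT = r"C:\Users\Admin\AppData\Local\Temp\6ffd84bf5de61e4df202e6838c5f46a2.exe"
DROPPED_EXE = r"C:\Users\Admin\AppData\Roaming\xx9r.exe"
# Constructed events modelled on the report's process tree (parent PID 1000 for the root is assumed).
SAMPLE_EVENTS = [
    Event(2592, 1000, ROOT, f'"{ROOT}"'),
    Event(4520, 2592, r"C:\Windows\SysWOW64\net.exe", 'net.exe stop "Security Center"'),
    Event(568, 2592, r"C:\Windows\SysWOW64\sc.exe", "sc config wscsvc start= DISABLED"),
    Event(856, 2592, r"C:\Windows\SysWOW64\net.exe",
          'net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"'),
    Event(3720, 2592, r"C:\Windows\SysWOW64\sc.exe", "sc config SharedAccess start= DISABLED"),
    Event(4672, 2592, DROPPED_EXE, DROPPED_EXE),
    Event(1804, 4672, DROPPED_EXE, DROPPED_EXE),
    Event(2508, 2592, r"C:\Windows\SysWOW64\Rundll32.exe",
          r"Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Roaming\mdinstall.inf"),
    Event(1848, 2592, r"C:\Windows\SysWOW64\cmd.exe",
          r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\yq4xr18ww.bat"),
]
SAMPLE_SHA256 = "5e1a09edc5e2b9e239cd5328ca9c2b0071a74e97394797aa3029652c8ec8ef64"
DROPPED_SHA256 = {  # SHA-256 values from the Downloads section of the report
    r"C:\Users\Admin\AppData\Roaming\mdinstall.inf": "5d96bec9bc06fd8d7abc11efbb3cb263844ee0416910f63581dd7848b4e1d8dd",
    DROPPED_EXE: "5e1a09edc5e2b9e239cd5328ca9c2b0071a74e97394797aa3029652c8ec8ef64",
    r"C:\Users\Admin\AppData\Roaming\yq4xr18ww.bat": "11b602bab92e516b045d9641cdc08aa95fa9af686019fe4064c1b2b444fd9987",
}

if __name__ == "__main__":
    for ppid, fs in correlate(SAMPLE_EVENTS).items():
        print(f"parent {ppid}: verdict={verdict(fs)}")
        for f in fs:
            print(f"  pid {f.pid}: {f.rule} ({f.detail})")
    print("self-copies:", self_copies(SAMPLE_SHA256, DROPPED_SHA256))
```

Grouping by parent is what turns four individually noisy events (net stop, sc config, rundll32 with an INF, cmd /c) into one high-confidence finding; the same rules run per event would fire on plenty of legitimate administration. The net1.exe children are deliberately not needed: net.exe's own command line already carries the service name, and attaching net1 hits to net.exe's PID would scatter the chain across parents.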