79abbd6f55d763c6c0af8885cc573dcfaf36059822dc6f2db005242578e0909b

Analysis

max time kernel
131s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-03-2024 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dominator/dominator.exe
Size

13.1MB
MD5

9f835ae0a98370c3f4677c9e6623a1c9
SHA1

49af270fb5d0322d96be88d90be2ede10e8663c9
SHA256

4cd55194a056eef2d3caa6dd414bc163138236c8be3bce26b6681622a1a7ef75
SHA512

5bf8d25c630467321dbaa1f946cfae37c9d2474eb03d7a275c84c9d075e6cb46fe2078e4fe1329ad78b1ef181c232483024919bd88a0a50c6023edcf23c72679
SSDEEP

196608:g3Dnr4gyh+fwPCbGvD73I9dVCxuGQDwI4jY1keiWJyFG+Wg5P0NbATCj/p0LG+A:g3z0IIPC6vHMVgSz4k1ke3e8liCrUG

Score

8^/10

evasion

Malware Config

Signatures

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	dominator.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	ldr_fONJrZ3j.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	dominator.exe

Executes dropped EXE 1 IoCs

pid	Process
4376	ldr_fONJrZ3j.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	ldr_fONJrZ3j.exe
File opened (read-only)	\??\VBoxMiniRdrDN	dominator.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1488	dominator.exe
1488	dominator.exe
4376	ldr_fONJrZ3j.exe
4376	ldr_fONJrZ3j.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 4376	1488	dominator.exe	102
PID 1488 wrote to memory of 4376	1488	dominator.exe	102
PID 1488 wrote to memory of 4688	1488	dominator.exe	104
PID 1488 wrote to memory of 4688	1488	dominator.exe	104

C:\Users\Admin\AppData\Local\Temp\Dominator\dominator.exe
"C:\Users\Admin\AppData\Local\Temp\Dominator\dominator.exe"
1⤵
- Looks for VMWare Tools registry key
- Checks computer location settings
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\Dominator\ldr_fONJrZ3j.exe
  "ldr_fONJrZ3j.exe" "C:\Users\Admin\AppData\Local\Temp\Dominator\dominator.exe"
  2⤵
  - Looks for VMWare Tools registry key
  - Executes dropped EXE
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Suspicious behavior: EnumeratesProcesses
  PID:4376
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\Dominator\dominator.exe >> NUL
  2⤵
  PID:4688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1304 --field-trial-handle=2256,i,18272763564106695635,11201593968620719822,262144 --variations-seed-version /prefetch:8
1⤵
PID:996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dominator\ldr_fONJrZ3j.exe

Filesize
8.6MB

MD5
5f9df5b66848fedd28da7b499328a975

SHA1
cd70bb4041f8b0c89b3811a5aa6af9ad0002ce3c

SHA256
8882cced47f7195ed364ac2d220f1f3e5b46f03c348706bde8ade17b287c4208

SHA512
13c9044b20130ba54ed6a8cc28aee0188137ab700530e8d4fc39093e6469e269da6691f25b7b0b79b8bf2d6debbba4f1a331a6672090f0a57a98d5799459ea2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dominator\ldr_fONJrZ3j.exe

Filesize
8.1MB

MD5
03f7ce8c5334711e4cbad95eda36c9c1

SHA1
c42ad23c053681399fb34e72919df9be8210a9ac

SHA256
c71e5f28c724527ed7c76bfa03b3a47526235b90375b1e12dce6ec03c13bcfff

SHA512
04e7f54b7260c9754c722374584109fbbe66b4441b7f35c0f8c37a949981ef24dc2de914ca2ae788e87b5917f72889f17bbf588a7154de6efeca0a2d24d954a1

Download Submit
memory/1488-0-0x00007FF8781F0000-0x00007FF8781F2000-memory.dmp

Filesize
8KB

Download
memory/1488-1-0x00007FF70CB00000-0x00007FF70E138000-memory.dmp

Filesize
22.2MB

Download
memory/1488-2-0x00007FF70CB00000-0x00007FF70E138000-memory.dmp

Filesize
22.2MB

Download
memory/1488-10-0x00007FF70CB00000-0x00007FF70E138000-memory.dmp

Filesize
22.2MB

Download
memory/4376-11-0x00007FF8781F0000-0x00007FF8781F2000-memory.dmp

Filesize
8KB

Download
memory/4376-13-0x00007FF672DE0000-0x00007FF67444A000-memory.dmp

Filesize
22.4MB

Download
memory/4376-12-0x00007FF672DE0000-0x00007FF67444A000-memory.dmp

Filesize
22.4MB

Download
memory/4376-17-0x00007FF672DE0000-0x00007FF67444A000-memory.dmp

Filesize
22.4MB

Download