46ca281ddc8e04706b6173b232f5921948fbefcd943e3285ba0453b4215a209d

Analysis

max time kernel
149s
max time network
128s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7a55e33d98ae3e52b3f7b69cc2f40f5.exe
Size

141KB
MD5

c7a55e33d98ae3e52b3f7b69cc2f40f5
SHA1

c86adbd9870fde9e573847783e10b59fd7e39b98
SHA256

46ca281ddc8e04706b6173b232f5921948fbefcd943e3285ba0453b4215a209d
SHA512

8c27160e6debde830166bdf0f186f5c4c5e156f9b0f9970dd264acd0e5c6822d8d1dce45a94f373a5bd6ab6e7de7b449957410a8ebc69ef24f0039663bb64a4e
SSDEEP

1536:yPtYah8awcJPxL/sGkp7erPQVVkF0Oq+AcRe7PA7n02rd9cqCmh6DY5atOXPQpZI:yOaWaR/sGkpCje7PA7n0SJVobcwhHU

Score

8^/10

evasion persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2776	Rundll32.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 9 IoCs

pid	Process
1932	Rundll32.exe
1932	Rundll32.exe
1932	Rundll32.exe
1932	Rundll32.exe
2776	Rundll32.exe
2776	Rundll32.exe
2776	Rundll32.exe
2776	Rundll32.exe
2776	Rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe"	Rundll32.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	Rundll32.exe
File opened (read-only)	\??\F:	Rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ftgdtbtb.dll	c7a55e33d98ae3e52b3f7b69cc2f40f5.exe
File created	C:\Windows\SysWOW64\tgaaactb.dll	c7a55e33d98ae3e52b3f7b69cc2f40f5.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\AAV\CDriver.sys	Rundll32.exe

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3020	sc.exe
2156	sc.exe
2544	sc.exe
2584	sc.exe
2692	sc.exe
1476	sc.exe
3016	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1932	Rundll32.exe
1932	Rundll32.exe
1932	Rundll32.exe
1932	Rundll32.exe
1932	Rundll32.exe
1932	Rundll32.exe
1932	Rundll32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
480	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1988	c7a55e33d98ae3e52b3f7b69cc2f40f5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1932	1988	c7a55e33d98ae3e52b3f7b69cc2f40f5.exe	28
PID 1988 wrote to memory of 1932	1988	c7a55e33d98ae3e52b3f7b69cc2f40f5.exe	28
PID 1988 wrote to memory of 1932	1988	c7a55e33d98ae3e52b3f7b69cc2f40f5.exe	28
PID 1988 wrote to memory of 1932	1988	c7a55e33d98ae3e52b3f7b69cc2f40f5.exe	28
PID 1988 wrote to memory of 1932	1988	c7a55e33d98ae3e52b3f7b69cc2f40f5.exe	28
PID 1988 wrote to memory of 1932	1988	c7a55e33d98ae3e52b3f7b69cc2f40f5.exe	28
PID 1988 wrote to memory of 1932	1988	c7a55e33d98ae3e52b3f7b69cc2f40f5.exe	28
PID 1932 wrote to memory of 1268	1932	Rundll32.exe	29
PID 1932 wrote to memory of 1268	1932	Rundll32.exe	29
PID 1932 wrote to memory of 1268	1932	Rundll32.exe	29
PID 1932 wrote to memory of 1268	1932	Rundll32.exe	29
PID 1932 wrote to memory of 1388	1932	Rundll32.exe	30
PID 1932 wrote to memory of 1388	1932	Rundll32.exe	30
PID 1932 wrote to memory of 1388	1932	Rundll32.exe	30
PID 1932 wrote to memory of 1388	1932	Rundll32.exe	30
PID 1932 wrote to memory of 3016	1932	Rundll32.exe	33
PID 1932 wrote to memory of 3016	1932	Rundll32.exe	33
PID 1932 wrote to memory of 3016	1932	Rundll32.exe	33
PID 1932 wrote to memory of 3016	1932	Rundll32.exe	33
PID 1932 wrote to memory of 3020	1932	Rundll32.exe	34
PID 1932 wrote to memory of 3020	1932	Rundll32.exe	34
PID 1932 wrote to memory of 3020	1932	Rundll32.exe	34
PID 1932 wrote to memory of 3020	1932	Rundll32.exe	34
PID 1932 wrote to memory of 2156	1932	Rundll32.exe	37
PID 1932 wrote to memory of 2156	1932	Rundll32.exe	37
PID 1932 wrote to memory of 2156	1932	Rundll32.exe	37
PID 1932 wrote to memory of 2156	1932	Rundll32.exe	37
PID 1932 wrote to memory of 2544	1932	Rundll32.exe	38
PID 1932 wrote to memory of 2544	1932	Rundll32.exe	38
PID 1932 wrote to memory of 2544	1932	Rundll32.exe	38
PID 1932 wrote to memory of 2544	1932	Rundll32.exe	38
PID 1268 wrote to memory of 2580	1268	net.exe	39
PID 1268 wrote to memory of 2580	1268	net.exe	39
PID 1268 wrote to memory of 2580	1268	net.exe	39
PID 1268 wrote to memory of 2580	1268	net.exe	39
PID 1932 wrote to memory of 2584	1932	Rundll32.exe	40
PID 1932 wrote to memory of 2584	1932	Rundll32.exe	40
PID 1932 wrote to memory of 2584	1932	Rundll32.exe	40
PID 1932 wrote to memory of 2584	1932	Rundll32.exe	40
PID 1932 wrote to memory of 2692	1932	Rundll32.exe	44
PID 1932 wrote to memory of 2692	1932	Rundll32.exe	44
PID 1932 wrote to memory of 2692	1932	Rundll32.exe	44
PID 1932 wrote to memory of 2692	1932	Rundll32.exe	44
PID 1388 wrote to memory of 2644	1388	net.exe	43
PID 1388 wrote to memory of 2644	1388	net.exe	43
PID 1388 wrote to memory of 2644	1388	net.exe	43
PID 1388 wrote to memory of 2644	1388	net.exe	43
PID 1932 wrote to memory of 1988	1932	Rundll32.exe	27
PID 1932 wrote to memory of 1988	1932	Rundll32.exe	27
PID 1932 wrote to memory of 1268	1932	Rundll32.exe	29
PID 1932 wrote to memory of 1268	1932	Rundll32.exe	29
PID 1932 wrote to memory of 1388	1932	Rundll32.exe	30
PID 1932 wrote to memory of 1388	1932	Rundll32.exe	30
PID 1932 wrote to memory of 3020	1932	Rundll32.exe	34
PID 1932 wrote to memory of 3020	1932	Rundll32.exe	34
PID 1932 wrote to memory of 2156	1932	Rundll32.exe	37
PID 1932 wrote to memory of 2156	1932	Rundll32.exe	37
PID 1932 wrote to memory of 2544	1932	Rundll32.exe	38
PID 1932 wrote to memory of 2544	1932	Rundll32.exe	38
PID 1932 wrote to memory of 2580	1932	Rundll32.exe	39
PID 1932 wrote to memory of 1476	1932	Rundll32.exe	47
PID 1932 wrote to memory of 1476	1932	Rundll32.exe	47
PID 1932 wrote to memory of 1476	1932	Rundll32.exe	47
PID 1932 wrote to memory of 1476	1932	Rundll32.exe	47

C:\Users\Admin\AppData\Local\Temp\c7a55e33d98ae3e52b3f7b69cc2f40f5.exe
"C:\Users\Admin\AppData\Local\Temp\c7a55e33d98ae3e52b3f7b69cc2f40f5.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32 C:\Windows\system32\ftgdtbtb.dll Exbcute
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1268
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:2580
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:2644
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:3016
- - C:\Windows\SysWOW64\sc.exe
    sc config MpsSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:3020
- - C:\Windows\SysWOW64\sc.exe
    sc stop ZhuDongFangYu
    3⤵
    - Launches sc.exe
    PID:2156
- - C:\Windows\SysWOW64\sc.exe
    sc delete ZhuDongFangYu
    3⤵
    - Launches sc.exe
    PID:2544
- - C:\Windows\SysWOW64\sc.exe
    sc stop 360rp
    3⤵
    - Launches sc.exe
    PID:2584
- - C:\Windows\SysWOW64\sc.exe
    sc delete 360rp
    3⤵
    - Launches sc.exe
    PID:2692
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" stop PolicyAgent
    3⤵
    - Launches sc.exe
    PID:1476
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32 C:\Windows\system32\tgaaactb.dll Exbcute
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ftgdtbtb.dll

Filesize
76KB

MD5
daa33ef6d3c95bbfa74d11219688929e

SHA1
0edea7ee52d36aad386d3ef59ebf6ce1b458794c

SHA256
a37c51c9d328a4b55218cdb7ba00c62ad3401b36074784fda0ae220a2083449c

SHA512
5762bba8df17614568580e29b5c3d684a886e2d6e369c2614da2d00dd8096920c0656c4ae65a22ad822a4a34f9d5b928474b4ab8670d952a92f68803fb13fedb

Download Submit
C:\Windows\SysWOW64\tgaaactb.dll

Filesize
22KB

MD5
2429ee006793ad04a2cffa0290f8dee2

SHA1
69d064561db2473c9ee2b19304386bfb7b3d087f

SHA256
7b4f8bc7d667cadf40091284896503e2ccd2147733e3bfd99ded7218fe98d095

SHA512
6a06cf093cb35ac26a1ac487826af30fdaf967a12e9468a664069af4349afb8285195c950eee02348515dfc5f0fb98057f9e6eccb732ccba3681ea832d59cd01

Download Submit
\Users\Admin\AppData\Local\Temp\BE02.tmp

Filesize
1.7MB

MD5
b5eb5bd3066959611e1f7a80fd6cc172

SHA1
6fb1532059212c840737b3f923a9c0b152c0887a

SHA256
1ffb68a66f28f604adcae9c135f8dcf301316ab7fda8ebd294583c56dd26f7cc

SHA512
6c0743e0ff4922e859ba66b68040ab994dbae33e80c63ce8c993ad31a0c7aad6c6467484da1550063214953cd641dbf597438dd0c02f24164505d88ca80ea1b6

Download Submit
memory/1988-7-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download