Overview

overview

8

Static

static

3

MainDab.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    22s
  • max time network
    23s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-06-2024 08:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MainDab.exe

  • Size

    3.4MB

  • MD5

    61c8fbae47137392a395793c6389a7c3

  • SHA1

    a5830825fdf83ebc0c3c71efa08f930ef28c1bac

  • SHA256

    4e5eecfa5d74032e0e84be4735741c3c1487419de546904b1812bbbcdbe40d3d

  • SHA512

    62205d56d2b8672663a903273f1e11af1e4d8c53a8511247d23d7669de7724a7a5e1d12a182f48e829608ed333f395f185a82758e1ddafb5b9a695b86a7c13e1

  • SSDEEP

    49152:TbOtb7mvXnLg3yLA4rWpDoRvbLuzs2J3Y2pDSmalRS88cnR5MtAxToDF0BtSLR:WlsXnLmyLA1QvYs2Jo2oLAWoB0BK

Score
8/10
execution

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Powershell Invoke Web Request.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MainDab.exe
    "C:\Users\Admin\AppData\Local\Temp\MainDab.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C powershell -c Invoke-WebRequest -Uri 'https://k-storage.com/bootstrapper/files/krnl.dll' -OutFile 'C:\Users\Admin\AppData\Local\Temp\krnl.dll'
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -c Invoke-WebRequest -Uri 'https://k-storage.com/bootstrapper/files/krnl.dll' -OutFile 'C:\Users\Admin\AppData\Local\Temp\krnl.dll'
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4360
  • C:\Windows\SysWOW64\werfault.exe
    werfault.exe /h /shared Global\4b89c369de7d4f81b79fda80f664f86f /t 4176 /p 3040
    1⤵
      PID:2472

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2qkcrip1.rxd.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/3040-18-0x000000000C430000-0x000000000C44E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3040-1-0x0000000000EC0000-0x0000000001236000-memory.dmp

      Filesize

      3.5MB

      Download

    • memory/3040-3-0x0000000005C50000-0x0000000005C58000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3040-4-0x0000000005D90000-0x0000000005E2E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/3040-5-0x0000000075120000-0x00000000758D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3040-6-0x0000000075120000-0x00000000758D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3040-7-0x0000000075120000-0x00000000758D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3040-9-0x0000000007AC0000-0x0000000007B6A000-memory.dmp

      Filesize

      680KB

      Download

    • memory/3040-10-0x0000000007BE0000-0x0000000007C02000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3040-11-0x0000000006E30000-0x0000000006E38000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3040-12-0x0000000006E80000-0x0000000006EB8000-memory.dmp

      Filesize

      224KB

      Download

    • memory/3040-13-0x0000000006E50000-0x0000000006E5E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3040-48-0x0000000075120000-0x00000000758D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3040-17-0x000000000C470000-0x000000000C4E6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3040-47-0x000000007512E000-0x000000007512F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3040-0-0x000000007512E000-0x000000007512F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3040-40-0x000000000F760000-0x000000000F7B0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3040-2-0x0000000075120000-0x00000000758D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3040-19-0x000000000C7C0000-0x000000000C7DA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4360-29-0x0000000005570000-0x00000000055D6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4360-39-0x00000000055E0000-0x0000000005934000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4360-24-0x0000000004DD0000-0x00000000053F8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4360-41-0x0000000005BD0000-0x0000000005BEE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4360-42-0x0000000005C00000-0x0000000005C4C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4360-43-0x0000000007250000-0x00000000078CA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4360-23-0x0000000002610000-0x0000000002646000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4360-28-0x0000000005400000-0x0000000005466000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4360-44-0x00000000060E0000-0x00000000060FA000-memory.dmp

      Filesize

      104KB

      Download