Analysis

  • max time kernel
    92s
  • max time network
    94s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    11/06/2024, 17:31

General

  • Target
    New/dggw.exe
  • Size
    570KB
  • MD5
    bb5e489728d77d8d98792ef21634f6a6
  • SHA1
    96e5834b313a41173f156d3a09bb1a4b3595233a
  • SHA256
    cfcdfdff42246ab34c0f8a8ca746dc47ddb3cb757a23dd0a4c1fda5cdbc67cd8
  • SHA512
    6888b567193ff358ea9f3add80bae4c0bbc981e6f91294ac0a8277718fc7d52f94d45d288498c3d42a554d24b935f9e614733bf9adb011ff9a307315e67d2411
  • SSDEEP
    12288:LQM9bROJmafSPZDz7qElw2KxPo0q7qzC9b/uEvtHKYTsviIR8Cufe9ZqQwExr//b:Ld9Mrf7iaNVxowtTW0

Score
8/10

Malware Config

Signatures

  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 15 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 46 IoCs
  • Runs ping.exe 1 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New\dggw.exe
    "C:\Users\Admin\AppData\Local\Temp\New\dggw.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4868
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\systcm32\d.bat" "
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4068
      • C:\Windows\SysWOW64\sc.exe
        sc stop SysMaln
        3⤵
        • Launches sc.exe
        PID:4008
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im powershell.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2500
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2732
      • C:\Windows\Fonts\systcm32\csrss.exe
        C:\Windows\Fonts\systcm32\csrss.exe SysMaln C:\Windows\Fonts\systcm32\svchost.exe
        3⤵
        • Executes dropped EXE
        PID:1868
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:3456
      • C:\Windows\SysWOW64\reg.exe
        reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysMaln /v Description /d "Maintains and improves system performance over time" /t reg_sz /f
        3⤵
        PID:1248
      • C:\Windows\SysWOW64\reg.exe
        reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysMaln /v DisplayName /d "SysMaln" /t reg_sz /f
        3⤵
        PID:2052
      • C:\Windows\SysWOW64\reg.exe
        reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysMaln\Parameters
        3⤵
        PID:2788
      • C:\Windows\SysWOW64\reg.exe
        reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysMaln\Parameters /v AppDirectory /d "C:\Windows\Fonts\systcm32" /t reg_sz /f
        3⤵
        PID:688
      • C:\Windows\SysWOW64\reg.exe
        reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysMaln\Parameters /v Application /d ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\Windows\Fonts\systcm32\p.ps1"" /t reg_sz /f
        3⤵
        PID:796
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:3544
      • C:\Windows\SysWOW64\sc.exe
        sc start SysMaln
        3⤵
        • Launches sc.exe
        PID:1884
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1952
      • C:\Windows\SysWOW64\regini.exe
        regini 1.ini
        3⤵
        PID:1480
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HZ~5C39.tmp.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4792
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:4544
  • C:\Windows\Fonts\systcm32\svchost.exe
    C:\Windows\Fonts\systcm32\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4988
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Fonts\systcm32\p.ps1
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1036

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\HZ~5C39.tmp.bat
    Filesize
    154B
    MD5
    b353ff955637f6a2f47800c7bd0b3da0
    SHA1
    f5fd013641537430e8cf404db183c74990f7e30e
    SHA256
    a6c8dc3a38b01a8cd1d17a3d5c8217313a119134b0a7b0d328c94f0fbcdb2dec
    SHA512
    658942145716de5a5602ea638970f5d877a964ceb4a2c3c06fda1787cc30fa14fcce2de72d1aef09b9feb0468b7f681d35f231be61d24b7b208eef5e646828a4
  • C:\Windows\Fonts\systcm32\1.ini
    Filesize
    68B
    MD5
    c6c1441a5fb7e09711fb910bae0e082e
    SHA1
    7244e7c14447651b5dfdd694b5b9e0c7f202a6bb
    SHA256
    6b012598ae7d5e1704001d0cbf3d88605a38cb440f600fee58f685ab8de6803d
    SHA512
    31ab5c57a093c6b03f1be76bd2cae21653c637d5920820a20624442ad2bdd7bfc4e2edd25189cb58ba09a6b2d1327ab310769f3d8dc9c1d9dde063927298c982
  • C:\Windows\Fonts\systcm32\csrss.exe
    Filesize
    18KB
    MD5
    c43d1b84143fb2561f22e1a2c8facf53
    SHA1
    3f1357007f61f02f97f0aaabb8756c6eca2acebd
    SHA256
    bbf4c224f9861b2c1f5a1364ee71e38728495b2709621763053b979ba88522f1
    SHA512
    27a25ab6045498e0b7131be58556c685dfa01596675c3af689e61d8329e1a0eff4128c57e202c32c69271b84f57e7425c45fb5fa132ec0f5b352f86323ffa13e
  • C:\Windows\Fonts\systcm32\d.bat
    Filesize
    1KB
    MD5
    075ee74a95aea12d8e7b09559d14ec53
    SHA1
    ad806938aac7954c1bc0b94d031560b9101d3ba7
    SHA256
    acb3afbecef952522194d0559e5c8591a7cc431d74e6b4c62d326b6b91b3b6b4
    SHA512
    0d6aed8bfc70b3903c6072576741b2e5517baf41c460b1389ff9d05ab4e5d31895cfd271497f9ba490f4127fc2fe9bb6c0b8538539119d31ca8541493ce86ce2
  • C:\Windows\Fonts\systcm32\p.ps1
    Filesize
    17KB
    MD5
    d300b7fea85fd5d113533d4503a35e66
    SHA1
    17d26fc4159841f727c9e8f4de46f67ff46fdda1
    SHA256
    13aba0939793c189c2f40dd30a4da5d0b36b18c4545edd735a6d9e3d275b8d41
    SHA512
    995e473c9e7f2d5fe540902a627fb5da6176019697604d8c1458b685b7d080502e3575605e93d8a8dcf0ec26683bb8b31421a53f38aa3438962fd1edb20453a2
  • C:\Windows\Fonts\systcm32\svchost.exe
    Filesize
    8KB
    MD5
    4635935fc972c582632bf45c26bfcb0e
    SHA1
    7c5329229042535fe56e74f1f246c6da8cea3be8
    SHA256
    abd4afd71b3c2bd3f741bbe3cec52c4fa63ac78d353101d2e7dc4de2725d1ca1
    SHA512
    167503133b5a0ebd9f8b2971bca120e902497eb21542d6a1f94e52ae8e5b6bde1e4cae1a2c905870a00d772e0df35f808701e2cfbd26dcbb130a5573fa590060
  • C:\Windows\Temp\__PSScriptPolicyTest_00yqmglx.iv5.ps1
    Filesize
    60B
    MD5
    d17fe0a3f47be24a6453e9ef58c94641
    SHA1
    6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256
    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512
    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  • memory/1036-28-0x0000000004350000-0x00000000043B6000-memory.dmp
    Filesize
    408KB
  • memory/1036-27-0x0000000003A40000-0x0000000003A62000-memory.dmp
    Filesize
    136KB
  • memory/1036-29-0x00000000043C0000-0x0000000004426000-memory.dmp
    Filesize
    408KB
  • memory/1036-26-0x0000000003C20000-0x000000000424A000-memory.dmp
    Filesize
    6.2MB
  • memory/1036-38-0x00000000044C0000-0x0000000004817000-memory.dmp
    Filesize
    3.3MB
  • memory/1036-39-0x00000000048D0000-0x00000000048EE000-memory.dmp
    Filesize
    120KB
  • memory/1036-40-0x0000000004910000-0x000000000495C000-memory.dmp
    Filesize
    304KB
  • memory/1036-25-0x0000000001100000-0x0000000001136000-memory.dmp
    Filesize
    216KB
  • memory/1868-22-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize
    40KB