Analysis

  • max time kernel
    3s
  • max time network
    5s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/09/2024, 06:14

Errors

Reason
Machine shutdown

General

  • Target

    c912bf3bd256028d28d1b13e405ebd412c5ee7e6f8306e910fbef3c6bfcc43c9N.exe

  • Size

    177KB

  • MD5

    f40a4a6faffea79774bdf8b9ade60c60

  • SHA1

    ab74bb77dd0e123796930f2bef2d24d7e4c4cb04

  • SHA256

    c912bf3bd256028d28d1b13e405ebd412c5ee7e6f8306e910fbef3c6bfcc43c9

  • SHA512

    3d5d9560d8471d1f4465d25bd79c47201edce3641ee89809fea2fc9bc451f9ff2eb167bc39ec8b1322b1a381a7087ab95b31344b5e38b5a4c951b5dfe788c441

  • SSDEEP

    3072:reMex5XhZInU/oCn+mFuGY0fsZwc1+f8V08IatORiGGYetUM5bZOdZW:rexxlInlE1zY0UZ51+UV08IrEhtrbZOW

Malware Config

Signatures

  • Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Enables test signing to bypass driver trust controls 1 TTPs 10 IoCs

    With TESTSIGNING enabled, the kernel loads any driver that carries a signature, including one from a self-signed test certificate, rather than requiring a chain to a trusted certificate authority. The change is stored in the BCD store and takes effect at the next boot, so it commonly precedes loading an unsigned or self-signed rootkit driver.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c912bf3bd256028d28d1b13e405ebd412c5ee7e6f8306e910fbef3c6bfcc43c9N.exe
    "C:\Users\Admin\AppData\Local\Temp\c912bf3bd256028d28d1b13e405ebd412c5ee7e6f8306e910fbef3c6bfcc43c9N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1856
    • C:\Users\Admin\AppData\Roaming\KB00138886.exe
      "C:\Users\Admin\AppData\Roaming\KB00138886.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:552
      • C:\Windows\SYSTEM32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        3⤵
        • Modifies boot configuration data using bcdedit
        • Enables test signing to bypass driver trust controls
        PID:744
      • C:\Windows\SYSTEM32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        3⤵
        • Modifies boot configuration data using bcdedit
        • Enables test signing to bypass driver trust controls
        PID:1272
      • C:\Windows\SYSTEM32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        3⤵
        • Modifies boot configuration data using bcdedit
        • Enables test signing to bypass driver trust controls
        PID:3176
      • C:\Windows\SYSTEM32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        3⤵
        • Modifies boot configuration data using bcdedit
        • Enables test signing to bypass driver trust controls
        PID:1884
      • C:\Windows\SYSTEM32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        3⤵
        • Modifies boot configuration data using bcdedit
        • Enables test signing to bypass driver trust controls
        PID:1440
      • C:\Windows\SYSTEM32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        3⤵
        • Modifies boot configuration data using bcdedit
        • Enables test signing to bypass driver trust controls
        PID:1880
      • C:\Windows\SYSTEM32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        3⤵
        • Modifies boot configuration data using bcdedit
        • Enables test signing to bypass driver trust controls
        PID:4772
      • C:\Windows\SYSTEM32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        3⤵
        • Modifies boot configuration data using bcdedit
        • Enables test signing to bypass driver trust controls
        PID:4724
      • C:\Windows\SYSTEM32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        3⤵
        • Modifies boot configuration data using bcdedit
        • Enables test signing to bypass driver trust controls
        PID:3836
      • C:\Windows\SYSTEM32\bcdedit.exe
        bcdedit.exe -set TESTSIGNING ON
        3⤵
        • Modifies boot configuration data using bcdedit
        • Enables test signing to bypass driver trust controls
        PID:3904
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\POS6050.tmp.BAT"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1240
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3993855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4988
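The two behaviours worth detecting in this tree are the dropped executable in `AppData\Roaming` and the ten `bcdedit.exe -set TESTSIGNING ON` invocations it spawns. The following is an added example of detection logic over process-creation events, not part of the sandbox report or its tooling: the event records are constructed to mirror the process tree above (PIDs and command lines taken from the report, the parent PID 1000 and the PowerShell-hosted admin activity invented for contrast), and the flat `pid`/`ppid`/`image`/`cmdline` schema is an assumed normalisation, not any particular EDR or Sysmon format. It goes beyond the report by also matching the sibling boot-configuration switches that weaken driver code integrity (`nointegritychecks`, `DDISABLE_INTEGRITY_CHECKS`).

```python
"""Flag bcdedit invocations that weaken driver code-integrity enforcement,
rank them by where the parent process runs from, and collapse repeated
attempts from one parent into a single alert."""
import re
from collections import Counter

# bcdedit accepts both "-set" and "/set", an optional {identifier}, and is
# case-insensitive. TESTSIGNING is what the report shows; the other two
# alternatives are the common sibling switches (added generalisation).
TAMPER_RE = re.compile(
    r"""bcdedit(?:\.exe)?["']?\s+[-/]set\s+(?:\{[^}]+\}\s+)?
        (?:testsigning\s+on
          |nointegritychecks\s+on
          |loadoptions\s+\S*ddisable_integrity_checks)""",
    re.IGNORECASE | re.VERBOSE,
)

# Parent images living in user-writable paths: a boot-config change from here
# is far more suspicious than one from a System32-hosted admin shell.
USER_WRITABLE_RE = re.compile(
    r"\\users\\[^\\]+\\appdata\\|\\users\\[^\\]+\\downloads\\"
    r"|\\windows\\temp\\|\\programdata\\",
    re.IGNORECASE,
)

MAIN = r"C:\Users\Admin\AppData\Local\Temp\c912bf3bd256028d28d1b13e405ebd412c5ee7e6f8306e910fbef3c6bfcc43c9N.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\KB00138886.exe"
BCDEDIT = r"C:\Windows\SYSTEM32\bcdedit.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"  # constructed

# Constructed events mirroring the report's process tree; ppid 1000 stands in
# for whatever launched the sample (not shown in the report).
EVENTS = [
    {"pid": 1856, "ppid": 1000, "image": MAIN, "cmdline": f'"{MAIN}"'},
    {"pid": 552, "ppid": 1856, "image": DROPPED, "cmdline": f'"{DROPPED}"'},
    {"pid": 1240, "ppid": 1856, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\POS6050.tmp.BAT"'},
    *[{"pid": pid, "ppid": 552, "image": BCDEDIT, "cmdline": "bcdedit.exe -set TESTSIGNING ON"}
      for pid in (744, 1272, 3176, 1884, 1440, 1880, 4772, 4724, 3836, 3904)],
    # Constructed admin activity for contrast: a read-only enumeration and one
    # interactive testsigning change from a System32-hosted shell.
    {"pid": 8000, "ppid": 1000, "image": POWERSHELL, "cmdline": "powershell.exe"},
    {"pid": 9000, "ppid": 8000, "image": BCDEDIT, "cmdline": "bcdedit /enum {current}"},
    {"pid": 9001, "ppid": 8000, "image": BCDEDIT, "cmdline": "bcdedit /set {current} testsigning on"},
]


def find_boot_tamper(events):
    """Return one finding per bcdedit invocation that weakens driver code
    integrity, enriched with the image of the process that launched it."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not TAMPER_RE.search(e["cmdline"]):
            continue  # /enum and other read-only uses are not flagged
        parent = by_pid.get(e["ppid"])
        parent_image = parent["image"] if parent else "<unknown>"
        findings.append({
            "pid": e["pid"],
            "ppid": e["ppid"],
            "cmdline": e["cmdline"],
            "parent_image": parent_image,
            "severity": "high" if USER_WRITABLE_RE.search(parent_image) else "medium",
        })
    return findings


def summarise(findings):
    """Collapse findings by parent so the ten identical bcdedit spawns in the
    report become one alert carrying a count instead of ten separate ones."""
    counts = Counter((f["ppid"], f["parent_image"], f["severity"]) for f in findings)
    return [{"ppid": ppid, "parent_image": img, "severity": sev, "attempts": n}
            for (ppid, img, sev), n in counts.items()]


if __name__ == "__main__":
    for alert in summarise(find_boot_tamper(EVENTS)):
        print(f'[{alert["severity"]}] ppid={alert["ppid"]} attempts={alert["attempts"]} '
              f'parent={alert["parent_image"]}')
```

The regex deliberately keys on the `set` verb plus the specific integrity-weakening options rather than on `bcdedit` alone, because `bcdedit /enum` is routine admin and backup-tool activity; the parent-path check is what separates this sample's pattern (a freshly dropped binary under `AppData\Roaming` driving the change) from an administrator doing the same thing deliberately, and the per-parent collapse keeps a loop like the one in this report from producing ten identical alerts.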

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\POS6050.tmp.BAT

          Filesize

          324B

          MD5

          01fb17a325ccf6ff303386de75668817

          SHA1

          ccb8d98b490645ecf212db631727d202dcafc48a

          SHA256

          b4f35f748e54e5b8662a88dc4ac63f3304479e4e407e07f1ae1c03358b5d40bf

          SHA512

          bacb592f2495d4084a34fd6c283a1d2d9f5441f4a68e66e112308e2907dc78769f01c6e3df6179b8fc6a44bed0cfd9afe2bb1582bb599cb35e9a7b6a87dd7e19

        • C:\Users\Admin\AppData\Roaming\KB00138886.exe

          Filesize

          177KB

          MD5

          f40a4a6faffea79774bdf8b9ade60c60

          SHA1

          ab74bb77dd0e123796930f2bef2d24d7e4c4cb04

          SHA256

          c912bf3bd256028d28d1b13e405ebd412c5ee7e6f8306e910fbef3c6bfcc43c9

          SHA512

          3d5d9560d8471d1f4465d25bd79c47201edce3641ee89809fea2fc9bc451f9ff2eb167bc39ec8b1322b1a381a7087ab95b31344b5e38b5a4c951b5dfe788c441

        • memory/552-11-0x0000000000400000-0x000000000046D000-memory.dmp

          Filesize

          436KB

        • memory/552-10-0x0000000000400000-0x000000000046D000-memory.dmp

          Filesize

          436KB

        • memory/552-15-0x0000000000400000-0x000000000046D000-memory.dmp

          Filesize

          436KB

        • memory/552-16-0x0000000000400000-0x000000000046D000-memory.dmp

          Filesize

          436KB

        • memory/552-18-0x0000000000400000-0x000000000046D000-memory.dmp

          Filesize

          436KB

        • memory/1856-3-0x0000000000400000-0x000000000046D000-memory.dmp

          Filesize

          436KB

        • memory/1856-4-0x0000000000400000-0x000000000046D000-memory.dmp

          Filesize

          436KB

        • memory/1856-1-0x0000000000401000-0x0000000000402000-memory.dmp

          Filesize

          4KB

        • memory/1856-0-0x0000000000400000-0x000000000046D000-memory.dmp

          Filesize

          436KB

        • memory/1856-13-0x0000000000400000-0x000000000046D000-memory.dmp

          Filesize

          436KB

        • memory/1856-2-0x0000000000400000-0x000000000046D000-memory.dmp

          Filesize

          436KB