Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/11/2024, 08:56

General

  • Target

    c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe

  • Size

    119KB

  • MD5

    9643154395cef6ad892847d9d1806756

  • SHA1

    9be8440a9c34a60b58410b93bcff09b76a9d9bbf

  • SHA256

    c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f

  • SHA512

    9811c24d3ad44ca7079411103d4dd0a127d46db8cd22cca28b1b384273d63dedc6e6068e82cb6c8b53ceb5f31308d525709a4431a8e9c5126df79d57875236c8

  • SSDEEP

    3072:2DQkrZoosbIfXJGWJGYvjKSFzPnqFR7Xe1ya+dLT:2DpoejJfm6zv2a1ya+pT

Signatures

  • Disables service(s) 3 TTPs
  • Modifies firewall policy service 3 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Maps connected drives based on registry 3 TTPs 3 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
    "C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe
      "C:\Users\Admin\AppData\Local\Temp\c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f.exe"
      2⤵
      • Modifies firewall policy service
      • Modifies visibility of hidden/system files in Explorer
      • Event Triggered Execution: Image File Execution Options Injection
      • Adds Run key to start application
      • Maps connected drives based on registry
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4012
      • C:\Windows\SysWOW64\sc.exe
        sc.exe config SharedAccess start= disabled
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:3828
      • C:\Windows\SysWOW64\netsh.exe
        netsh.exe firewall set opmode mode=disable profile=all
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4060

        Downloads

        • C:\ProgramData\MediaMangr0\btplayerctrl.exe

          Filesize

          119KB

          MD5

          9643154395cef6ad892847d9d1806756

          SHA1

          9be8440a9c34a60b58410b93bcff09b76a9d9bbf

          SHA256

          c0ebdb31e40c3fe62737041c72ec5e25f47ec29263dadc59369757946f753d0f

          SHA512

          9811c24d3ad44ca7079411103d4dd0a127d46db8cd22cca28b1b384273d63dedc6e6068e82cb6c8b53ceb5f31308d525709a4431a8e9c5126df79d57875236c8

        • C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\kymographs.dll

          Filesize

          66KB

          MD5

          42e4078c829a2e1d2734b0033847d2cc

          SHA1

          5f0279f9190c168d345e024f1e4b8739aec63cfc

          SHA256

          4cb8de133b9d26ba4d41ed9b4bae121e4b86760805d89f97331e2b5cbb4670b2

          SHA512

          56be830839f3a728cf844c1656a3cad1aed77d71754d5350b7133f4b02e5c947bcae5be23d7668f13255779ed8e51cc3001b831c76d777cb9e88343d23c093f2

        • memory/4012-6-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

        • memory/4012-11-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

        • memory/4012-13-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

        • memory/4012-17-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

        • memory/4012-18-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

        • memory/4012-19-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB

        • memory/4012-116-0x0000000000400000-0x000000000042C000-memory.dmp

          Filesize

          176KB