Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-11-2024 17:41

General

  • Target

    61c91ec5971cab5e0fee5fb661a8423795053296.exe

  • Size

    692KB

  • MD5

    5c39bea66ad2ef5fb46c6056d16f8d20

  • SHA1

    61c91ec5971cab5e0fee5fb661a8423795053296

  • SHA256

    7479e0c0e99eade4fae849781d8db1adf9f4f5c6a680d15efa659c0a26b85516

  • SHA512

    64a9c257f678d7f077fde3dad5bb56674498b2fc3730b4f5b3f804dcea5421ad265071979e5cfe3952f151ae35ae4aeabd1aaca5d114da8177b06c07e930cfb4

  • SSDEEP

    12288:eqDefdyZPJZ0oqJ7EL6ssaziHfzB2r13VhcMBVDeO8lnfIgMC+:5hJpy7ELNWUZ3VuqVDeO8e

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Stops running service(s) 4 TTPs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Launches sc.exe 9 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 17 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61c91ec5971cab5e0fee5fb661a8423795053296.exe
    "C:\Users\Admin\AppData\Local\Temp\61c91ec5971cab5e0fee5fb661a8423795053296.exe"
    1⤵
    • Windows security bypass
    • Loads dropped DLL
    • Windows security modification
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:268
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\9RhfV6L9\serv.bat"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system" /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • System Location Discovery: System Language Discovery
        PID:2900
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system" /v EnableVirtualization /t REG_DWORD /d 0 /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2664
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v RPSessionInterval /t REG_DWORD /d 0 /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2796
      • C:\Windows\SysWOW64\sc.exe
        sc stop windefend
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2636
      • C:\Windows\SysWOW64\sc.exe
        sc stop msmpsvc
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2824
      • C:\Windows\SysWOW64\sc.exe
        sc stop wuauserv
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2352
      • C:\Windows\SysWOW64\sc.exe
        sc stop wscsvc
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2628
      • C:\Windows\SysWOW64\PING.EXE
        ping localhost -w 1000 -n 3
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2792
      • C:\Windows\SysWOW64\sc.exe
        sc config windefend start= disabled
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2740
      • C:\Windows\SysWOW64\sc.exe
        sc config msmpsvc start= disabled
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2572
      • C:\Windows\SysWOW64\sc.exe
        sc config wuauserv start= disabled
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2828
      • C:\Windows\SysWOW64\sc.exe
        sc config wscsvc start= disabled
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2036
      • C:\Windows\SysWOW64\sc.exe
        sc config luafv start= disabled
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2028
      • C:\Windows\SysWOW64\PING.EXE
        ping localhost -w 1000 -n 2
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1776
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v MSASCui /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:856
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2280

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\9RhfV6L9\serv.bat

    Filesize

    824B

    MD5

    d6b3f8b8ad6b3964be094ce2f2f02539

    SHA1

    a2033d926f6b5ad5dd5c6dc5c88b429c13449309

    SHA256

    9580ab41a89b8233c3d3637c893e8cd7d0f658c183807576cb250a2ab70133b3

    SHA512

    fe09769a3ef0336cb5a193619d8fffa413cfd862a82a83512b8576cd1bcf849981a775e7c9f9cee4a96a41198f76ab98a65997734beb509825ab61a977334376

  • C:\Users\Admin\Desktop\System Doctor 2014 support.url

    Filesize

    112B

    MD5

    d201abad2d2dca1ccd401e4419421267

    SHA1

    773e9bc9f8adc19db7bf4cb45e66765a2c0da0d8

    SHA256

    85a638446470746e8b6329fa052c8e3a9e3e53ba6e800228498f524778d5fb5a

    SHA512

    75c585d579b4cef4d0f124f2d6eb01482747a591f5ea708f53d717fc810c9c830519dc0742d26f523f4214ca791e1b5c200b45a1654f6bd044b0b4e1f9a11856

  • \Users\Admin\AppData\Roaming\9RhfV6L9\9RhfV6L9.exe

    Filesize

    692KB

    MD5

    5c39bea66ad2ef5fb46c6056d16f8d20

    SHA1

    61c91ec5971cab5e0fee5fb661a8423795053296

    SHA256

    7479e0c0e99eade4fae849781d8db1adf9f4f5c6a680d15efa659c0a26b85516

    SHA512

    64a9c257f678d7f077fde3dad5bb56674498b2fc3730b4f5b3f804dcea5421ad265071979e5cfe3952f151ae35ae4aeabd1aaca5d114da8177b06c07e930cfb4

  • memory/268-35-0x0000000000400000-0x000000000051D000-memory.dmp

    Filesize

    1.1MB

  • memory/268-37-0x0000000000400000-0x000000000051D000-memory.dmp

    Filesize

    1.1MB

  • memory/268-1-0x0000000000400000-0x000000000051D000-memory.dmp

    Filesize

    1.1MB

  • memory/268-33-0x0000000000400000-0x000000000051D000-memory.dmp

    Filesize

    1.1MB

  • memory/268-34-0x0000000000400000-0x000000000051D000-memory.dmp

    Filesize

    1.1MB

  • memory/268-0-0x0000000000020000-0x0000000000024000-memory.dmp

    Filesize

    16KB

  • memory/268-36-0x0000000000400000-0x000000000051D000-memory.dmp

    Filesize

    1.1MB

  • memory/268-4-0x0000000000400000-0x000000000051D000-memory.dmp

    Filesize

    1.1MB

  • memory/268-39-0x0000000000400000-0x000000000051D000-memory.dmp

    Filesize

    1.1MB

  • memory/268-40-0x0000000000400000-0x000000000051D000-memory.dmp

    Filesize

    1.1MB

  • memory/268-41-0x0000000000400000-0x000000000051D000-memory.dmp

    Filesize

    1.1MB

  • memory/268-42-0x0000000000400000-0x000000000051D000-memory.dmp

    Filesize

    1.1MB

  • memory/268-45-0x0000000000400000-0x000000000051D000-memory.dmp

    Filesize

    1.1MB

  • memory/268-66-0x0000000000400000-0x000000000051D000-memory.dmp

    Filesize

    1.1MB

  • memory/268-67-0x0000000000400000-0x000000000051D000-memory.dmp

    Filesize

    1.1MB