Overview

overview

10

Static

static

6

DUMP_00A10...iR.exe

windows7-x64

7

DUMP_00A10...iR.exe

windows10-2004-x64

7

DgH5SjZFle...DI.exe

windows7-x64

10

DgH5SjZFle...DI.exe

windows10-2004-x64

5

Dumped_.exe

windows7-x64

7

Dumped_.exe

windows10-2004-x64

7

EntrateSetup.exe

windows7-x64

9

EntrateSetup.exe

windows10-2004-x64

9

ErrorFileRemover.exe

windows7-x64

10

ErrorFileRemover.exe

windows10-2004-x64

10

ExtraTools.exe

windows7-x64

7

ExtraTools.exe

windows10-2004-x64

7

F45F47EDCE...54.exe

windows7-x64

10

F45F47EDCE...54.exe

windows10-2004-x64

10

decrypt_00...00.exe

windows7-x64

6

decrypt_00...00.exe

windows10-2004-x64

6

dffde400ad...3d.exe

windows7-x64

10

dffde400ad...3d.exe

windows10-2004-x64

10

dircrypt.deobf.exe

windows7-x64

10

dircrypt.deobf.exe

windows10-2004-x64

10

dma locker 4.0.exe

windows7-x64

9

dma locker 4.0.exe

windows10-2004-x64

9

downloader.js

windows7-x64

10

downloader.js

windows10-2004-x64

8

dump.mem.exe

windows7-x64

6

dump.mem.exe

windows10-2004-x64

6

e0ff79cc94...ss.exe

windows7-x64

7

e0ff79cc94...ss.exe

windows10-2004-x64

10

e37dc428ec...ad.vbs

windows7-x64

1

e37dc428ec...ad.vbs

windows10-2004-x64

1

e5df2d114c...8a.exe

windows7-x64

10

e5df2d114c...8a.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-11-2024 03:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dircrypt.deobf.exe

  • Size

    321KB

  • MD5

    d224637a6b6e3001753d9922e749d00d

  • SHA1

    bacb2313289e00a1933b7984dd1cbef01c8019ee

  • SHA256

    9c67320f0a29796abfb5b53ef2fa2fbcb56b33cff6cdb3f96a8d303685e17263

  • SHA512

    08eb7f64f852bbb3403d26a6cbcaa28a5747070b499464bed45b3578fd8ebb31ee97fc15f99a14fab9c01585ba5abeded3bd95aa80c73ce76c5af19bf587c4b0

  • SSDEEP

    6144:rHpp6ZEmJSr/49JSpIGOGsX5HWY7ydvxHlcaAy0iWYOcG4BDhnxD28ixv7uDphY+:zuYQJUaGsX7/Qwgylf

Score
10/10
discoveryevasionpersistencetrojanupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Modifies security service 2 TTPs 4 IoCs
    evasion
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Disables Task Manager via registry modification
    evasion
  • Drops startup file 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe
    "C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe
      "C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe"
      2⤵
      • Modifies firewall policy service
      • Modifies security service
      • UAC bypass
      • Windows security bypass
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2088
      • C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe
        "C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

4
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

3
T1562.001

Modify Registry

8
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ZEGqJDzz.exe
    Filesize

    321KB

    MD5

    d224637a6b6e3001753d9922e749d00d

    SHA1

    bacb2313289e00a1933b7984dd1cbef01c8019ee

    SHA256

    9c67320f0a29796abfb5b53ef2fa2fbcb56b33cff6cdb3f96a8d303685e17263

    SHA512

    08eb7f64f852bbb3403d26a6cbcaa28a5747070b499464bed45b3578fd8ebb31ee97fc15f99a14fab9c01585ba5abeded3bd95aa80c73ce76c5af19bf587c4b0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe
    Filesize

    24KB

    MD5

    1d27a7210f54a047264f23c7506e9506

    SHA1

    4116e4e8f34e5e7f3fc6cf23cffd04fb027a1527

    SHA256

    431111e367629bea37db016682c6354303360cd1419c033a22a26115121ccfe9

    SHA512

    077054eb1afbe2fd375d409176b61bdc407c8ef10351b4d00ccdc5c02f87a2f99c319a81baa99d92cd8f0bfd32bdf95b54dc6ea4b288a8dc5d9bec9b08523700

    Download Submit

  • C:\Users\Admin\Desktop\ConvertToExport.jpeg
    Filesize

    496KB

    MD5

    5cd869d25ed9b70cad0fcd729dbe93a8

    SHA1

    18927946eaf87e45ec906c7b0f739205fffa0074

    SHA256

    555f93ff05472882f6f72d44bbbe46f36e323a2fb2d9b7abe6b06010385cfbe4

    SHA512

    fe7827c6bbf76874041cd818645b8af930e23aea55d426f3c436fc521ae93ec6ad32cb99d5f25f5b042732a0280fc0c481e02c305e2a5bde94372fa248ac9b56

    Download Submit

  • C:\Users\Admin\Desktop\TestExpand.xlsx
    Filesize

    22KB

    MD5

    78b526de070a85b6cf6410d013d2a1a6

    SHA1

    6403f4013d1c5e636452274fa02436fc64f83e7e

    SHA256

    9a6a19655dc4ab926544e1f1da8750f4119ca615ac73e2c4da9ef4186e6a9e2a

    SHA512

    e1418a6fe5acbcdda7fddf41835e6d9973ddfbf8c2b36204b53a8733ba1078b63aae28d314eb51b90e0a43896b803ca4920bc4ea6bf8bc18b0650e2cbf32226e

    Download Submit

  • C:\Users\Admin\Documents\ApproveFormat.rtf
    Filesize

    1.8MB

    MD5

    55931f508169e2e57ea9e1fe0c0e87d1

    SHA1

    612f3b45efe3162130307d7fe3dfafb8f3bcfd8e

    SHA256

    ac71d5d33cf3cafc5ffc57265118fd5d3cbc5b895681245c16faf49f14ce9a56

    SHA512

    1a94083a6fd1116a9b65b56fcfe3ae7b46f2f5caa8a35ee33630e46c6a0ec48c8add3ac6ffe2b4709cbba19c8287040d7fc63b7229fa558c715be58961e67b80

    Download Submit

  • C:\Users\Admin\Documents\DebugClear.doc
    Filesize

    1.3MB

    MD5

    baf2faff2c457dff4872bb6bb421004a

    SHA1

    5aa26906097a18d62c69daba985cd0f72ffe3b31

    SHA256

    8494ac3bbb2c179bc191e4e73145eb8b2b79e156e2e331546dae155a808827e3

    SHA512

    434367c313dd1e27384858cea0e39d6534f5a94e2b81406575c5b308f4d70e692221a43acb4e31166a4683f3bbffc4359bdebf6f818d686187d449e54a6ce559

    Download Submit

  • C:\Users\Admin\Documents\DebugLimit.docm
    Filesize

    674KB

    MD5

    9da8b164f22bdb22f184142e1cfe1cb6

    SHA1

    f480bb1eda037e838df784609fd0ac3bc77565a2

    SHA256

    3f13673feca10f32155cce12590601de9b14bc7d4e2f911e8e5af994690acc6b

    SHA512

    5b7f4607dc315d47d8cbb44d70082773071cbcb267ca51a40817be8607ccf1a415b37e3467eab7e23078d3612e3e33222b5e723da49df57e95f65aa47f5db0d1

    Download Submit

  • C:\Users\Admin\Documents\NewPop.doc
    Filesize

    774KB

    MD5

    7f8895f63bbfd4693eb3a190e941e4c9

    SHA1

    b5ca49754a588b86583e262a75ef7fa23108df29

    SHA256

    f92dd76f5e53816cbf1070444520cb5198f5b47c600bd4a03d20ccf11bd3f2df

    SHA512

    61c924f26c54898fbdb3ca9aa6c3ad0d6bae610386f3bbc2dee833554359d42c0452d6382618915eae65a69e138a7903082c960404438efabb8165374fdb0f0b

    Download Submit

  • C:\Users\Admin\Documents\StepFormat.doc
    Filesize

    1000KB

    MD5

    bc2a99d4fed8fce68e5ee04c2ef762d8

    SHA1

    da216639ef63fe5f02320024d1895f38b860e631

    SHA256

    d333a98377a8eb3ed57cf88d616959a394d83ac53dd866ec8bd54ed10aa02ddb

    SHA512

    a17c87e81acc75c5ebfc2feea61f8d6518adccef8db10cf9567bfd5fb63d153b5300f6edde601c1fcb8250ac1023a3231e567605e36f63173a077a3513a70f61

    Download Submit

  • C:\Users\Admin\Documents\UnpublishRead.docx
    Filesize

    30KB

    MD5

    7fb0e9946503165c130615db7a4f28fe

    SHA1

    f87b0a82e019088a0f69662f16cdf0e77d9ba1e4

    SHA256

    f3cac6ec3b761436663adaefad6b4b73c6a1a40b5a2d364973b25b43c27a2bef

    SHA512

    9b33b0563972c92c3e6a6722dd71b55ffebe95130d1cebdf3df0a00a014e5b41dc657c71fc38d6142ae9b379ef8dc8634977bceb9a2f4e0fcb4e0c674bc400f2

    Download Submit

  • C:\Users\Admin\Downloads\ConvertFromStep.zip
    Filesize

    730KB

    MD5

    4d76b46a325f5b9b905f90e3a348a936

    SHA1

    48522542ec191d967d2d172fac14ebea4a53182d

    SHA256

    0bd416bb32df60b7c2dc20863512c76cd9cd5c59a0f5d489807e3d819cadfa91

    SHA512

    f2c206a6d9b6c116ed008e9b0f4ba5ee75fa7919701cec2720d36736c8206d58ca056cc0ffe7b6566dd0b56f28cba36bdb717036871a19607dd683731dc6d706

    Download Submit

  • C:\Users\Admin\Downloads\CopyClose.xlsm
    Filesize

    586KB

    MD5

    5d812c5cd71a5138ccc14b90db5d19bb

    SHA1

    fb53724c8c9e87300c60e64248ef77ee2d0348bb

    SHA256

    d57bea2ff1395e34662bf68b951a7d8cd1abd742f24f17e2e5358040d3b66f56

    SHA512

    8fb745044652ed242407c974bdca86646695fe44c88f533520c75ff8b81a08493dffbd4e02f13481f903f2961cc54641ba0abae23a75e0d411d70104f7432c62

    Download Submit

  • C:\Users\Admin\Downloads\EnableSet.doc
    Filesize

    1.0MB

    MD5

    a7b3504b51d9c9ad922cfb68fab066ec

    SHA1

    6f571660f7af85584201dfbc5b937d2e73d1d5ea

    SHA256

    7cd40cf425416f45a9c764b71eb548b7e9e0470a1e18f220997e0a1bcd62251c

    SHA512

    5d828c68ee4709ae70f9f3a7a2b7acfe2058a485dff88c8475bac4f14d091f32a5ec931714ce0e718bc83ff5c1ab86ea6134fd668a9e80f75eb3113cf8bc3e8c

    Download Submit

  • C:\Users\Admin\Downloads\WaitBackup.rtf
    Filesize

    986KB

    MD5

    e5941e096adc9dee7df216a2571da334

    SHA1

    022917d9e0e2640c9b1105ffd16afb5435f41b50

    SHA256

    0b6b2f585a1005570caa4ceccc71ce8940310cb77629a83ca8ed236a04c1aef4

    SHA512

    033b2c21e7b63e352e48c35b4c46788e7cad0dd022be0fc792ee440df2ce0b7df0f3bb06bc54173e4981a801309c837c459853252cd96ab8fd0fb2ed88687446

    Download Submit

  • C:\Users\Admin\Music\AssertGet.xls
    Filesize

    1.2MB

    MD5

    f3aa0c84cb7d2aefc20c49f0d59184a0

    SHA1

    d29dd7dd912c00e5f05a9cc4f04920814f3c4f96

    SHA256

    8b1192569bef499da82ff8fd0deab26d7188d6c0c1c7a6859f2affbdca635cca

    SHA512

    98e27369f4aa3430e1a69d841917ff42b7132ea0f583e16500bd86dfd76b3528d7d43ac31951bb4bdb35bdd6bbddeefe1f615819d058c50fe62d03c30107da46

    Download Submit

  • memory/2088-25-0x00000000004A0000-0x00000000004B4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2508-31-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2508-154-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download