Overview

overview

10

Static

static

6

DUMP_00A10...iR.exe

windows7-x64

7

DUMP_00A10...iR.exe

windows10-2004-x64

7

DgH5SjZFle...DI.exe

windows7-x64

10

DgH5SjZFle...DI.exe

windows10-2004-x64

5

Dumped_.exe

windows7-x64

7

Dumped_.exe

windows10-2004-x64

7

EntrateSetup.exe

windows7-x64

9

EntrateSetup.exe

windows10-2004-x64

9

ErrorFileRemover.exe

windows7-x64

10

ErrorFileRemover.exe

windows10-2004-x64

10

ExtraTools.exe

windows7-x64

7

ExtraTools.exe

windows10-2004-x64

7

F45F47EDCE...54.exe

windows7-x64

10

F45F47EDCE...54.exe

windows10-2004-x64

10

decrypt_00...00.exe

windows7-x64

6

decrypt_00...00.exe

windows10-2004-x64

6

dffde400ad...3d.exe

windows7-x64

10

dffde400ad...3d.exe

windows10-2004-x64

10

dircrypt.deobf.exe

windows7-x64

10

dircrypt.deobf.exe

windows10-2004-x64

10

dma locker 4.0.exe

windows7-x64

9

dma locker 4.0.exe

windows10-2004-x64

9

downloader.js

windows7-x64

10

downloader.js

windows10-2004-x64

8

dump.mem.exe

windows7-x64

6

dump.mem.exe

windows10-2004-x64

6

e0ff79cc94...ss.exe

windows7-x64

7

e0ff79cc94...ss.exe

windows10-2004-x64

10

e37dc428ec...ad.vbs

windows7-x64

1

e37dc428ec...ad.vbs

windows10-2004-x64

1

e5df2d114c...8a.exe

windows7-x64

10

e5df2d114c...8a.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2024 03:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dircrypt.deobf.exe

  • Size

    321KB

  • MD5

    d224637a6b6e3001753d9922e749d00d

  • SHA1

    bacb2313289e00a1933b7984dd1cbef01c8019ee

  • SHA256

    9c67320f0a29796abfb5b53ef2fa2fbcb56b33cff6cdb3f96a8d303685e17263

  • SHA512

    08eb7f64f852bbb3403d26a6cbcaa28a5747070b499464bed45b3578fd8ebb31ee97fc15f99a14fab9c01585ba5abeded3bd95aa80c73ce76c5af19bf587c4b0

  • SSDEEP

    6144:rHpp6ZEmJSr/49JSpIGOGsX5HWY7ydvxHlcaAy0iWYOcG4BDhnxD28ixv7uDphY+:zuYQJUaGsX7/Qwgylf

Score
10/10
discoveryevasionpersistencetrojanupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Modifies security service 2 TTPs 3 IoCs
    evasion
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Disables Task Manager via registry modification
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe
    "C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe
      "C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe"
      2⤵
      • Modifies firewall policy service
      • Modifies security service
      • UAC bypass
      • Windows security bypass
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Windows security modification
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:636
      • C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe
        "C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

4
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

3
T1562.001

Modify Registry

8
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TsGngBIh.exe
    Filesize

    321KB

    MD5

    d224637a6b6e3001753d9922e749d00d

    SHA1

    bacb2313289e00a1933b7984dd1cbef01c8019ee

    SHA256

    9c67320f0a29796abfb5b53ef2fa2fbcb56b33cff6cdb3f96a8d303685e17263

    SHA512

    08eb7f64f852bbb3403d26a6cbcaa28a5747070b499464bed45b3578fd8ebb31ee97fc15f99a14fab9c01585ba5abeded3bd95aa80c73ce76c5af19bf587c4b0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe
    Filesize

    24KB

    MD5

    1d27a7210f54a047264f23c7506e9506

    SHA1

    4116e4e8f34e5e7f3fc6cf23cffd04fb027a1527

    SHA256

    431111e367629bea37db016682c6354303360cd1419c033a22a26115121ccfe9

    SHA512

    077054eb1afbe2fd375d409176b61bdc407c8ef10351b4d00ccdc5c02f87a2f99c319a81baa99d92cd8f0bfd32bdf95b54dc6ea4b288a8dc5d9bec9b08523700

    Download Submit

  • C:\Users\Admin\Desktop\ConvertFromInvoke.xlsx
    Filesize

    20KB

    MD5

    53a08f84804005b603250b2bd3440dcb

    SHA1

    d070e5f6532c1fbc6a3b716794c7b7a6f8de9840

    SHA256

    e6761f7d29b5e56bacbee0b93a4d2bbb22413d08afa2f812fa935bb30732406a

    SHA512

    ed58439ccc05fa4f1318aea87b82d6370941a72633bc7dbf9e93fb2ad11c480f07fe0359da90277cbaeb783777b9114b9511d3eec920119809baf499c3d28fe9

    Download Submit

  • C:\Users\Admin\Desktop\DenyOut.jpeg
    Filesize

    355KB

    MD5

    417ecfeff42c115bf636175d26d7a74c

    SHA1

    ee653ecffb54877c1ff7f0904ecf9d5488e8fb4c

    SHA256

    6e4b9f51b8e8d7c275b73f890e4f878b43702791958c19a71621459dee4af886

    SHA512

    058cee16e2bba1b0e0d2677023f7abb61baf92f4628fd24bb8a23db08c902a5307f74d791440915d802f84050a70896635644b0f151756f65e534170722fb191

    Download Submit

  • C:\Users\Admin\Desktop\MountRemove.zip
    Filesize

    134KB

    MD5

    f2e32f1166dd7d5b6e02c70a5a5ea51b

    SHA1

    c01d3f0a50dbe1f0dcff1de4e071fa5f8f894751

    SHA256

    0d0049849ed1ca235cd85df8e778d98186425a950a06b717366d5fe879e53faf

    SHA512

    19b0b303f8727e1406a5f40f86aa5c5389f7c39fbd5cb715172c6332cd14c4b7a3321c2300e883234183637d8d99bca254e508b33f1ad450f572f386a7eae765

    Download Submit

  • C:\Users\Admin\Desktop\ShowSwitch.rtf
    Filesize

    272KB

    MD5

    1301ccb48fed791f5ff7fbcdbb4522fc

    SHA1

    7b8a0a0a052946e0e2da76dc8c68822a1aa80a85

    SHA256

    210553b216d1e42150e7313757c5edcf2c653f59bb7efbcee9da66bc6d68966a

    SHA512

    8dbb8410d9ce81aede28d4830749b515529d07f5c2bc5e52ebe7223b29a4b5d80ea52c9cfd33d5537f34ee8e5a40b0aac82847ff3d19b76b84b77aafa63993b4

    Download Submit

  • C:\Users\Admin\Desktop\SplitFormat.docx
    Filesize

    33KB

    MD5

    f509ef6c31a2963fda6b1e79e9e544a6

    SHA1

    3fc584ec1c8d455a69e1fba6337a0f5f56874a2c

    SHA256

    eeb2e9012d9d3728879043e4365467b5365232f95bd95b3548cd720d73373a17

    SHA512

    bab34b50f1e65f4dfb3ab0896bfffcd6f5410eedce4fbdeb09c6055ff15130928aab8b029b6782f29af9a1cdb61c03c340e7377b62bc151b3b09bab184beee53

    Download Submit

  • C:\Users\Admin\Desktop\WatchSuspend.zip
    Filesize

    370KB

    MD5

    82609be0f6343d8e8d0d89159a9f9f7d

    SHA1

    67076039a99b8e62d6eacb4586e6c30ea4872bf9

    SHA256

    f13b07dfad669d47ac0a88a59677bbd0602d7e2a7c4e07638fdef235cd2cb941

    SHA512

    918199255c4802dc3a7418e1b3c23b81e8d5167f3131bf9816d54ff3290d766de8f5c5528dddfbaafd24dd2b0f20924aa788181b668d408404f18ee1d64f2a84

    Download Submit

  • C:\Users\Admin\Documents\CopyAssert.xls
    Filesize

    601KB

    MD5

    d95e1dfa89473cc83b276409997bf833

    SHA1

    f7b4e71e67f44234b5f2a25a042901a321670d7c

    SHA256

    514ec776d8c39de5d334b024cd359c80820f28f762924319797a57e102989297

    SHA512

    c5f7bf00ce1e1c1cd6886c245c0f1e5020fc5ec0b9af25cec014de708bc90c1dec8beea65f861a30c34f74f022228632b9dfafd9f9a72434ee0324e4fc6fae97

    Download Submit

  • C:\Users\Admin\Documents\InstallAdd.rtf
    Filesize

    681KB

    MD5

    2271ab816e43d75d30b736b356dcfb35

    SHA1

    bb4155835a15c753e9ff21bd955d3ab5d2bb5f11

    SHA256

    3ac41f74614931be16fe79d72bff3f6c33f1ff1fad679ee137a3931d323ce082

    SHA512

    312a427002931029bb36d03c5efb4501f48dc93d426bf99cb76e553d8465fede08c1c94234009450ee6abd3c61b05980631ed08383e0284dcce39bc37b0f8784

    Download Submit

  • C:\Users\Admin\Documents\PopFind.rtf
    Filesize

    541KB

    MD5

    82d4db3e9f6269d7568c42948aa44d83

    SHA1

    643f5c6324550646fdb20c41b9b120985d22a33e

    SHA256

    1a6066f67a70bfead028e3f6923ffe684a2e5fb87dd68b6d01c0433dd6d7c5cf

    SHA512

    87379704a1dbfd9431627ba2b3050b66cbe37084ab7f8738108b78ef861e4f30dd09f0f5addbf06b5aad5126fa4185f3bf0e3f403b1bfc7214ffb19b225c6101

    Download Submit

  • C:\Users\Admin\Documents\SendUnprotect.pdf
    Filesize

    776KB

    MD5

    b6ba14f7ff87de059ab99cc11b87885f

    SHA1

    32020a6258fb7b3a1ae222613eb5a9e1e3a56e10

    SHA256

    313621951a26cde61f331e4a1cdb5c1cac7e1c753827b0338cf3fb7aba70617a

    SHA512

    c0c9bf7cb8ce30504ebb86d86fa33ffae618fdf4e53aa0d7a74734ec446f4853da5d3d89ee7326d2c30b54a307a2e9c77c89ba1eaa3641eab67503dc43d8f5b5

    Download Submit

  • C:\Users\Admin\Documents\SuspendWatch.docm
    Filesize

    380KB

    MD5

    37ca8751f1ba8b9e1b67a73759980e99

    SHA1

    ffa27755dcffc35bdcac7fbc5bd904447f5a0945

    SHA256

    c0bc2c461468c2cf030b62645aec3a161cc2d101ba720e67171df7e24a582ba4

    SHA512

    0ad9e95f997ed126320afa494125bf798f7553a1041acd4e9b1eadc10f1190450869e343162e89d4bb94d7b6a6fe6253a41a8bd153d4bbfe9c2c139108098935

    Download Submit

  • memory/3168-27-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3168-181-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download