Overview

overview

10

Static

static

6

DUMP_00A10...iR.exe

windows7-x64

7

DgH5SjZFle...DI.exe

windows7-x64

10

Dumped_.exe

windows7-x64

7

EntrateSetup.exe

windows7-x64

9

ErrorFileRemover.exe

windows7-x64

10

ExtraTools.exe

windows7-x64

7

F45F47EDCE...54.exe

windows7-x64

10

decrypt_00...00.exe

windows7-x64

6

dffde400ad...3d.exe

windows7-x64

10

dircrypt.deobf.exe

windows7-x64

10

dma locker 4.0.exe

windows7-x64

9

downloader.js

windows7-x64

10

dump.mem.exe

windows7-x64

6

e0ff79cc94...ss.exe

windows7-x64

7

e37dc428ec...ad.vbs

windows7-x64

1

e5df2d114c...8a.exe

windows7-x64

10

e6c4ae4709...ss.exe

windows7-x64

7

e77df2ce34...2d.exe

windows7-x64

1

e8e07496df...d2.exe

windows7-x64

ea8292721a...1e.exe

windows7-x64

5

eaa857c95f...er.dll

windows7-x64

1

ed3a685ca6...91.exe

windows7-x64

9

edffa07d66...9d5.js

windows7-x64

10

encrypter.exe

windows7-x64

10

encryptor_...81.exe

windows7-x64

9

f002618c01...35.apk

windows7-x64

3

f213e54c85...ea.exe

windows7-x64

1

f2c8eee2cd...3f.exe

windows7-x64

10

f31bfe95e3...7_.exe

windows7-x64

7

f6a8d7a429...da.exe

windows7-x64

10

f915110765...da.exe

windows7-x64

7

fb8823e949...-0.dll

windows7-x64

1

Analysis

  • max time kernel
    600s
  • max time network
    581s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    22-11-2024 03:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dircrypt.deobf.exe

  • Size

    321KB

  • MD5

    d224637a6b6e3001753d9922e749d00d

  • SHA1

    bacb2313289e00a1933b7984dd1cbef01c8019ee

  • SHA256

    9c67320f0a29796abfb5b53ef2fa2fbcb56b33cff6cdb3f96a8d303685e17263

  • SHA512

    08eb7f64f852bbb3403d26a6cbcaa28a5747070b499464bed45b3578fd8ebb31ee97fc15f99a14fab9c01585ba5abeded3bd95aa80c73ce76c5af19bf587c4b0

  • SSDEEP

    6144:rHpp6ZEmJSr/49JSpIGOGsX5HWY7ydvxHlcaAy0iWYOcG4BDhnxD28ixv7uDphY+:zuYQJUaGsX7/Qwgylf

Score
10/10
discoveryevasionpersistencetrojanupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Modifies security service 2 TTPs 4 IoCs
    evasion
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Disables Task Manager via registry modification
    evasion
  • Drops startup file 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe
    "C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2556
    • C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe
      "C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe"
      2⤵
      • Modifies firewall policy service
      • Modifies security service
      • UAC bypass
      • Windows security bypass
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2524
      • C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe
        "C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

4
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

3
T1562.001

Modify Registry

8
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe
    Filesize

    321KB

    MD5

    d224637a6b6e3001753d9922e749d00d

    SHA1

    bacb2313289e00a1933b7984dd1cbef01c8019ee

    SHA256

    9c67320f0a29796abfb5b53ef2fa2fbcb56b33cff6cdb3f96a8d303685e17263

    SHA512

    08eb7f64f852bbb3403d26a6cbcaa28a5747070b499464bed45b3578fd8ebb31ee97fc15f99a14fab9c01585ba5abeded3bd95aa80c73ce76c5af19bf587c4b0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe
    Filesize

    24KB

    MD5

    1d27a7210f54a047264f23c7506e9506

    SHA1

    4116e4e8f34e5e7f3fc6cf23cffd04fb027a1527

    SHA256

    431111e367629bea37db016682c6354303360cd1419c033a22a26115121ccfe9

    SHA512

    077054eb1afbe2fd375d409176b61bdc407c8ef10351b4d00ccdc5c02f87a2f99c319a81baa99d92cd8f0bfd32bdf95b54dc6ea4b288a8dc5d9bec9b08523700

    Download Submit

  • C:\Users\Admin\Desktop\JoinAssert.xlsx
    Filesize

    21KB

    MD5

    9f5c80903acba638dd3378dfbf1dd4d8

    SHA1

    28497eb0083eab2fd2333d1ec416991d94b60647

    SHA256

    8e336acd36fa58c52bb0e31d74c05798ec5ebe32a03517109888cf4f36608386

    SHA512

    3d56d5505843e7209c349426d0ec4a20474ce7baa296981e51a2d25201a291fa71043140187ce237614ae0f26384630ca899199eab1c88931e08f34fb4c1ce9b

    Download Submit

  • C:\Users\Admin\Desktop\ProtectOpen.jpeg
    Filesize

    335KB

    MD5

    cb54fdcec39b06b8a0d8ad9a7d15277f

    SHA1

    c132d948b9eb84218146030a242be84dacaf0164

    SHA256

    86237bb49cf8e599d0ed25888f52824c0252769e11b6ab1469ca6514bba16b48

    SHA512

    58830d9751172e47700adc47dd35cfcbc322439c6a1b89510468eabdfcd1413b6d59eedfb7d896336f40dc3c2f862ea1cccc66095f931c41fb6633fa14b2dfe9

    Download Submit

  • C:\Users\Admin\Desktop\SubmitRestore.docx
    Filesize

    34KB

    MD5

    4446612912a5ec8d5d8cd95f9509ce70

    SHA1

    366a195c1a924229370a4bd8560a6e39f3cc8aa4

    SHA256

    4fc6806875418bead9760fb9c509454187fc27010e992401cb517302cda3503e

    SHA512

    c3c9a12f7cf45e0e4d31176bf4d2114a7bda022f73a714f06fdc1935aa913e37dcf2d7b920bbbaacf79bcab2f6e3b72f455b123380b1f26612796f630963b723

    Download Submit

  • C:\Users\Admin\Documents\AssertGroup.doc
    Filesize

    771KB

    MD5

    c0fb2b2ac91ee80444a2e217a06223e2

    SHA1

    6d175d49a3189d166e8872879460c700673093c2

    SHA256

    d609444710b4d168fe9d73c553b5b3bc6d7365d955626e4974b611b042c8c186

    SHA512

    1a8cf8b33edddcdecfd245b4a8b0976bd8919dab71b436c3c0fe7f1434a3d237d056c4877cfb171bdb6283c78305b97ea6a95615b946ddda2ab866718293f40c

    Download Submit

  • C:\Users\Admin\Documents\ConvertToSplit.rtf
    Filesize

    681KB

    MD5

    6d6378d05a3007f8832799060d9fea65

    SHA1

    1c43561323710792bf743093e8e7fbaecc78d6a9

    SHA256

    da15ef2a93668ea7018378be023e5935d8532238af6213ef7afb46d863d1bac2

    SHA512

    98fcb18c8df98760478acb35b8ae5e637eb87522224d78e2c6a9d258b587f3c2335dda0a273424f573227ed4df252bd79156cca11cb663ded1cb7fce3c9cb1a7

    Download Submit

  • C:\Users\Admin\Documents\RegisterDismount.xls
    Filesize

    585KB

    MD5

    95d34c5a89e4c47af4091c10204ef64e

    SHA1

    808bbe8f54d5d1074a7c7cbe9c238178238aa43f

    SHA256

    53b53dfa2935552953d3dd3f3faedec83b21072c431486e2656b5df999a1e697

    SHA512

    df008ed997949756dc0bda7ade5015b0352ed7a0a17eb1599c7ca9b6ffd5f2a512c592fecae1bc8f0f92737fb55251f7133f16d681b3989d7221c4408c9bb66f

    Download Submit

  • C:\Users\Admin\Documents\ShowUpdate.docm
    Filesize

    482KB

    MD5

    cfba4c7fb5729350d59b76e28a94392f

    SHA1

    67f66f41d581e5f69cc87c88ec24707625afc180

    SHA256

    fbb11cd10f2dfade3409743102b87cf8c5d58a94f6060781ab3bddebc2ec040e

    SHA512

    15ed14139385bddfbe7a76db78ac60f2c30610f0fcc8a208bf1e6fb4c492588762ef95cb738cb70dfc31a97b222c358c2b2d7092725da7366a728adf363b3661

    Download Submit

  • C:\Users\Admin\Downloads\FindMerge.zip
    Filesize

    401KB

    MD5

    6ce6ae1f0d89cce9550fef820039f565

    SHA1

    d1cf05034bafdd9de877218240fcabed1c33ca0e

    SHA256

    f10a43c8fa4acbd67533d9aa43d39a79b541ee09d1e093b640499213bf137a7f

    SHA512

    77fe4910ff5fdbb76733b2f6b007f3600fe3dff9b7c6a715d986f3e6d25c90ca0921cf1892c9f98c93c062a52b46c2a3849879adf91b76c137b10c0200b856a8

    Download Submit

  • C:\Users\Admin\Downloads\PushRedo.xlsm
    Filesize

    1.5MB

    MD5

    285ec44441eb5fc7786bb15aee6d225b

    SHA1

    d14c09ce5374212ced30a15abfe87d52f1814200

    SHA256

    0e4f15361f21eaf86a9fec68ca0235c85e2084cd368c12d219591df35f1bb711

    SHA512

    07df721b34b21789aa3a4bbb4b357bf93ada104a937e04bf1c4f44a781de3e3662d7fdbbb02a4c4bf5a9642d7b4f264952f95af67aa5779187efcc82ea2e795f

    Download Submit

  • C:\Users\Admin\Music\DebugSelect.doc
    Filesize

    433KB

    MD5

    5267c8ab6be78c8b0c850382fbf80b66

    SHA1

    23fb9aa85c177e8bd204619f9e743cd3c6bd8777

    SHA256

    5b6a8591689486e39e2b27e6ac0270290655b09d2b2368750c6173079fe823e8

    SHA512

    22c3cbf3fc53688a47fb54040a50b9fa6e9b851e2b3100a440898bbcbe13a1555a614082436c36dc32e29a46822dc263f50f5f6f38b48dfef037d91c7b5f4830

    Download Submit

  • C:\Users\Admin\Music\TestWatch.pdf
    Filesize

    417KB

    MD5

    3759f2af5beab4c66a061a6a46e5b2dc

    SHA1

    0eabae664d3a38ac57693dabafc75f80b144bd51

    SHA256

    f5b0e654f76eaf7c376e11309ea94807d4b35339995b70a564dbf3e092152132

    SHA512

    206ce46f187be0df586c1ba48fe0c9c35cb271110767627710e6b99b87999425ebb95ee095d2b820647f46c8a4cab274f7d21c2c8ea65a214bd21a51e931a436

    Download Submit

  • memory/1544-32-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1544-186-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2524-27-0x0000000000560000-0x0000000000574000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2524-25-0x0000000000560000-0x0000000000574000-memory.dmp

    Filesize

    80KB

    Download