df9aff8d1a7003c662d20b7ec05d489b7dbd02ebc3034ac61081b5c819791d81

Resubmissions

12/11/2021, 06:19

211112-g3lmcahgfn 10

12/11/2021, 06:05

211112-gtfpqscgb4 10

Analysis

max time kernel
600s
max time network
602s
platform
windows7_x64
resource
win7-en-20211014
submitted
12/11/2021, 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Priyte's Adventure C++.exe
Size

304KB
MD5

2a37da5634b1e4b188fc5ef86704e41b
SHA1

540ef0e5a197322a29bbf91f41c6abecdd2a4e35
SHA256

df9aff8d1a7003c662d20b7ec05d489b7dbd02ebc3034ac61081b5c819791d81
SHA512

2fe2ca833e71e7b3ed6ad022d8945db72803483b0358c5f165c775bbe1a7896fe791f296b404b1482ad6bff888ab9ee230bb7c3ef45373687614703f496d2d14

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Disables Task Manager via registry modification
evasion

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\BloodFox = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Priyte's Adventure C++.exe\""	Priyte's Adventure C++.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoVault = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Priyte's Adventure C++.exe"	Priyte's Adventure C++.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Priyte's Adventure C++.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Priyte's Adventure C++.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	1324	vssvc.exe
Token: SeRestorePrivilege	1324	vssvc.exe
Token: SeAuditPrivilege	1324	vssvc.exe
Token: SeDebugPrivilege	1820	Priyte's Adventure C++.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1820	Priyte's Adventure C++.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "1"	Priyte's Adventure C++.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Priyte's Adventure C++.exe

C:\Users\Admin\AppData\Local\Temp\Priyte's Adventure C++.exe
"C:\Users\Admin\AppData\Local\Temp\Priyte's Adventure C++.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1820-55-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1820-57-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1820-58-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/1820-59-0x0000000004C85000-0x0000000004C96000-memory.dmp

Filesize
68KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads