a2dc4d9a7b686612cdbe2bd80c1855360ac160b1321aa4a5e305525311fd9118

Analysis

max time kernel
120s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
01/02/2022, 09:35 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2dc4d9a7b686612cdbe2bd80c1855360ac160b1321aa4a5e305525311fd9118.exe
Size

52KB
MD5

2d7fa5c028c4c043797410afa65d39d1
SHA1

5332440b06117c2d308bed01e15da0396d5f8167
SHA256

a2dc4d9a7b686612cdbe2bd80c1855360ac160b1321aa4a5e305525311fd9118
SHA512

9981aebb3f6abfc100a0f6fa498ca6f6e801b3e77c9d3694007b3eadc55fdfdb9d1f613a7e2019041f42fa230484291b0a632a686d7a4c1c6a3e9155d6d14702

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4332	svchost.exe
Token: SeCreatePagefilePrivilege	4332	svchost.exe
Token: SeShutdownPrivilege	4332	svchost.exe
Token: SeCreatePagefilePrivilege	4332	svchost.exe
Token: SeShutdownPrivilege	4332	svchost.exe
Token: SeCreatePagefilePrivilege	4332	svchost.exe

C:\Users\Admin\AppData\Local\Temp\a2dc4d9a7b686612cdbe2bd80c1855360ac160b1321aa4a5e305525311fd9118.exe
"C:\Users\Admin\AppData\Local\Temp\a2dc4d9a7b686612cdbe2bd80c1855360ac160b1321aa4a5e305525311fd9118.exe"
1⤵
PID:1324

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe a7ee9ebca1fb1a482c75c77bbbb3b8a4 Z6J1tJw5akqPxBq4QgSssQ.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:4980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4332

Network

DNS

settings-win.data.microsoft.com

Remote address:

8.8.8.8:53

Request

settings-win.data.microsoft.com

IN A

Response

settings-win.data.microsoft.com

IN CNAME

settingsfd-geo.trafficmanager.net

settingsfd-geo.trafficmanager.net

IN A

20.73.194.208
DNS

settings-win.data.microsoft.com

Remote address:

8.8.8.8:53

Request

settings-win.data.microsoft.com

IN A

Response

settings-win.data.microsoft.com

IN CNAME

settingsfd-geo.trafficmanager.net

settingsfd-geo.trafficmanager.net

IN A

52.167.17.97

104.110.191.133:80

322 B
7
104.110.191.133:80

322 B
7
20.73.194.208:443

settings-win.data.microsoft.com

tls, https

2.6kB
9.5kB
15
15
52.167.17.97:443

settings-win.data.microsoft.com

tls, https

2.0kB
4.4kB
12
10
52.167.17.97:443

settings-win.data.microsoft.com

tls, https

1.3kB
4.4kB
12
10
52.167.17.97:443

settings-win.data.microsoft.com

tls, https

1.6kB
4.4kB
12
10
52.167.17.97:443

settings-win.data.microsoft.com

tls, https

1.8kB
4.4kB
12
10

8.8.8.8:53

settings-win.data.microsoft.com

dns

77 B
140 B
1
1

DNS Request

settings-win.data.microsoft.com

DNS Response

20.73.194.208
8.8.8.8:53

settings-win.data.microsoft.com

dns

77 B
140 B
1
1

DNS Request

settings-win.data.microsoft.com

DNS Response

52.167.17.97

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4332-130-0x000002BED4D90000-0x000002BED4DA0000-memory.dmp

Filesize
64KB

Download
memory/4332-137-0x000002BED7B10000-0x000002BED7B14000-memory.dmp

Filesize
16KB

Download