caa701aea3a9754d8821d1639935df8574f63f9a80ec76691d064399c1543dc6

Analysis

max time kernel
90s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2022 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

caa701aea3a9754d8821d1639935df8574f63f9a80ec76691d064399c1543dc6.exe
Size

72KB
MD5

e0770f68d015a398c13d8918a6751aa3
SHA1

7d7874784b9a2fe223531bac40d400e1d5bf8f8f
SHA256

caa701aea3a9754d8821d1639935df8574f63f9a80ec76691d064399c1543dc6
SHA512

6555e264fd66f551f285a67e8383c4552e0be54442f619870fc79447a42cd4da4b9313811683a74c46d969bb2b668936045d68f16f4ed58cd7eba2106cb49b39
SSDEEP

1536:qFiusdglLI8cH+9g0FDDZtFMfav7V5F5erqjzssdQLXKvhCj18n:qsusdBBH+9g4mC7V5F5/zssdhsJ8n

Score

10^/10

persistence upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1296 created 1020	1296	svchost.exe	9

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1572	123.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4800-132-0x00007FF75A030000-0x00007FF75A055000-memory.dmp	upx
behavioral1/memory/4800-135-0x00007FF75A030000-0x00007FF75A055000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
1572	123.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aaa = "C:\\Users\\Public\\123.exe"	123.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4800	caa701aea3a9754d8821d1639935df8574f63f9a80ec76691d064399c1543dc6.exe
4800	caa701aea3a9754d8821d1639935df8574f63f9a80ec76691d064399c1543dc6.exe
4800	caa701aea3a9754d8821d1639935df8574f63f9a80ec76691d064399c1543dc6.exe
4800	caa701aea3a9754d8821d1639935df8574f63f9a80ec76691d064399c1543dc6.exe
1572	123.exe
1572	123.exe
1572	123.exe
1572	123.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe
3460	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4800	caa701aea3a9754d8821d1639935df8574f63f9a80ec76691d064399c1543dc6.exe
Token: SeImpersonatePrivilege	4800	caa701aea3a9754d8821d1639935df8574f63f9a80ec76691d064399c1543dc6.exe
Token: SeTcbPrivilege	1296	svchost.exe
Token: SeTcbPrivilege	1296	svchost.exe
Token: SeDebugPrivilege	4800	caa701aea3a9754d8821d1639935df8574f63f9a80ec76691d064399c1543dc6.exe
Token: SeImpersonatePrivilege	4800	caa701aea3a9754d8821d1639935df8574f63f9a80ec76691d064399c1543dc6.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 1572	1296	svchost.exe	87
PID 1296 wrote to memory of 1572	1296	svchost.exe	87
PID 1296 wrote to memory of 1572	1296	svchost.exe	87
PID 1572 wrote to memory of 3460	1572	123.exe	88
PID 1572 wrote to memory of 3460	1572	123.exe	88
PID 1572 wrote to memory of 3460	1572	123.exe	88
PID 1572 wrote to memory of 3460	1572	123.exe	88

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1020
- C:\123.exe
  C:\123.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1572
- - \??\c:\windows\SysWOW64\svchost.exe
    c:\windows\SysWOW64\svchost.exe
    3⤵
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:3460

C:\Users\Admin\AppData\Local\Temp\caa701aea3a9754d8821d1639935df8574f63f9a80ec76691d064399c1543dc6.exe
"C:\Users\Admin\AppData\Local\Temp\caa701aea3a9754d8821d1639935df8574f63f9a80ec76691d064399c1543dc6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\123.exe

Filesize
1.6MB

MD5
5d8ab1d3b48afab34fab8930c3e56793

SHA1
64c4e251af2970abc2e24bc3c3de0448103afd6d

SHA256
86ba5195ceef7562b3baf057bdbcd40123fa5fea2cb4c95dc50ffdedfbe088c4

SHA512
f8b0372fd577424ef9d489de2ecdd32c1154ede0660f4ea0d1f589acc0df9689606a524387d16e51f4cb87759775678c0d7f32260b4bd4661e92486681b7f085

Download Submit
C:\123.exe

Filesize
1.6MB

MD5
5d8ab1d3b48afab34fab8930c3e56793

SHA1
64c4e251af2970abc2e24bc3c3de0448103afd6d

SHA256
86ba5195ceef7562b3baf057bdbcd40123fa5fea2cb4c95dc50ffdedfbe088c4

SHA512
f8b0372fd577424ef9d489de2ecdd32c1154ede0660f4ea0d1f589acc0df9689606a524387d16e51f4cb87759775678c0d7f32260b4bd4661e92486681b7f085

Download Submit
C:\libcef.dll

Filesize
90KB

MD5
12b71771467bb1d2d2f5f1a793836f7a

SHA1
8c86374aa8a4604be47dbe2b9cd84885f04a1cb4

SHA256
ca3d79dbd07fe563bdab59e559fafede0199aff5e25c138c560277e8a4521a87

SHA512
59e80e81afd24abf102dde95bca8f07492c35c854b1744d51b4438be445449385d8865f4567010c20aeb042b2d39cf71e5e6e4d870073e4c500315721c62dac4

Download Submit
C:\libcef.dll

Filesize
90KB

MD5
12b71771467bb1d2d2f5f1a793836f7a

SHA1
8c86374aa8a4604be47dbe2b9cd84885f04a1cb4

SHA256
ca3d79dbd07fe563bdab59e559fafede0199aff5e25c138c560277e8a4521a87

SHA512
59e80e81afd24abf102dde95bca8f07492c35c854b1744d51b4438be445449385d8865f4567010c20aeb042b2d39cf71e5e6e4d870073e4c500315721c62dac4

Download Submit
memory/3460-140-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/3460-143-0x0000000001190000-0x00000000011DE000-memory.dmp

Filesize
312KB

Download
memory/4800-132-0x00007FF75A030000-0x00007FF75A055000-memory.dmp

Filesize
148KB

Download
memory/4800-135-0x00007FF75A030000-0x00007FF75A055000-memory.dmp

Filesize
148KB

Download