df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c

Analysis

max time kernel
33s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 21:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Size

65KB
MD5

a150ead5cce3ec3c45c0760d8f8209f0
SHA1

6d37d530903d813709d1b3d9c83a18a7eb7ef896
SHA256

df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c
SHA512

d5d5ee6e90d56e5c18b13a6d54bc3f6cd4fb64efb73a0d008bfd6f2ec2a8f484c69ace957f799626a118fcc1b2142bae3b2a0368b08931f72d9f38e67688529f
SSDEEP

1536:E80RoKEC8nhr23KqL9PcA0Vm1rZ3EJaMxOvQ4600mvK6NB:0eKEdr235L9P0E1rkaMxOon03B

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
320	SETUP.EXE

Deletes itself 1 IoCs

pid	Process
1968	cmd.exe

Loads dropped DLL 5 IoCs

pid	Process
1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
320	SETUP.EXE
320	SETUP.EXE
320	SETUP.EXE
320	SETUP.EXE

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pedadt.dll	SETUP.EXE
File created	C:\Windows\SysWOW64\tf0	SETUP.EXE
File opened for modification	C:\Windows\SysWOW64\pedadt.dll.LoG	SETUP.EXE

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E907A48-400E-4EA8-9792-FFAE052D59E9}	SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E907A48-400E-4EA8-9792-FFAE052D59E9}\ = "MICROSOFT"	SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT	SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION	SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER	SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E907A48-400E-4EA8-9792-FFAE052D59E9}\InProcServer32	SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E907A48-400E-4EA8-9792-FFAE052D59E9}\InProcServer32\ = "C:\\Windows\\SysWow64\\pedadt.dll"	SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E907A48-400E-4EA8-9792-FFAE052D59E9}\InProcServer32\ThreadingModel = "Apartment"	SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS	SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE	SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS	SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\	SETUP.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
320	SETUP.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Token: SeDebugPrivilege	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Token: SeDebugPrivilege	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Token: SeDebugPrivilege	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Token: SeDebugPrivilege	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Token: SeDebugPrivilege	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Token: SeDebugPrivilege	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Token: SeDebugPrivilege	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Token: SeDebugPrivilege	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Token: SeDebugPrivilege	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Token: SeDebugPrivilege	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Token: SeDebugPrivilege	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Token: SeDebugPrivilege	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Token: SeDebugPrivilege	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Token: SeBackupPrivilege	320	SETUP.EXE
Token: SeRestorePrivilege	320	SETUP.EXE
Token: SeBackupPrivilege	320	SETUP.EXE
Token: SeRestorePrivilege	320	SETUP.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
320	SETUP.EXE
320	SETUP.EXE
320	SETUP.EXE

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 884	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	27
PID 1620 wrote to memory of 884	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	27
PID 1620 wrote to memory of 884	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	27
PID 1620 wrote to memory of 884	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	27
PID 1620 wrote to memory of 824	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	29
PID 1620 wrote to memory of 824	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	29
PID 1620 wrote to memory of 824	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	29
PID 1620 wrote to memory of 824	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	29
PID 1620 wrote to memory of 980	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	30
PID 1620 wrote to memory of 980	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	30
PID 1620 wrote to memory of 980	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	30
PID 1620 wrote to memory of 980	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	30
PID 1620 wrote to memory of 2028	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	32
PID 1620 wrote to memory of 2028	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	32
PID 1620 wrote to memory of 2028	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	32
PID 1620 wrote to memory of 2028	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	32
PID 1620 wrote to memory of 1744	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	34
PID 1620 wrote to memory of 1744	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	34
PID 1620 wrote to memory of 1744	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	34
PID 1620 wrote to memory of 1744	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	34
PID 1620 wrote to memory of 1924	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	37
PID 1620 wrote to memory of 1924	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	37
PID 1620 wrote to memory of 1924	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	37
PID 1620 wrote to memory of 1924	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	37
PID 884 wrote to memory of 1492	884	net.exe	41
PID 884 wrote to memory of 1492	884	net.exe	41
PID 884 wrote to memory of 1492	884	net.exe	41
PID 884 wrote to memory of 1492	884	net.exe	41
PID 1924 wrote to memory of 756	1924	net.exe	44
PID 1924 wrote to memory of 756	1924	net.exe	44
PID 1924 wrote to memory of 756	1924	net.exe	44
PID 1924 wrote to memory of 756	1924	net.exe	44
PID 2028 wrote to memory of 2004	2028	net.exe	42
PID 2028 wrote to memory of 2004	2028	net.exe	42
PID 2028 wrote to memory of 2004	2028	net.exe	42
PID 2028 wrote to memory of 2004	2028	net.exe	42
PID 824 wrote to memory of 332	824	net.exe	40
PID 824 wrote to memory of 332	824	net.exe	40
PID 824 wrote to memory of 332	824	net.exe	40
PID 824 wrote to memory of 332	824	net.exe	40
PID 1744 wrote to memory of 1416	1744	net.exe	45
PID 1744 wrote to memory of 1416	1744	net.exe	45
PID 1744 wrote to memory of 1416	1744	net.exe	45
PID 1744 wrote to memory of 1416	1744	net.exe	45
PID 980 wrote to memory of 812	980	net.exe	43
PID 980 wrote to memory of 812	980	net.exe	43
PID 980 wrote to memory of 812	980	net.exe	43
PID 980 wrote to memory of 812	980	net.exe	43
PID 1620 wrote to memory of 320	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	39
PID 1620 wrote to memory of 320	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	39
PID 1620 wrote to memory of 320	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	39
PID 1620 wrote to memory of 320	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	39
PID 1620 wrote to memory of 320	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	39
PID 1620 wrote to memory of 320	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	39
PID 1620 wrote to memory of 320	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	39
PID 1620 wrote to memory of 1968	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	46
PID 1620 wrote to memory of 1968	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	46
PID 1620 wrote to memory of 1968	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	46
PID 1620 wrote to memory of 1968	1620	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	46

C:\Users\Admin\AppData\Local\Temp\df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
"C:\Users\Admin\AppData\Local\Temp\df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    PID:1492
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:332
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    PID:812
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    PID:2004
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:1416
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    PID:756
- C:\Users\Admin\AppData\Local\Temp\SETUP.EXE
  C:\Users\Admin\AppData\Local\Temp\SETUP.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del C:\NTDUBECT.EXE
  2⤵
  - Deletes itself
  PID:1968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SETUP.EXE

Filesize
19KB

MD5
d07468a081473a6e41c27a7a949700bf

SHA1
b9bea089783b3f97790801376fd1204037e61824

SHA256
684cce5a3423323d350206bece1a70750cf342c53ab6c315ca478bf705f47a00

SHA512
51e0fdf08f97bc9e1066de859f787efb10cd5a1e1fcd039ceb2c3eaf796fb4aef7f62fc9651c54b3c5a37139d523014e00df35ec23611a251fae1871b270c720

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP.EXE

Filesize
19KB

MD5
d07468a081473a6e41c27a7a949700bf

SHA1
b9bea089783b3f97790801376fd1204037e61824

SHA256
684cce5a3423323d350206bece1a70750cf342c53ab6c315ca478bf705f47a00

SHA512
51e0fdf08f97bc9e1066de859f787efb10cd5a1e1fcd039ceb2c3eaf796fb4aef7f62fc9651c54b3c5a37139d523014e00df35ec23611a251fae1871b270c720

Download Submit
\Users\Admin\AppData\Local\Temp\SETUP.EXE

Filesize
19KB

MD5
d07468a081473a6e41c27a7a949700bf

SHA1
b9bea089783b3f97790801376fd1204037e61824

SHA256
684cce5a3423323d350206bece1a70750cf342c53ab6c315ca478bf705f47a00

SHA512
51e0fdf08f97bc9e1066de859f787efb10cd5a1e1fcd039ceb2c3eaf796fb4aef7f62fc9651c54b3c5a37139d523014e00df35ec23611a251fae1871b270c720

Download Submit
\Users\Admin\AppData\Local\Temp\SETUP.EXE

Filesize
19KB

MD5
d07468a081473a6e41c27a7a949700bf

SHA1
b9bea089783b3f97790801376fd1204037e61824

SHA256
684cce5a3423323d350206bece1a70750cf342c53ab6c315ca478bf705f47a00

SHA512
51e0fdf08f97bc9e1066de859f787efb10cd5a1e1fcd039ceb2c3eaf796fb4aef7f62fc9651c54b3c5a37139d523014e00df35ec23611a251fae1871b270c720

Download Submit
\Users\Admin\AppData\Local\Temp\SETUP.EXE

Filesize
19KB

MD5
d07468a081473a6e41c27a7a949700bf

SHA1
b9bea089783b3f97790801376fd1204037e61824

SHA256
684cce5a3423323d350206bece1a70750cf342c53ab6c315ca478bf705f47a00

SHA512
51e0fdf08f97bc9e1066de859f787efb10cd5a1e1fcd039ceb2c3eaf796fb4aef7f62fc9651c54b3c5a37139d523014e00df35ec23611a251fae1871b270c720

Download Submit
\Users\Admin\AppData\Local\Temp\SETUP.EXE

Filesize
19KB

MD5
d07468a081473a6e41c27a7a949700bf

SHA1
b9bea089783b3f97790801376fd1204037e61824

SHA256
684cce5a3423323d350206bece1a70750cf342c53ab6c315ca478bf705f47a00

SHA512
51e0fdf08f97bc9e1066de859f787efb10cd5a1e1fcd039ceb2c3eaf796fb4aef7f62fc9651c54b3c5a37139d523014e00df35ec23611a251fae1871b270c720

Download Submit
\Windows\SysWOW64\pedadt.dll

Filesize
227KB

MD5
d34e189539979b8ed12d7e70b167c24f

SHA1
9f63d51764b71a7a3f38381a81b71f13b0f35ee9

SHA256
976124601f3c58a8c7cf40dcba918ad46679ee9fff77f9c8be1e4a8ac26e14fd

SHA512
bafe661c5e8df7f02d06dac883a317857c643b16f0237b619c2f9b30d33fe2c00886f7b600dc0ac5054fcdcd67a97d2a8a726788a5af17e1243ba5af742fb9a7

Download Submit
memory/320-75-0x0000000000520000-0x000000000052D000-memory.dmp

Filesize
52KB

Download
memory/320-70-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download