df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c

Analysis

max time kernel
137s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/10/2022, 21:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Size

65KB
MD5

a150ead5cce3ec3c45c0760d8f8209f0
SHA1

6d37d530903d813709d1b3d9c83a18a7eb7ef896
SHA256

df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c
SHA512

d5d5ee6e90d56e5c18b13a6d54bc3f6cd4fb64efb73a0d008bfd6f2ec2a8f484c69ace957f799626a118fcc1b2142bae3b2a0368b08931f72d9f38e67688529f
SSDEEP

1536:E80RoKEC8nhr23KqL9PcA0Vm1rZ3EJaMxOvQ4600mvK6NB:0eKEdr235L9P0E1rkaMxOon03B

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4584	SETUP.EXE

Loads dropped DLL 2 IoCs

pid	Process
4584	SETUP.EXE
4584	SETUP.EXE

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pedadt.dll	SETUP.EXE
File created	C:\Windows\SysWOW64\tf0	SETUP.EXE
File opened for modification	C:\Windows\SysWOW64\pedadt.dll.LoG	SETUP.EXE

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS\CURRENTVERSION	SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS\CURRENTVERSION\EXPLORER	SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E907A48-400E-4EA8-9792-FFAE052D59E9}\ = "MICROSOFT"	SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E907A48-400E-4EA8-9792-FFAE052D59E9}\InProcServer32\ThreadingModel = "Apartment"	SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS	SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE	SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT	SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\	SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E907A48-400E-4EA8-9792-FFAE052D59E9}	SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E907A48-400E-4EA8-9792-FFAE052D59E9}\InProcServer32	SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E907A48-400E-4EA8-9792-FFAE052D59E9}\InProcServer32\ = "C:\\Windows\\SysWow64\\pedadt.dll"	SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS	SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS	SETUP.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
4584	SETUP.EXE
4584	SETUP.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Token: SeDebugPrivilege	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Token: SeDebugPrivilege	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Token: SeDebugPrivilege	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Token: SeDebugPrivilege	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Token: SeDebugPrivilege	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Token: SeDebugPrivilege	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Token: SeDebugPrivilege	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Token: SeDebugPrivilege	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Token: SeDebugPrivilege	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Token: SeDebugPrivilege	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Token: SeDebugPrivilege	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Token: SeDebugPrivilege	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Token: SeDebugPrivilege	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
Token: SeBackupPrivilege	4584	SETUP.EXE
Token: SeRestorePrivilege	4584	SETUP.EXE
Token: SeBackupPrivilege	4584	SETUP.EXE
Token: SeRestorePrivilege	4584	SETUP.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4584	SETUP.EXE
4584	SETUP.EXE
4584	SETUP.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 4436	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	80
PID 4148 wrote to memory of 4436	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	80
PID 4148 wrote to memory of 4436	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	80
PID 4148 wrote to memory of 2888	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	81
PID 4148 wrote to memory of 2888	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	81
PID 4148 wrote to memory of 2888	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	81
PID 4148 wrote to memory of 1528	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	84
PID 4148 wrote to memory of 1528	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	84
PID 4148 wrote to memory of 1528	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	84
PID 4148 wrote to memory of 4972	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	86
PID 4148 wrote to memory of 4972	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	86
PID 4148 wrote to memory of 4972	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	86
PID 4148 wrote to memory of 4684	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	87
PID 4148 wrote to memory of 4684	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	87
PID 4148 wrote to memory of 4684	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	87
PID 4148 wrote to memory of 4356	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	88
PID 4148 wrote to memory of 4356	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	88
PID 4148 wrote to memory of 4356	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	88
PID 4684 wrote to memory of 1884	4684	net.exe	97
PID 4684 wrote to memory of 1884	4684	net.exe	97
PID 4684 wrote to memory of 1884	4684	net.exe	97
PID 4356 wrote to memory of 1768	4356	net.exe	94
PID 4356 wrote to memory of 1768	4356	net.exe	94
PID 4356 wrote to memory of 1768	4356	net.exe	94
PID 4436 wrote to memory of 1860	4436	net.exe	98
PID 4436 wrote to memory of 1860	4436	net.exe	98
PID 4436 wrote to memory of 1860	4436	net.exe	98
PID 4148 wrote to memory of 4584	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	91
PID 4148 wrote to memory of 4584	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	91
PID 4148 wrote to memory of 4584	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	91
PID 4972 wrote to memory of 1772	4972	net.exe	96
PID 4972 wrote to memory of 1772	4972	net.exe	96
PID 4972 wrote to memory of 1772	4972	net.exe	96
PID 1528 wrote to memory of 4652	1528	net.exe	93
PID 1528 wrote to memory of 4652	1528	net.exe	93
PID 1528 wrote to memory of 4652	1528	net.exe	93
PID 2888 wrote to memory of 604	2888	net.exe	95
PID 2888 wrote to memory of 604	2888	net.exe	95
PID 2888 wrote to memory of 604	2888	net.exe	95
PID 4148 wrote to memory of 3196	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	100
PID 4148 wrote to memory of 3196	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	100
PID 4148 wrote to memory of 3196	4148	df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe	100

C:\Users\Admin\AppData\Local\Temp\df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe
"C:\Users\Admin\AppData\Local\Temp\df301ac6629e088796aff315db34106b466adac3b6879331da1570a2f611414c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    PID:1860
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:604
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    PID:4652
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    PID:1772
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:1884
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    PID:1768
- C:\Users\Admin\AppData\Local\Temp\SETUP.EXE
  C:\Users\Admin\AppData\Local\Temp\SETUP.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del C:\NTDUBECT.EXE
  2⤵
  PID:3196

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SETUP.EXE

Filesize
19KB

MD5
d07468a081473a6e41c27a7a949700bf

SHA1
b9bea089783b3f97790801376fd1204037e61824

SHA256
684cce5a3423323d350206bece1a70750cf342c53ab6c315ca478bf705f47a00

SHA512
51e0fdf08f97bc9e1066de859f787efb10cd5a1e1fcd039ceb2c3eaf796fb4aef7f62fc9651c54b3c5a37139d523014e00df35ec23611a251fae1871b270c720

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP.EXE

Filesize
19KB

MD5
d07468a081473a6e41c27a7a949700bf

SHA1
b9bea089783b3f97790801376fd1204037e61824

SHA256
684cce5a3423323d350206bece1a70750cf342c53ab6c315ca478bf705f47a00

SHA512
51e0fdf08f97bc9e1066de859f787efb10cd5a1e1fcd039ceb2c3eaf796fb4aef7f62fc9651c54b3c5a37139d523014e00df35ec23611a251fae1871b270c720

Download Submit
C:\Windows\SysWOW64\pedadt.dll

Filesize
227KB

MD5
d34e189539979b8ed12d7e70b167c24f

SHA1
9f63d51764b71a7a3f38381a81b71f13b0f35ee9

SHA256
976124601f3c58a8c7cf40dcba918ad46679ee9fff77f9c8be1e4a8ac26e14fd

SHA512
bafe661c5e8df7f02d06dac883a317857c643b16f0237b619c2f9b30d33fe2c00886f7b600dc0ac5054fcdcd67a97d2a8a726788a5af17e1243ba5af742fb9a7

Download Submit
C:\Windows\SysWOW64\pedadt.dll

Filesize
227KB

MD5
d34e189539979b8ed12d7e70b167c24f

SHA1
9f63d51764b71a7a3f38381a81b71f13b0f35ee9

SHA256
976124601f3c58a8c7cf40dcba918ad46679ee9fff77f9c8be1e4a8ac26e14fd

SHA512
bafe661c5e8df7f02d06dac883a317857c643b16f0237b619c2f9b30d33fe2c00886f7b600dc0ac5054fcdcd67a97d2a8a726788a5af17e1243ba5af742fb9a7

Download Submit
memory/4584-149-0x00000000001F0000-0x00000000001FD000-memory.dmp

Filesize
52KB

Download