57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131

Analysis

max time kernel
150s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 14:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Size

793KB
MD5

968a81d0b9741b391ab0e3214443c4f0
SHA1

243ed0425fb61ce1b1353c20db30e7899d459b05
SHA256

57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131
SHA512

b258ca5d645a53ef583e5b1c3a21fdc8d6294b57d7cd93c6958a3f0bf49ce7d8d448c497cbe1e5c51f4cc96f2a9c44d6ea8b62a8b80470f8df1a1e2a1362c19f
SSDEEP

24576:9whQR/xu+dhLxGRPNq1jQl1wo0/W3Wc6q3:9wuHPGJNwjQjwf/43

Score

8^/10

discovery evasion persistence trojan

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe"	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe"	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject"	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\ = "JSIELib"	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject"	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe"	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0"	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib\ = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS\ = "0"	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe"	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\ = "TinyJSObject Class"	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version\ = "1.0"	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0"	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe"	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	632	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
632	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
632	57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe

C:\Users\Admin\AppData\Local\Temp\57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe
"C:\Users\Admin\AppData\Local\Temp\57cc01d0254794b84e64f9047bdbb04e96cdffbd362dab0f0982280f3b1cd131.exe"
1⤵
- Registers COM server for autorun
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/632-132-0x00000000025C0000-0x0000000002743000-memory.dmp

Filesize
1.5MB

Download
memory/632-139-0x00000000025C0000-0x0000000002743000-memory.dmp

Filesize
1.5MB

Download
memory/632-140-0x00000000025C0000-0x0000000002743000-memory.dmp

Filesize
1.5MB

Download
memory/632-141-0x00000000025C0000-0x0000000002743000-memory.dmp

Filesize
1.5MB

Download