Analysis

max time kernel: 165s
max time network: 172s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/10/2022, 00:43
Static task: static1

Behavioral task: behavioral1
Sample: 9e8e1d1344d5461ddb2e864ff17252e3ef58401c506c573c1d4a52bbfea056b5.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 9e8e1d1344d5461ddb2e864ff17252e3ef58401c506c573c1d4a52bbfea056b5.exe
Resource: win10v2004-20220812-en
General

Target: 9e8e1d1344d5461ddb2e864ff17252e3ef58401c506c573c1d4a52bbfea056b5.exe
Size: 102KB
MD5: 72a0bcd44636f493860ff5f5e158593c
SHA1: 5e54b30b0007288414374888ab793c70c3eb5e91
SHA256: 9e8e1d1344d5461ddb2e864ff17252e3ef58401c506c573c1d4a52bbfea056b5
SHA512: 2324bf801322d1b8b1f67400cd874124007d01b0c709c69ea1cd808f82d53e589c71a6d709a00c117abceee7b1e2ba440ef5d9c9250fd8af692b0875bb986e8e
SSDEEP: 1536:sPx0rrKy8tDIGXW91/ga2s/1cR+if2uT3kEcf2ph4jSSHl64/:E0f58tDIKW91/kstcR+uTtVLJY
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
pid  Process
544  kelly.exe
Drops file in System32 directory (64 IoCs)
description  ioc  Process
File created  C:\Windows\SysWOW64\mcbuilder.exe$$$  kelly.exe
File opened for modification  C:\Windows\SysWOW64\rasdial.exe  kelly.exe
File created  C:\Windows\SysWOW64\sdbinst.exe$$$  kelly.exe
File opened for modification  C:\Windows\SysWOW64\mcbuilder.exe  kelly.exe
File created  C:\Windows\SysWOW64\dpnsvr.exe$$$  kelly.exe
File opened for modification  C:\Windows\SysWOW64\mmc.exe  kelly.exe
File created  C:\Windows\SysWOW64\msiexec.exe$$$  kelly.exe
File created  C:\Windows\SysWOW64\prevhost.exe$$$  kelly.exe
File opened for modification  C:\Windows\SysWOW64\fixmapi.exe$$$  kelly.exe
File opened for modification  C:\Windows\SysWOW64\IME\IMETC\IMTCPROP.exe$$$  kelly.exe
File opened for modification  C:\Windows\SysWOW64\diskperf.exe  kelly.exe
File opened for modification  C:\Windows\SysWOW64\dtdump.exe  kelly.exe
File opened for modification  C:\Windows\SysWOW64\fltMC.exe  kelly.exe
File opened for modification  C:\Windows\SysWOW64\Windows.WARP.JITService.exe  kelly.exe
File opened for modification  C:\Windows\SysWOW64\appidtel.exe$$$  kelly.exe
File opened for modification  C:\Windows\SysWOW64\LaunchWinApp.exe$$$  kelly.exe
File opened for modification  C:\Windows\SysWOW64\print.exe$$$  kelly.exe
File opened for modification  C:\Windows\SysWOW64\printui.exe$$$  kelly.exe
File created  C:\Windows\SysWOW64\doskey.exe$$$  kelly.exe
File opened for modification  C:\Windows\SysWOW64\RunLegacyCPLElevated.exe$$$  kelly.exe
File created  C:\Windows\SysWOW64\ReAgentc.exe$$$  kelly.exe
File created  C:\Windows\SysWOW64\runas.exe$$$  kelly.exe
File opened for modification  C:\Windows\SysWOW64\sdbinst.exe  kelly.exe
File created  C:\Windows\SysWOW64\subst.exe$$$  kelly.exe
File opened for modification  C:\Windows\SysWOW64\tttracer.exe  kelly.exe
File opened for modification  C:\Windows\SysWOW64\scrnsave.scr  kelly.exe
File opened for modification  C:\Windows\SysWOW64\credwiz.exe$$$  kelly.exe
File opened for modification  C:\Windows\SysWOW64\ktmutil.exe  kelly.exe
File opened for modification  C:\Windows\SysWOW64\perfhost.exe  kelly.exe
File created  C:\Windows\SysWOW64\setup16.exe$$$  kelly.exe
File opened for modification  C:\Windows\SysWOW64\wbem\WMIADAP.exe  kelly.exe
File opened for modification  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  kelly.exe
File opened for modification  C:\Windows\SysWOW64\ktmutil.exe$$$  kelly.exe
File created  C:\Windows\SysWOW64\pcaui.exe$$$  kelly.exe
File created  C:\Windows\SysWOW64\dxdiag.exe$$$  kelly.exe
File opened for modification  C:\Windows\SysWOW64\netbtugc.exe  kelly.exe
File opened for modification  C:\Windows\SysWOW64\setup16.exe  kelly.exe
File opened for modification  C:\Windows\SysWOW64\wiaacmgr.exe  kelly.exe
File opened for modification  C:\Windows\SysWOW64\format.com  kelly.exe
File opened for modification  C:\Windows\SysWOW64\dfrgui.exe  kelly.exe
File created  C:\Windows\SysWOW64\find.exe$$$  kelly.exe
File opened for modification  C:\Windows\SysWOW64\iscsicpl.exe  kelly.exe
File opened for modification  C:\Windows\SysWOW64\msdt.exe  kelly.exe
File opened for modification  C:\Windows\SysWOW64\SystemPropertiesProtection.exe  kelly.exe
File opened for modification  C:\Windows\SysWOW64\userinit.exe  kelly.exe
File opened for modification  C:\Windows\SysWOW64\w32tm.exe  kelly.exe
File opened for modification  C:\Windows\SysWOW64\ncpa.cpl$$$  kelly.exe
File opened for modification  C:\Windows\SysWOW64\CertEnrollCtrl.exe  kelly.exe
File opened for modification  C:\Windows\SysWOW64\Fondue.exe  kelly.exe
File opened for modification  C:\Windows\SysWOW64\GamePanel.exe  kelly.exe
File opened for modification  C:\Windows\SysWOW64\proquota.exe$$$  kelly.exe
File opened for modification  C:\Windows\SysWOW64\InstallShield\setup.exe$$$  kelly.exe
File created  C:\Windows\SysWOW64\charmap.exe$$$  kelly.exe
File opened for modification  C:\Windows\SysWOW64\schtasks.exe  kelly.exe
File opened for modification  C:\Windows\SysWOW64\SearchProtocolHost.exe  kelly.exe
File opened for modification  C:\Windows\SysWOW64\dxdiag.exe$$$  kelly.exe
File opened for modification  C:\Windows\SysWOW64\RdpSa.exe$$$  kelly.exe
File opened for modification  C:\Windows\SysWOW64\sc.exe  kelly.exe
File opened for modification  C:\Windows\SysWOW64\rekeywiz.exe  kelly.exe
File opened for modification  C:\Windows\SysWOW64\TsWpfWrp.exe  kelly.exe
File opened for modification  C:\Windows\SysWOW64\irprops.cpl$$$  kelly.exe
File created  C:\Windows\SysWOW64\mstsc.exe$$$  kelly.exe
File opened for modification  C:\Windows\SysWOW64\proquota.exe  kelly.exe
File opened for modification  C:\Windows\SysWOW64\RdpSa.exe  kelly.exe
Drops file in Windows directory (64 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe  kelly.exe
File opened for modification  C:\Windows\SystemApps\Microsoft.Win32WebViewHost_cw5n1h2txyewy\Win32WebViewHost.exe  kelly.exe
File opened for modification  C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\WpcUapApp.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe  kelly.exe
File opened for modification  C:\Windows\SystemApps\Microsoft.Windows.AppResolverUX_cw5n1h2txyewy\AppResolverUX.exe  kelly.exe
File opened for modification  C:\Windows\Boot\DVD\PCAT\etfsboot.com  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe  kelly.exe
File opened for modification  C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy\FileExplorer.exe  kelly.exe
File opened for modification  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe  kelly.exe
File opened for modification  C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\rdrservicesupdater.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe  kelly.exe
File opened for modification  C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe  kelly.exe
File opened for modification  C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\XGpuEjectDialog.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe  kelly.exe
File opened for modification  C:\Windows\SystemApps\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\UndockedDevKit.exe  kelly.exe
File opened for modification  C:\Windows\bfsvc.exe  kelly.exe
File opened for modification  C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config.comments  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  kelly.exe
File opened for modification  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe  kelly.exe
File opened for modification  C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe  kelly.exe
File opened for modification  C:\Windows\notepad.exe  kelly.exe
File opened for modification  C:\Windows\splwow64.exe  kelly.exe
File opened for modification  C:\Windows\write.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config.comments  kelly.exe
File opened for modification  C:\Windows\SystemApps\microsoft.creddialoghost_cw5n1h2txyewy\CredDialogHost.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe  kelly.exe
File opened for modification  C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe  kelly.exe
File opened for modification  C:\Windows\servicing\TrustedInstaller.exe  kelly.exe
File opened for modification  C:\Windows\Fonts\GlobalMonospace.CompositeFont  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe  kelly.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe  kelly.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  Process
544  kelly.exe
544  kelly.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description  pid  Process
Token: SeDebugPrivilege  544  kelly.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description  pid  Process  procid_target
PID 3788 wrote to memory of 544  3788  9e8e1d1344d5461ddb2e864ff17252e3ef58401c506c573c1d4a52bbfea056b5.exe  83
PID 3788 wrote to memory of 544  3788  9e8e1d1344d5461ddb2e864ff17252e3ef58401c506c573c1d4a52bbfea056b5.exe  83
PID 3788 wrote to memory of 544  3788  9e8e1d1344d5461ddb2e864ff17252e3ef58401c506c573c1d4a52bbfea056b5.exe  83
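Two things an analyst wants from the "Drops file" rows above are a machine-readable version of the flattened table and the host-side checks it implies. Note that every `<name>$$$` entry sits beside a same-named system binary that kelly.exe also opened for modification (mcbuilder.exe$$$ and mcbuilder.exe, sdbinst.exe$$$ and sdbinst.exe, setup16.exe$$$ and setup16.exe, and so on), and that the targets are almost entirely Windows system executables under SysWOW64, the .NET Framework directories and SystemApps. The Python below is an added example, not part of the sandbox output and not code from any tool the report names: it parses a subset of the report's own rows (plus one constructed benign row as a negative case), derives a hunt list, and flags any process that both writes `$$$` temp copies and opens several executables under C:\Windows for modification. The threshold, the extension list and the helper names are assumptions of the example.

```python
"""Added example (not part of the sandbox report): turn the flattened
"description ioc Process" rows into records, derive a host hunt list,
and apply a simple file-infector heuristic.

RAW_ROWS copies rows from the report, except the last one, which is a
constructed benign row used as a negative case. Thresholds and helper
names are assumptions of this example."""
import re
from collections import defaultdict

RAW_ROWS = " ".join([
    "File created C:\\Windows\\SysWOW64\\mcbuilder.exe$$$ kelly.exe",
    "File opened for modification C:\\Windows\\SysWOW64\\rasdial.exe kelly.exe",
    "File created C:\\Windows\\SysWOW64\\sdbinst.exe$$$ kelly.exe",
    "File opened for modification C:\\Windows\\SysWOW64\\mcbuilder.exe kelly.exe",
    "File opened for modification C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe kelly.exe",
    "File opened for modification C:\\Windows\\Microsoft.NET\\Framework\\v3.0\\Windows Communication Foundation\\ComSvcConfig.exe kelly.exe",
    "File opened for modification C:\\Windows\\servicing\\TrustedInstaller.exe kelly.exe",
    "File opened for modification C:\\Windows\\Fonts\\GlobalMonospace.CompositeFont kelly.exe",
    "File opened for modification C:\\Windows\\notepad.exe kelly.exe",
    # constructed negative case: a servicing process touching a single binary
    "File opened for modification C:\\Windows\\notepad.exe TrustedInstaller.exe",
])

TEMP_SUFFIX = "$$$"
EXEC_EXT = (".exe", ".com", ".scr", ".cpl")   # assumed set of "executable" extensions

# One row = action, a path that may contain spaces, then the process name,
# followed either by the next row's action keyword or by end of text.
ROW = re.compile(
    r"(File created|File opened for modification) (.+?) (\S+)"
    r"(?= File created| File opened for modification|$)"
)


def parse_rows(text):
    """Return [{'action', 'path', 'process'}] for each row in the flattened text."""
    return [{"action": a, "path": p, "process": proc}
            for a, p, proc in ROW.findall(text)]


def hunt_list(rows):
    """What to look for on a suspect host: '$$$' temp copies (absent on a
    clean system) and the originals whose Authenticode signature or hash
    should be re-checked."""
    temp = sorted({r["path"] for r in rows if r["path"].endswith(TEMP_SUFFIX)})
    modified = sorted({r["path"] for r in rows
                       if r["action"] == "File opened for modification"
                       and not r["path"].endswith(TEMP_SUFFIX)})
    return temp, modified


def infector_heuristic(rows, min_modified=5):
    """Flag processes that create '*$$$' files AND open at least
    min_modified distinct executables under C:\\Windows for modification.
    Returns {process: (temp_file_count, modified_exe_count)}."""
    stats = defaultdict(lambda: {"temp": set(), "mod": set()})
    for r in rows:
        path = r["path"]
        low = path.lower()
        if path.endswith(TEMP_SUFFIX):
            stats[r["process"]]["temp"].add(path)
        elif (r["action"] == "File opened for modification"
              and low.startswith("c:\\windows\\") and low.endswith(EXEC_EXT)):
            stats[r["process"]]["mod"].add(path)
    return {proc: (len(s["temp"]), len(s["mod"]))
            for proc, s in stats.items()
            if s["temp"] and len(s["mod"]) >= min_modified}


if __name__ == "__main__":
    rows = parse_rows(RAW_ROWS)
    temp, modified = hunt_list(rows)
    print("temp copies to look for:", *temp, sep="\n  ")
    print("binaries to re-verify:", *modified, sep="\n  ")
    print("flagged:", infector_heuristic(rows))
```

On a suspect host the two lists map directly onto checks: the `$$$` paths should not exist at all, and every path in the modified list should still carry a valid Authenticode signature (for example via `Get-AuthenticodeSignature`) or match the hash of the same file taken from a clean image. The report also shows non-executables being opened (GlobalMonospace.CompositeFont, web.config.comments); the heuristic deliberately ignores those, so adjust EXEC_EXT and the threshold to your own telemetry before using it as a rule.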
Processes

1. C:\Users\Admin\AppData\Local\Temp\9e8e1d1344d5461ddb2e864ff17252e3ef58401c506c573c1d4a52bbfea056b5.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\9e8e1d1344d5461ddb2e864ff17252e3ef58401c506c573c1d4a52bbfea056b5.exe"
   PID: 3788
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\kelly.exe
      command line: "kelly.exe"
      PID: 544
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 125KB
MD5: cb365978f54d1fcfbcfd03cd0e101aad
SHA1: 9ef8d4455ce52810e2ce2fc9a9230ebd6356b7a2
SHA256: 7f55f6768c1e7017f2dddc66b2031ae01852becc33f396afa79f02f5a31d4680
SHA512: 76e7b1360da4f80f59f61ce7e6ee02bce9562406af4320e02a20efbda6040a6535fba13b208b10aa56b66c36731f69c3b92297e41560bb4be8d3546de4b824d1