aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f

Analysis

max time kernel
163s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f.exe
Size

198KB
MD5

a134c1aa25e2134f76c40591cae70ff0
SHA1

a93d183c03f31d75b0bedafc80fbff26aadb0174
SHA256

aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f
SHA512

772446e674f22f6413d463dde2c9de46ea346c0e7d4fc2740d0e18ade266b297e38f906d385e972bb85a650a04a951261f4fffc4b8309989a472a8bf73332081
SSDEEP

3072:nBI5ArKGCnhgU1XA+ArXjeaMoh6lgUaVwQ+/76bSSN+PS7VyoCeJ6ikzG26LOUp:nK5ArKjbAxXSaegUqGeGpBohMzi

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2664	Systtion.exe
3100	ctfmtify.exe
1448	~4882.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\proqPing = "C:\\Users\\Admin\\AppData\\Roaming\\dccwange\\Systtion.exe"	aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ctfmtify.exe	aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2664	Systtion.exe
2664	Systtion.exe
3100	ctfmtify.exe
3100	ctfmtify.exe
3068	Explorer.EXE
3068	Explorer.EXE
3100	ctfmtify.exe
3100	ctfmtify.exe
3068	Explorer.EXE
3068	Explorer.EXE
3100	ctfmtify.exe
3100	ctfmtify.exe
3068	Explorer.EXE
3068	Explorer.EXE
3100	ctfmtify.exe
3100	ctfmtify.exe
3068	Explorer.EXE
3068	Explorer.EXE
3100	ctfmtify.exe
3100	ctfmtify.exe
3068	Explorer.EXE
3068	Explorer.EXE
3100	ctfmtify.exe
3100	ctfmtify.exe
3068	Explorer.EXE
3068	Explorer.EXE
3100	ctfmtify.exe
3100	ctfmtify.exe
3068	Explorer.EXE
3068	Explorer.EXE
3100	ctfmtify.exe
3100	ctfmtify.exe
3068	Explorer.EXE
3068	Explorer.EXE
3100	ctfmtify.exe
3100	ctfmtify.exe
3068	Explorer.EXE
3068	Explorer.EXE
3100	ctfmtify.exe
3100	ctfmtify.exe
3068	Explorer.EXE
3068	Explorer.EXE
3100	ctfmtify.exe
3100	ctfmtify.exe
3068	Explorer.EXE
3068	Explorer.EXE
3100	ctfmtify.exe
3100	ctfmtify.exe
3068	Explorer.EXE
3068	Explorer.EXE
3100	ctfmtify.exe
3100	ctfmtify.exe
3068	Explorer.EXE
3068	Explorer.EXE
3100	ctfmtify.exe
3100	ctfmtify.exe
3068	Explorer.EXE
3068	Explorer.EXE
3100	ctfmtify.exe
3100	ctfmtify.exe
3068	Explorer.EXE
3068	Explorer.EXE
3100	ctfmtify.exe
3100	ctfmtify.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3068	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2664	2288	aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f.exe	78
PID 2288 wrote to memory of 2664	2288	aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f.exe	78
PID 2288 wrote to memory of 2664	2288	aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f.exe	78
PID 2664 wrote to memory of 1448	2664	Systtion.exe	80
PID 2664 wrote to memory of 1448	2664	Systtion.exe	80
PID 2288 wrote to memory of 3644	2288	aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f.exe	81
PID 2288 wrote to memory of 3644	2288	aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f.exe	81
PID 2288 wrote to memory of 3644	2288	aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f.exe	81
PID 1448 wrote to memory of 3068	1448	~4882.tmp	30
PID 3644 wrote to memory of 4960	3644	cmd.exe	83
PID 3644 wrote to memory of 4960	3644	cmd.exe	83
PID 3644 wrote to memory of 4960	3644	cmd.exe	83

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4960	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:3068
- C:\Users\Admin\AppData\Local\Temp\aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f.exe
  "C:\Users\Admin\AppData\Local\Temp\aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Users\Admin\AppData\Roaming\dccwange\Systtion.exe
    "C:\Users\Admin\AppData\Roaming\dccwange\Systtion.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\~4882.tmp
      "C:\Users\Admin\AppData\Local\Temp\~4882.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1448
- - C:\Windows\SysWOW64\cmd.exe
    /C 240601328.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h "aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f.exe"
      4⤵
      Views/modifies file attributes
      PID:4960

C:\Windows\SysWOW64\ctfmtify.exe
C:\Windows\SysWOW64\ctfmtify.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240601328.cmd

Filesize
291B

MD5
215eb32f1f742f25101aef156aca73f4

SHA1
67e5c6b6f541bf6882ef39f800ab9413b0ac9369

SHA256
b289ad9bee67df22a4b57c08a8930245f7eb42752a427395fd1729487930defa

SHA512
61afc433d9cdb0b8dc867c3b6976e9725a56b8d04c006f7c4279ff8382c5da59c0ad800d15f4512fb1ce1753df19e7fc1f1bbb4e3a38f3e8f7af013b67b719d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~4882.tmp

Filesize
6KB

MD5
bc4308b450902509dfa763a2b8a50768

SHA1
99342935b82034c7e572be813d06c3e5ab5bdf6e

SHA256
dd50c803e66827139e079a964f36ac1f0f8732a05bc309bd685125e8b5807230

SHA512
82bdab8a5d76975f5b9fe4eaf96063409993cf5bb3e54ba5edf9f521b96d9f7a5881ec93681ff5955ebc8e30e3f1812d8f31d53d4027ed7e91822c8d59a474e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~4882.tmp

Filesize
6KB

MD5
bc4308b450902509dfa763a2b8a50768

SHA1
99342935b82034c7e572be813d06c3e5ab5bdf6e

SHA256
dd50c803e66827139e079a964f36ac1f0f8732a05bc309bd685125e8b5807230

SHA512
82bdab8a5d76975f5b9fe4eaf96063409993cf5bb3e54ba5edf9f521b96d9f7a5881ec93681ff5955ebc8e30e3f1812d8f31d53d4027ed7e91822c8d59a474e1

Download Submit
C:\Users\Admin\AppData\Roaming\dccwange\Systtion.exe

Filesize
172KB

MD5
3881f670e02a831e43af201c4bf9855f

SHA1
79996897530a5e6dc4f65c2b155f8a2d31a26fc6

SHA256
ab3c7824ac814855a628656612239eee48809d9233d75b6a9d4e4cc6c6e3a605

SHA512
cbf62a95052f6d6fc8f36f5bcdea1f42a8290b9efd792a3f8a3db55a12273f282908ae69bda451cd517e2dc57b60601f91e251bdbc181ef2a745312ebf2f1af4

Download Submit
C:\Users\Admin\AppData\Roaming\dccwange\Systtion.exe

Filesize
172KB

MD5
3881f670e02a831e43af201c4bf9855f

SHA1
79996897530a5e6dc4f65c2b155f8a2d31a26fc6

SHA256
ab3c7824ac814855a628656612239eee48809d9233d75b6a9d4e4cc6c6e3a605

SHA512
cbf62a95052f6d6fc8f36f5bcdea1f42a8290b9efd792a3f8a3db55a12273f282908ae69bda451cd517e2dc57b60601f91e251bdbc181ef2a745312ebf2f1af4

Download Submit
C:\Windows\SysWOW64\ctfmtify.exe

Filesize
198KB

MD5
a134c1aa25e2134f76c40591cae70ff0

SHA1
a93d183c03f31d75b0bedafc80fbff26aadb0174

SHA256
aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f

SHA512
772446e674f22f6413d463dde2c9de46ea346c0e7d4fc2740d0e18ade266b297e38f906d385e972bb85a650a04a951261f4fffc4b8309989a472a8bf73332081

Download Submit
C:\Windows\SysWOW64\ctfmtify.exe

Filesize
198KB

MD5
a134c1aa25e2134f76c40591cae70ff0

SHA1
a93d183c03f31d75b0bedafc80fbff26aadb0174

SHA256
aa8ee65a6aeac42c1f8cee56698e37f04232fdda7c55254e2298b445a5ff048f

SHA512
772446e674f22f6413d463dde2c9de46ea346c0e7d4fc2740d0e18ade266b297e38f906d385e972bb85a650a04a951261f4fffc4b8309989a472a8bf73332081

Download Submit
memory/2288-132-0x00000000006C0000-0x0000000000704000-memory.dmp

Filesize
272KB

Download
memory/3068-144-0x0000000002D90000-0x0000000002DD1000-memory.dmp

Filesize
260KB

Download
memory/3100-145-0x0000000000AA0000-0x0000000000AE4000-memory.dmp

Filesize
272KB

Download