7c172ec7ba1803e0106065216a0f8840bae93e16357d89d9206ad33cccb05834

Analysis

max time kernel
91s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 13:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7c172ec7ba1803e0106065216a0f8840bae93e16357d89d9206ad33cccb05834.exe
Size

793KB
MD5

84b5811ca5a7b52c8d3df97c8481cd40
SHA1

1fb2cd0a87f7522e49d1ab6c20315405ee0ea874
SHA256

7c172ec7ba1803e0106065216a0f8840bae93e16357d89d9206ad33cccb05834
SHA512

db16101e167c1fd709f0301398bad2594ed834ad6c610fd71f17e2f84b5a382de97f7195ae55b1ddf302ca8d84d50573bb54ad2b6c9f47ae472e86db5ab9f362
SSDEEP

24576:j1Rt36NQUQfsCZJVm1g0FkwUqEkOCyw8KGsIifCYH:jR6NQhsCZLm1g0FkwJEXPoC8

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2384	setup.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\37d848d3\\setup.exe"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\37d848d3\\setup.exe"	setup.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe

Modifies registry class 34 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\37d848d3"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\ = "TinyJSObject Class"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version\ = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\ = "JSIELib"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS\ = "0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\37d848d3\\setup.exe"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib\ = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\37d848d3\\setup.exe"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\37d848d3\\setup.exe"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib	setup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2384	setup.exe
2384	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2384	2140	7c172ec7ba1803e0106065216a0f8840bae93e16357d89d9206ad33cccb05834.exe	82
PID 2140 wrote to memory of 2384	2140	7c172ec7ba1803e0106065216a0f8840bae93e16357d89d9206ad33cccb05834.exe	82
PID 2140 wrote to memory of 2384	2140	7c172ec7ba1803e0106065216a0f8840bae93e16357d89d9206ad33cccb05834.exe	82

C:\Users\Admin\AppData\Local\Temp\7c172ec7ba1803e0106065216a0f8840bae93e16357d89d9206ad33cccb05834.exe
"C:\Users\Admin\AppData\Local\Temp\7c172ec7ba1803e0106065216a0f8840bae93e16357d89d9206ad33cccb05834.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\37d848d3\setup.exe
  "C:\Users\Admin\AppData\Local\Temp/37d848d3/setup.exe" ProfileFileName=step0.ini
  2⤵
  - Executes dropped EXE
  - Registers COM server for autorun
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\37d848d3\installer\boot.dat

Filesize
1KB

MD5
006bb5d4955e8b539afc413eb10c183b

SHA1
2f7e9309271048f4beecddd3632c422d4ca19852

SHA256
136472a8f1212856a24f158aac4a9ec48e9109b025c984e3988c5a8cfcfe8837

SHA512
5e454355f1b2103973595eb8a5d01979405eb802a659fa13b890d032fff1321e5919c989bd4bd4cdd97d85d96851f8bbddeaa4485983eca8fc12482dcd805da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\37d848d3\installer\installer-config.dat

Filesize
4KB

MD5
9e81bb82a1ae6e9323fdc1d46a561904

SHA1
32de2c2c79b5a849e3a967e653ce372ae10a0142

SHA256
a8218daa14622cd1cd7e822c74aa686f87e0afca9ee41eb48d2ef8cc29add5ea

SHA512
10e356fe68090713ed85002c2a1f8afc52dcc06744c44cf0266b730089c05ac312640b92b66c086d4f1fbb8609fdeb4b34e393f32f11fafdfdadafa216cb83c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\37d848d3\installer\installer.dat

Filesize
34KB

MD5
545390d29b63954b7a3bdc5da8d5761d

SHA1
4d2a227fee05d6682f718fcb567825f4a04d2aa7

SHA256
90814e67da7cfb0826937ec935562d6f8663b64159ee8f9bd3dbc71cbe263c26

SHA512
bbf0869b4143fcb095e8d7f7dcc8dc2ae8ab6899317072f1af94ae51d393e583071cd4c96dd398c649747f0a072f664f825422a25457fec13809ce77b2212521

Download Submit
C:\Users\Admin\AppData\Local\Temp\37d848d3\installer\new-screen.dat

Filesize
2KB

MD5
a569b2637d244040df5c07207724e5b5

SHA1
64bc7873c74e40ab794f4a49aa01079a70d00094

SHA256
081f00d28a89b52810e9f468719d2b3aa6aafbe81770cc658b63019d7166d511

SHA512
011a72ac621f84dbdf906c96e81c99d43c0476047261eeb31bd2679eba76eecf3bced3c2ebe7db5e1b9f6a46b4146151668b071f7597e866bffb2a7abb55bbee

Download Submit
C:\Users\Admin\AppData\Local\Temp\37d848d3\installer\step0.ini

Filesize
15KB

MD5
5a89773eff66832c69c02aa4e3f79a13

SHA1
96151c8e725be419133b4e12fbb94038bf44fe68

SHA256
93cd8b28babbc6f2bcd464a31ede15af61064dcbcce5ee7e6a00bbcc9029b1d6

SHA512
457c2a29fba4524bd1917a88bf212e2135d5807859f7e7d131ecab5e9cf217d49288a5d5b0a91c07dc01011d726a2b3a5eea688cc244f3bbfa79a419f1c149be

Download Submit
C:\Users\Admin\AppData\Local\Temp\37d848d3\installer\step0.ini

Filesize
26KB

MD5
4a933f1e4fe7c6da7727b7a4c127a895

SHA1
44f47f22b5985d96a4052f6d36b07043e13057cd

SHA256
03f0ccd6dcad20b4c7a15aec86b7685a6897894260b47ccee1882593ff64a60a

SHA512
0990bf2ec9acedfbf029f50a9c0147cdee77fa0e2e6c744179c6e9c9af4691178b684d8a56390819b3f90a21b7d8f03f441b4305cc74404f0bad8952636cf21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\37d848d3\setup.exe

Filesize
1.3MB

MD5
09814f775da3cb93cda28b18bacc1f98

SHA1
eeaf8388bba468f5317ff24a781d7257f891ee71

SHA256
4f98d731e973311f13c6c9f214624068d9eb83290de5422e0218ddd81dbb7432

SHA512
b81bd9bb1c56f5a9e03196d754833a1dc90cf260c2f040c8e0933c24f23ac011cbb74e9864d8b3a15a6509371ce5f59c64b7dac64b3148a02c7c69bc7f33c539

Download Submit
C:\Users\Admin\AppData\Local\Temp\37d848d3\setup.exe

Filesize
1.3MB

MD5
09814f775da3cb93cda28b18bacc1f98

SHA1
eeaf8388bba468f5317ff24a781d7257f891ee71

SHA256
4f98d731e973311f13c6c9f214624068d9eb83290de5422e0218ddd81dbb7432

SHA512
b81bd9bb1c56f5a9e03196d754833a1dc90cf260c2f040c8e0933c24f23ac011cbb74e9864d8b3a15a6509371ce5f59c64b7dac64b3148a02c7c69bc7f33c539

Download Submit