0e137f7645e4ad425c9b9f62b3e4030c74c437f8dd073aabd94826abf9a7ac78

Analysis

max time kernel
165s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 15:09 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e137f7645e4ad425c9b9f62b3e4030c74c437f8dd073aabd94826abf9a7ac78.exe
Size

132KB
MD5

822a513f24b55f76f92aff31447b91ca
SHA1

3bdbe6668db40a4de353073a84125d3f39ed999e
SHA256

0e137f7645e4ad425c9b9f62b3e4030c74c437f8dd073aabd94826abf9a7ac78
SHA512

8b3b1236c532c9f011309886be278513dfad39eda42706c64f294599266c06ce1ca57b2a55285264af8fc052e9213a05815dede007d08734f4dd88489ca66262
SSDEEP

3072:pMPcvqBCJvM6VPabBYG2rGPXklgR+R1szfy:UOcKFC7klh4O

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4440	setdebugnt.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	setdebugnt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft® ActiveX Debugger NT = "\"c:\\windows\\setdebugnt.exe\""	setdebugnt.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\setdebugnt.exe	0e137f7645e4ad425c9b9f62b3e4030c74c437f8dd073aabd94826abf9a7ac78.exe
File created	C:\Windows\ieupdate.dat	setdebugnt.exe
File created	\??\c:\windows\setdebugnt.exe	0e137f7645e4ad425c9b9f62b3e4030c74c437f8dd073aabd94826abf9a7ac78.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4808	0e137f7645e4ad425c9b9f62b3e4030c74c437f8dd073aabd94826abf9a7ac78.exe
4440	setdebugnt.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 4440	4808	0e137f7645e4ad425c9b9f62b3e4030c74c437f8dd073aabd94826abf9a7ac78.exe	79
PID 4808 wrote to memory of 4440	4808	0e137f7645e4ad425c9b9f62b3e4030c74c437f8dd073aabd94826abf9a7ac78.exe	79
PID 4808 wrote to memory of 4440	4808	0e137f7645e4ad425c9b9f62b3e4030c74c437f8dd073aabd94826abf9a7ac78.exe	79

C:\Users\Admin\AppData\Local\Temp\0e137f7645e4ad425c9b9f62b3e4030c74c437f8dd073aabd94826abf9a7ac78.exe
"C:\Users\Admin\AppData\Local\Temp\0e137f7645e4ad425c9b9f62b3e4030c74c437f8dd073aabd94826abf9a7ac78.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4808
- \??\c:\windows\setdebugnt.exe
  c:\windows\setdebugnt.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:4440

Network

DNS

www.supernet.speedserv.com

setdebugnt.exe

Remote address:

8.8.8.8:53

Request

www.supernet.speedserv.com

IN A

Response
DNS

smtp.mail.yahoo.com.br

setdebugnt.exe

Remote address:

8.8.8.8:53

Request

smtp.mail.yahoo.com.br

IN A

Response

smtp.mail.yahoo.com.br

IN CNAME

smtp.mail.yahoo.com

smtp.mail.yahoo.com

IN CNAME

smtp.mail.global.gm0.yahoodns.net

smtp.mail.global.gm0.yahoodns.net

IN A

87.248.97.36
DNS

106.89.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

106.89.54.20.in-addr.arpa

IN PTR

Response
DNS

9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa

Remote address:

8.8.8.8:53

Request

9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa

IN PTR

Response

209.197.3.8:80

46 B
40 B
1
1
72.21.91.29:80

46 B
40 B
1
1
87.248.97.36:25

smtp.mail.yahoo.com.br

setdebugnt.exe

260 B
5
8.238.20.126:80

322 B
7
20.54.89.106:443

260 B
5
13.89.179.8:443

322 B
7
8.238.20.126:80

322 B
7
8.238.20.126:80

322 B
7
8.253.208.120:80

322 B
7

8.8.8.8:53

www.supernet.speedserv.com

dns

setdebugnt.exe

72 B
141 B
1
1

DNS Request

www.supernet.speedserv.com
8.8.8.8:53

smtp.mail.yahoo.com.br

dns

setdebugnt.exe

68 B
164 B
1
1

DNS Request

smtp.mail.yahoo.com.br

DNS Response

87.248.97.36
8.8.8.8:53

106.89.54.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

106.89.54.20.in-addr.arpa
8.8.8.8:53

9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa

dns

118 B
204 B
1
1

DNS Request

9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\setdebugnt.exe

Filesize
132KB

MD5
822a513f24b55f76f92aff31447b91ca

SHA1
3bdbe6668db40a4de353073a84125d3f39ed999e

SHA256
0e137f7645e4ad425c9b9f62b3e4030c74c437f8dd073aabd94826abf9a7ac78

SHA512
8b3b1236c532c9f011309886be278513dfad39eda42706c64f294599266c06ce1ca57b2a55285264af8fc052e9213a05815dede007d08734f4dd88489ca66262

Download Submit
\??\c:\windows\setdebugnt.exe

Filesize
132KB

MD5
822a513f24b55f76f92aff31447b91ca

SHA1
3bdbe6668db40a4de353073a84125d3f39ed999e

SHA256
0e137f7645e4ad425c9b9f62b3e4030c74c437f8dd073aabd94826abf9a7ac78

SHA512
8b3b1236c532c9f011309886be278513dfad39eda42706c64f294599266c06ce1ca57b2a55285264af8fc052e9213a05815dede007d08734f4dd88489ca66262

Download Submit
memory/4440-140-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/4440-142-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/4808-132-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/4808-141-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.