15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09

Analysis

max time kernel
91s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
Size

29KB
MD5

81fd5c930e38d482459cb239733571a0
SHA1

a348cd17bd63f0ef43c66e13a81730eb467af5e8
SHA256

15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09
SHA512

e93608c1be6bee42b46ea69483e287a3ef5330803a4c901828a54455a15cdf1a4ca67822f3b074e151bcc848bdd4af8246204b2d26e32ef2403bbc9f62b9bec8
SSDEEP

768:bkFv1J+LgDuOm/cMnRV2/5pdrxMprMnKlwfcqAO0BI:bkYLYMnR8lr8oyQiO1

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4092	MayaBabyMain.exe

Loads dropped DLL 2 IoCs

pid	Process
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
4092	MayaBabyMain.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MayaBaby\MayaBabyMain.tmp	MayaBabyMain.exe
File created	C:\Windows\SysWOW64\MayaBaby\MayaBabySYS.dat	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
File opened for modification	C:\Windows\SysWOW64\MayaBaby\MayaBabySYS.dat	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
File created	C:\Windows\SysWOW64\MayaBaby\MayaBabyMain.tmp	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
File opened for modification	C:\Windows\SysWOW64\MayaBaby\MayaBabyMain.tmp	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
File created	C:\Windows\SysWOW64\MayaBaby\MayaBabyDll.dat	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
File opened for modification	C:\Windows\SysWOW64\MayaBaby\MayaBabyDll.dat	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
File opened for modification	C:\Windows\SysWOW64\me.bat	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
File created	C:\Windows\SysWOW64\MayaBaby\MayaBabyDll.dat	MayaBabyMain.exe
File created	C:\Windows\SysWOW64\MayaBaby\MayaBabyMain.tmp	MayaBabyMain.exe
File opened for modification	C:\Windows\SysWOW64\MayaBaby\MayaBabySYS.dat	MayaBabyMain.exe
File opened for modification	C:\Windows\SysWOW64\MayaBaby\MayaBabyDll.dat	MayaBabyMain.exe
File created	C:\Windows\SysWOW64\me.bat	MayaBabyMain.exe
File opened for modification	C:\Windows\SysWOW64\me.bat	attrib.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
4092	MayaBabyMain.exe
4092	MayaBabyMain.exe
4092	MayaBabyMain.exe
4092	MayaBabyMain.exe
4092	MayaBabyMain.exe
4092	MayaBabyMain.exe
4092	MayaBabyMain.exe
4092	MayaBabyMain.exe
4092	MayaBabyMain.exe
4092	MayaBabyMain.exe
4092	MayaBabyMain.exe
4092	MayaBabyMain.exe
4092	MayaBabyMain.exe
4092	MayaBabyMain.exe
4092	MayaBabyMain.exe
4092	MayaBabyMain.exe
4092	MayaBabyMain.exe
4092	MayaBabyMain.exe
4092	MayaBabyMain.exe
4092	MayaBabyMain.exe
4092	MayaBabyMain.exe
4092	MayaBabyMain.exe
4092	MayaBabyMain.exe
4092	MayaBabyMain.exe
4092	MayaBabyMain.exe
4092	MayaBabyMain.exe
4092	MayaBabyMain.exe
4092	MayaBabyMain.exe
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
Token: SeDebugPrivilege	4092	MayaBabyMain.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 368	4092	MayaBabyMain.exe	82
PID 4092 wrote to memory of 368	4092	MayaBabyMain.exe	82
PID 4092 wrote to memory of 368	4092	MayaBabyMain.exe	82
PID 1316 wrote to memory of 1360	1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe	84
PID 1316 wrote to memory of 1360	1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe	84
PID 1316 wrote to memory of 1360	1316	15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe	84
PID 368 wrote to memory of 1876	368	cmd.exe	86
PID 368 wrote to memory of 1876	368	cmd.exe	86
PID 368 wrote to memory of 1876	368	cmd.exe	86

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1876	attrib.exe

C:\Users\Admin\AppData\Local\Temp\15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe
"C:\Users\Admin\AppData\Local\Temp\15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\me.bat
  2⤵
  PID:1360

C:\Windows\SysWOW64\MayaBaby\MayaBabyMain.exe
C:\Windows\SysWOW64\MayaBaby\MayaBabyMain.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\me.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h -s -r -a C:\Windows\system32\me.bat
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:1876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MayaBaby\MayaBabyDll.dat

Filesize
17KB

MD5
e06782d0b2624273e49cab6fdfbca003

SHA1
45b7f58f741733319ff3821a40c71e2d7a9501fc

SHA256
6d91811228b0606b45ba00a66a7829bf147dc03a895ec50fe18726d291927d41

SHA512
e8d12a7c05de3207fab9c482d63b38671055935ea5ca7c85b0981577414f72743fb44a8cb6f530d4daccb995e13ad3e13f588409c793ee2978decd3c6d2e53c6

Download Submit
C:\Windows\SysWOW64\MayaBaby\MayaBabyDll.dat

Filesize
17KB

MD5
e06782d0b2624273e49cab6fdfbca003

SHA1
45b7f58f741733319ff3821a40c71e2d7a9501fc

SHA256
6d91811228b0606b45ba00a66a7829bf147dc03a895ec50fe18726d291927d41

SHA512
e8d12a7c05de3207fab9c482d63b38671055935ea5ca7c85b0981577414f72743fb44a8cb6f530d4daccb995e13ad3e13f588409c793ee2978decd3c6d2e53c6

Download Submit
C:\Windows\SysWOW64\MayaBaby\MayaBabyDll.dat

Filesize
17KB

MD5
e06782d0b2624273e49cab6fdfbca003

SHA1
45b7f58f741733319ff3821a40c71e2d7a9501fc

SHA256
6d91811228b0606b45ba00a66a7829bf147dc03a895ec50fe18726d291927d41

SHA512
e8d12a7c05de3207fab9c482d63b38671055935ea5ca7c85b0981577414f72743fb44a8cb6f530d4daccb995e13ad3e13f588409c793ee2978decd3c6d2e53c6

Download Submit
C:\Windows\SysWOW64\MayaBaby\MayaBabyMain.exe

Filesize
29KB

MD5
81fd5c930e38d482459cb239733571a0

SHA1
a348cd17bd63f0ef43c66e13a81730eb467af5e8

SHA256
15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09

SHA512
e93608c1be6bee42b46ea69483e287a3ef5330803a4c901828a54455a15cdf1a4ca67822f3b074e151bcc848bdd4af8246204b2d26e32ef2403bbc9f62b9bec8

Download Submit
C:\Windows\SysWOW64\MayaBaby\MayaBabyMain.exe

Filesize
29KB

MD5
81fd5c930e38d482459cb239733571a0

SHA1
a348cd17bd63f0ef43c66e13a81730eb467af5e8

SHA256
15417700179188753b6996ad3e557ca810169675e29505d0aaccbc025bb76b09

SHA512
e93608c1be6bee42b46ea69483e287a3ef5330803a4c901828a54455a15cdf1a4ca67822f3b074e151bcc848bdd4af8246204b2d26e32ef2403bbc9f62b9bec8

Download Submit
C:\Windows\SysWOW64\MayaBaby\MayaBabySYS.dat

Filesize
3KB

MD5
5a2a1a482b3329da4389f48fa53c1c27

SHA1
1570d0291eeb4963715b6224e425659adb4d7865

SHA256
f60b98379ef24d31742a8872f16d8a487f32ca590a364b5594da3f9ce4c07849

SHA512
3e161e32660d5a80c11a9517b9b56e102afd8e4527bac989d5229fbc8fe05ad185478a26d0167e91f9148dc3b172c8821bbd585245647501d22708be8d70d538

Download Submit
C:\Windows\SysWOW64\me.bat

Filesize
162B

MD5
f5ca46311bf64d6e3d033fb1c875b6ce

SHA1
ae91fa1b22e4dbcbc71ed346f4d337dd5c7d6fde

SHA256
418c4b6c71fe56cbfad8a7c1d8e7970cc6378385db0573ebd85771dcb69ab2d0

SHA512
642de93e2ffce657c8d596d2f55ce86e2c91440d70dca810f796794f6220dba971392e8fb6fa72fdbc5599ea35b9d0f04ae5d1c8fc29e6b27ef9197bfb85e29d

Download Submit
C:\Windows\SysWOW64\me.bat

Filesize
162B

MD5
f5ca46311bf64d6e3d033fb1c875b6ce

SHA1
ae91fa1b22e4dbcbc71ed346f4d337dd5c7d6fde

SHA256
418c4b6c71fe56cbfad8a7c1d8e7970cc6378385db0573ebd85771dcb69ab2d0

SHA512
642de93e2ffce657c8d596d2f55ce86e2c91440d70dca810f796794f6220dba971392e8fb6fa72fdbc5599ea35b9d0f04ae5d1c8fc29e6b27ef9197bfb85e29d

Download Submit
memory/1316-133-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1316-146-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4092-139-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4092-141-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download