ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2

Analysis

max time kernel
136s
max time network
172s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 06:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Size

128KB
MD5

30be235af22923ddad497197b5d6dd90
SHA1

304afb175b90717072cbed8d4d96a7ba6f88b2de
SHA256

ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2
SHA512

68fd51c9be62fe3f75962e419cf24007b8658b2e0ad675eef976789a7a777478856cfc5cd4b04f09d89a6c5fb9a1843b08e077bdf79792b730de1d220bc0e7e4
SSDEEP

1536:FVbhkVJCbqdl7Df6JmtVBPuO74EVre/BwjNCG1j3T1PhpdOlGGuRx+Bkqp951SkJ:/bif6Jmtek4E1e7szBPzQlvvtJ

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1768	xbee.exe
1472	xbee.exe

Loads dropped DLL 2 IoCs

pid	Process
1696	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
1696	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ricvtq = "C:\\Users\\Admin\\AppData\\Roaming\\xbee.exe"	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1000 set thread context of 1696	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe	27
PID 1768 set thread context of 1472	1768	xbee.exe	29

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
Token: SeSecurityPrivilege	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 1696	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe	27
PID 1000 wrote to memory of 1696	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe	27
PID 1000 wrote to memory of 1696	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe	27
PID 1000 wrote to memory of 1696	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe	27
PID 1000 wrote to memory of 1696	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe	27
PID 1000 wrote to memory of 1696	1000	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe	27
PID 1696 wrote to memory of 1768	1696	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe	28
PID 1696 wrote to memory of 1768	1696	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe	28
PID 1696 wrote to memory of 1768	1696	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe	28
PID 1696 wrote to memory of 1768	1696	ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe	28
PID 1768 wrote to memory of 1472	1768	xbee.exe	29
PID 1768 wrote to memory of 1472	1768	xbee.exe	29
PID 1768 wrote to memory of 1472	1768	xbee.exe	29
PID 1768 wrote to memory of 1472	1768	xbee.exe	29
PID 1768 wrote to memory of 1472	1768	xbee.exe	29
PID 1768 wrote to memory of 1472	1768	xbee.exe	29

C:\Users\Admin\AppData\Local\Temp\ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
"C:\Users\Admin\AppData\Local\Temp\ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Users\Admin\AppData\Local\Temp\ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
  C:\Users\Admin\AppData\Local\Temp\ed9559d5ae8705e33ac5a05c22c6d67aab383fe6342a160e388d086f308d26a2.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\AppData\Roaming\xbee.exe
    C:\Users\Admin\AppData\Roaming\xbee.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Users\Admin\AppData\Roaming\xbee.exe
      C:\Users\Admin\AppData\Roaming\xbee.exe
      4⤵
      Executes dropped EXE
      PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\xbee.exe

Filesize
128KB

MD5
6233238cfb59e299e284c1b149e05ec0

SHA1
0fc2ed2b9e9b980020b4a223065e45dd6d131aab

SHA256
0bf298900daaed98bd4d2c7a678a039dda4311d7ef2c5a9c772ea7d2f394684f

SHA512
f86be9dfbf4b1117ecafc378ad74e573709a9eeb95d87a107a53be7ec862721ee84277f4c3dd225661dcbc04bfdb9331fe686aa707620ce5c43a5f52ced86212

Download Submit
C:\Users\Admin\AppData\Roaming\xbee.exe

Filesize
128KB

MD5
6233238cfb59e299e284c1b149e05ec0

SHA1
0fc2ed2b9e9b980020b4a223065e45dd6d131aab

SHA256
0bf298900daaed98bd4d2c7a678a039dda4311d7ef2c5a9c772ea7d2f394684f

SHA512
f86be9dfbf4b1117ecafc378ad74e573709a9eeb95d87a107a53be7ec862721ee84277f4c3dd225661dcbc04bfdb9331fe686aa707620ce5c43a5f52ced86212

Download Submit
C:\Users\Admin\AppData\Roaming\xbee.exe

Filesize
128KB

MD5
6233238cfb59e299e284c1b149e05ec0

SHA1
0fc2ed2b9e9b980020b4a223065e45dd6d131aab

SHA256
0bf298900daaed98bd4d2c7a678a039dda4311d7ef2c5a9c772ea7d2f394684f

SHA512
f86be9dfbf4b1117ecafc378ad74e573709a9eeb95d87a107a53be7ec862721ee84277f4c3dd225661dcbc04bfdb9331fe686aa707620ce5c43a5f52ced86212

Download Submit
\Users\Admin\AppData\Roaming\xbee.exe

Filesize
128KB

MD5
6233238cfb59e299e284c1b149e05ec0

SHA1
0fc2ed2b9e9b980020b4a223065e45dd6d131aab

SHA256
0bf298900daaed98bd4d2c7a678a039dda4311d7ef2c5a9c772ea7d2f394684f

SHA512
f86be9dfbf4b1117ecafc378ad74e573709a9eeb95d87a107a53be7ec862721ee84277f4c3dd225661dcbc04bfdb9331fe686aa707620ce5c43a5f52ced86212

Download Submit
\Users\Admin\AppData\Roaming\xbee.exe

Filesize
128KB

MD5
6233238cfb59e299e284c1b149e05ec0

SHA1
0fc2ed2b9e9b980020b4a223065e45dd6d131aab

SHA256
0bf298900daaed98bd4d2c7a678a039dda4311d7ef2c5a9c772ea7d2f394684f

SHA512
f86be9dfbf4b1117ecafc378ad74e573709a9eeb95d87a107a53be7ec862721ee84277f4c3dd225661dcbc04bfdb9331fe686aa707620ce5c43a5f52ced86212

Download Submit
memory/1472-76-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1472-75-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1696-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1696-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1696-60-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1696-59-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/1696-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download