bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1

Analysis

max time kernel
153s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe
Size

115KB
MD5

09a5d8071fdfd83f2fd7b723a5c15193
SHA1

6095c201f9c05aa94421c020499b945fda709d34
SHA256

bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1
SHA512

82bd0c21055d4501ed29e6c398fe8772b2e3226d8ab81c0ac78216075609d5cdc9216ebdeb6e2ffbe46cb884e2c8875b0fdbe66fc001f894ae58cbf5baedc982
SSDEEP

3072:GfVp/jp0hYkB+y5z83cRJbAERDaJVsPrFgVUfIqVkS:GtpEYW+y632JkEMsqeIqV

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Epthtl = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Epthtl.exe"	mspaint.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Epthtl = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Epthtl.exe"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Screen Saver Pro 3.1 = "C:\\Users\\Admin\\AppData\\Roaming\\ScreenSaverPro.scr"	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\D:	iexplore.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\D:	mspaint.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2952 set thread context of 5028	2952	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe	82

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30994883"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "374492491"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30994883"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2616213587"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30994883"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2648401451"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C47FDA63-5DB6-11ED-B696-4AA92575F981} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2616213587"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3064	mspaint.exe
3064	mspaint.exe
5028	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe
5028	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe
5028	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4220	IEXPLORE.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2952	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	5028	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe
Token: SeDebugPrivilege	2952	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe
Token: SeDebugPrivilege	3064	mspaint.exe
Token: SeDebugPrivilege	4496	svchost.exe
Token: SeDebugPrivilege	5004	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4220	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3064	mspaint.exe
3064	mspaint.exe
3064	mspaint.exe
3064	mspaint.exe
4220	IEXPLORE.EXE
4220	IEXPLORE.EXE
4072	IEXPLORE.EXE
4072	IEXPLORE.EXE
4072	IEXPLORE.EXE
4072	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 4496	2952	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe	81
PID 2952 wrote to memory of 4496	2952	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe	81
PID 2952 wrote to memory of 4496	2952	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe	81
PID 2952 wrote to memory of 4496	2952	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe	81
PID 2952 wrote to memory of 4496	2952	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe	81
PID 2952 wrote to memory of 4496	2952	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe	81
PID 2952 wrote to memory of 5028	2952	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe	82
PID 2952 wrote to memory of 5028	2952	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe	82
PID 2952 wrote to memory of 5028	2952	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe	82
PID 2952 wrote to memory of 5028	2952	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe	82
PID 2952 wrote to memory of 5028	2952	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe	82
PID 2952 wrote to memory of 5028	2952	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe	82
PID 2952 wrote to memory of 5028	2952	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe	82
PID 2952 wrote to memory of 5028	2952	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe	82
PID 2952 wrote to memory of 5028	2952	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe	82
PID 4496 wrote to memory of 3064	4496	svchost.exe	83
PID 4496 wrote to memory of 3064	4496	svchost.exe	83
PID 4496 wrote to memory of 3064	4496	svchost.exe	83
PID 5028 wrote to memory of 5004	5028	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe	87
PID 5028 wrote to memory of 5004	5028	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe	87
PID 5028 wrote to memory of 5004	5028	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe	87
PID 5004 wrote to memory of 4220	5004	iexplore.exe	88
PID 5004 wrote to memory of 4220	5004	iexplore.exe	88
PID 5028 wrote to memory of 2952	5028	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe	80
PID 5028 wrote to memory of 2952	5028	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe	80
PID 5028 wrote to memory of 4496	5028	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe	81
PID 5028 wrote to memory of 4496	5028	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe	81
PID 5028 wrote to memory of 3064	5028	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe	83
PID 5028 wrote to memory of 3064	5028	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe	83
PID 5028 wrote to memory of 5004	5028	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe	87
PID 5028 wrote to memory of 5004	5028	bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe	87
PID 4220 wrote to memory of 4072	4220	IEXPLORE.EXE	89
PID 4220 wrote to memory of 4072	4220	IEXPLORE.EXE	89
PID 4220 wrote to memory of 4072	4220	IEXPLORE.EXE	89

C:\Users\Admin\AppData\Local\Temp\bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe
"C:\Users\Admin\AppData\Local\Temp\bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\system32\mspaint.exe"
    3⤵
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3064
- C:\Users\Admin\AppData\Local\Temp\bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe
  "C:\Users\Admin\AppData\Local\Temp\bbe84e056b03e771e2f89deff57755b408c90e8aa04c5ce7b3173ba5a6a4c3f1.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Adds Run key to start application
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      4⤵
      Modifies Internet Explorer settings
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4220
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4220 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
2d2178c4ba2e01df79b6e787caecd70e

SHA1
32feba9571993a2bdccc68d6de1bdd68f82cfbf8

SHA256
ba9dee61d1e95e7b33bdf223da96a8348a890459853c5437cd7981520d43849d

SHA512
23d8a224158a47ed813aa0ffec86f915fe28eaed3612f0e93be64bef5bfe08044730a550a3b7546e131fc3810c39defd6602ef30ed2f058336b8e7c5b5cd238c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
4b637e590f6f227d18e4e35b6d709a72

SHA1
6f41d02fff4d86e7eb2e66883328294307ab933c

SHA256
f5e3d33293a542c7aea300892096ad286a6cbe424c11b985ba62c950fb8398a2

SHA512
d50d5d026ad297c9096db0a6135f204f17644e77c3053c016f51870ddc9eaeadad0c49324d620822ce940404466331828decdb138bcab50dcbcdfad67a1c14e6

Download Submit
memory/2952-145-0x0000000002710000-0x000000000275E000-memory.dmp

Filesize
312KB

Download
memory/2952-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-142-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-133-0x0000000002030000-0x0000000002045000-memory.dmp

Filesize
84KB

Download
memory/3064-149-0x0000000005A40000-0x0000000005A8E000-memory.dmp

Filesize
312KB

Download
memory/3064-147-0x0000000005A40000-0x0000000005A8E000-memory.dmp

Filesize
312KB

Download
memory/4496-146-0x0000000003200000-0x000000000324E000-memory.dmp

Filesize
312KB

Download
memory/4496-143-0x0000000000B40000-0x0000000000B61000-memory.dmp

Filesize
132KB

Download
memory/5028-144-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5028-141-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5028-148-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5028-138-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download