ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4

Analysis

max time kernel
90s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Size

786KB
MD5

40356d1c956ea718a1f69d42e43a04f0
SHA1

33866868f69916b64c7aa86dd7be87e8c54e5c58
SHA256

ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4
SHA512

29dcbfbc004339b4ab2ac3a88fdadf0170705576b4c3c91931cd1f3724967fa54a69a49dbd1139c93c359830f8ece90962e8b9cb83e3a0968ac232294d89746b
SSDEEP

24576:N7xW09uXqct8Kf68W6dDvX94m+k7qZ87UhJB7clI1:N7xW0vJKCF8DFb7lqJa21

Score

8^/10

discovery evasion persistence trojan

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe"	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe"	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe

Modifies registry class 34 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe"	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe"	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS\ = "0"	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe"	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0"	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0"	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject"	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib\ = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject"	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\ = "JSIELib"	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\ = "TinyJSObject Class"	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version\ = "1.0"	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4884	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4884	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
4884	ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe

C:\Users\Admin\AppData\Local\Temp\ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe
"C:\Users\Admin\AppData\Local\Temp\ab5e50dd43b3b53d0d874194be68648e0a97aeb5ac154578a4b33dc048bfaea4.exe"
1⤵
- Registers COM server for autorun
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4884-132-0x00000000031A0000-0x0000000003323000-memory.dmp

Filesize
1.5MB

Download
memory/4884-139-0x00000000031A0000-0x0000000003323000-memory.dmp

Filesize
1.5MB

Download
memory/4884-140-0x00000000031A0000-0x0000000003323000-memory.dmp

Filesize
1.5MB

Download
memory/4884-141-0x00000000031A0000-0x0000000003323000-memory.dmp

Filesize
1.5MB

Download