99ebfb872d9876925f166cb8aed920cf9a8bf23e549b808afa1aa59448a75c63

Analysis

max time kernel
164s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99ebfb872d9876925f166cb8aed920cf9a8bf23e549b808afa1aa59448a75c63.exe
Size

783KB
MD5

0ef1cf7eb7e04d7909e207cc13882c40
SHA1

d8dffe56820652bc54f995b4f6c974c3508e1c35
SHA256

99ebfb872d9876925f166cb8aed920cf9a8bf23e549b808afa1aa59448a75c63
SHA512

afda7d4b0ab3da5bf973689d5df15d2ca44bf4ad091c3cacd10e2cbe8e87b559ab9e3e0521bb58ef61901096a4856d0e3a970a6adba325995dea3eac4c562b98
SSDEEP

24576:/1Rt36NQ3fsCZtg2d50j1DegVrbRmBIie3jAG:/R6NQPsCZt3YYgZbUj0jX

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4908	setup.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3ee51a7e\\setup.exe"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3ee51a7e\\setup.exe"	setup.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\ = "JSIELib"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\ = "TinyJSObject Class"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3ee51a7e\\setup.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS\ = "0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3ee51a7e\\setup.exe"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3ee51a7e"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib\ = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3ee51a7e\\setup.exe"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\WOW6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version\ = "1.0"	setup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4908	setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4908	setup.exe
4908	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 4908	2700	99ebfb872d9876925f166cb8aed920cf9a8bf23e549b808afa1aa59448a75c63.exe	79
PID 2700 wrote to memory of 4908	2700	99ebfb872d9876925f166cb8aed920cf9a8bf23e549b808afa1aa59448a75c63.exe	79
PID 2700 wrote to memory of 4908	2700	99ebfb872d9876925f166cb8aed920cf9a8bf23e549b808afa1aa59448a75c63.exe	79

C:\Users\Admin\AppData\Local\Temp\99ebfb872d9876925f166cb8aed920cf9a8bf23e549b808afa1aa59448a75c63.exe
"C:\Users\Admin\AppData\Local\Temp\99ebfb872d9876925f166cb8aed920cf9a8bf23e549b808afa1aa59448a75c63.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\3ee51a7e\setup.exe
  "C:\Users\Admin\AppData\Local\Temp/3ee51a7e/setup.exe" ProfileFileName=step0.ini
  2⤵
  - Executes dropped EXE
  - Registers COM server for autorun
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3ee51a7e\installer\boot.dat

Filesize
1KB

MD5
006bb5d4955e8b539afc413eb10c183b

SHA1
2f7e9309271048f4beecddd3632c422d4ca19852

SHA256
136472a8f1212856a24f158aac4a9ec48e9109b025c984e3988c5a8cfcfe8837

SHA512
5e454355f1b2103973595eb8a5d01979405eb802a659fa13b890d032fff1321e5919c989bd4bd4cdd97d85d96851f8bbddeaa4485983eca8fc12482dcd805da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ee51a7e\installer\installer-config.dat

Filesize
4KB

MD5
9e81bb82a1ae6e9323fdc1d46a561904

SHA1
32de2c2c79b5a849e3a967e653ce372ae10a0142

SHA256
a8218daa14622cd1cd7e822c74aa686f87e0afca9ee41eb48d2ef8cc29add5ea

SHA512
10e356fe68090713ed85002c2a1f8afc52dcc06744c44cf0266b730089c05ac312640b92b66c086d4f1fbb8609fdeb4b34e393f32f11fafdfdadafa216cb83c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ee51a7e\installer\installer.dat

Filesize
34KB

MD5
545390d29b63954b7a3bdc5da8d5761d

SHA1
4d2a227fee05d6682f718fcb567825f4a04d2aa7

SHA256
90814e67da7cfb0826937ec935562d6f8663b64159ee8f9bd3dbc71cbe263c26

SHA512
bbf0869b4143fcb095e8d7f7dcc8dc2ae8ab6899317072f1af94ae51d393e583071cd4c96dd398c649747f0a072f664f825422a25457fec13809ce77b2212521

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ee51a7e\installer\new-screen.dat

Filesize
2KB

MD5
a569b2637d244040df5c07207724e5b5

SHA1
64bc7873c74e40ab794f4a49aa01079a70d00094

SHA256
081f00d28a89b52810e9f468719d2b3aa6aafbe81770cc658b63019d7166d511

SHA512
011a72ac621f84dbdf906c96e81c99d43c0476047261eeb31bd2679eba76eecf3bced3c2ebe7db5e1b9f6a46b4146151668b071f7597e866bffb2a7abb55bbee

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ee51a7e\installer\step0.ini

Filesize
16KB

MD5
ed22eba9af454e23da4297d8fc9764c3

SHA1
04f8b9105f0e09b12b23c9c40daab07aff95a0e1

SHA256
083fc2a999c9379d5d7a124f66315dbdc18ea5971537b71409c8bfb73c83ebf9

SHA512
dadef066496a4b64851a0559abde35e9ecf3d035f9db857883ec656f9c0a0cbec9a50225c0211cd6c484b8f3c93951dbc6275457a9ba85b72fa1100d927fd295

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ee51a7e\installer\step0.ini

Filesize
996B

MD5
0f0a89d9031f0b44f1efaca75002079a

SHA1
ac083a8a00c48ebd3fd3480edb9a2d68eb08dc2e

SHA256
e5e6709e6d06bca797a52d17792be27e729f75b635112f1bc64f6079a708ea8d

SHA512
f1b8fc572454dc6ee8af11561f7c14aecf47f1aa17a4acb149f6decef031d7ad5ec87c0e8d13a645313f77d613ad3dacb6edde56c4f22f3b90984d778177e818

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ee51a7e\setup.exe

Filesize
1.3MB

MD5
09814f775da3cb93cda28b18bacc1f98

SHA1
eeaf8388bba468f5317ff24a781d7257f891ee71

SHA256
4f98d731e973311f13c6c9f214624068d9eb83290de5422e0218ddd81dbb7432

SHA512
b81bd9bb1c56f5a9e03196d754833a1dc90cf260c2f040c8e0933c24f23ac011cbb74e9864d8b3a15a6509371ce5f59c64b7dac64b3148a02c7c69bc7f33c539

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ee51a7e\setup.exe

Filesize
1.3MB

MD5
09814f775da3cb93cda28b18bacc1f98

SHA1
eeaf8388bba468f5317ff24a781d7257f891ee71

SHA256
4f98d731e973311f13c6c9f214624068d9eb83290de5422e0218ddd81dbb7432

SHA512
b81bd9bb1c56f5a9e03196d754833a1dc90cf260c2f040c8e0933c24f23ac011cbb74e9864d8b3a15a6509371ce5f59c64b7dac64b3148a02c7c69bc7f33c539

Download Submit