d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560

Analysis

max time kernel
163s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2022 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe
Size

261KB
MD5

40bacc2a14f96df432eaf6427353a84d
SHA1

725676d96a957828af4f8b8d77ea31a5ddb8082b
SHA256

d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560
SHA512

acca8e6e9c971e4195c0f43e97ff5d37fdd04ede934b904ca3489898f23d869bf1cd56c24917d080b003d13ce2ed319b54789e7ccc90121e24abafcb227bce04
SSDEEP

3072:8Z/S0A2TcuWTnTn43rXCxOoeiJFu/xCGHZMUBjlW7U2xQ8zEOC11jry:uTtm2W4oX0CG+EIvi8zA11H

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2164	udnie.exe
4804	udnie.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run	udnie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Udnie = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ecor\\udnie.exe"	udnie.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4740 set thread context of 2008	4740	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	84
PID 2164 set thread context of 4804	2164	udnie.exe	86

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2008	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe
2008	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe
4804	udnie.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 2008	4740	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	84
PID 4740 wrote to memory of 2008	4740	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	84
PID 4740 wrote to memory of 2008	4740	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	84
PID 4740 wrote to memory of 2008	4740	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	84
PID 4740 wrote to memory of 2008	4740	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	84
PID 4740 wrote to memory of 2008	4740	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	84
PID 4740 wrote to memory of 2008	4740	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	84
PID 4740 wrote to memory of 2008	4740	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	84
PID 4740 wrote to memory of 2008	4740	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	84
PID 2008 wrote to memory of 2164	2008	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	85
PID 2008 wrote to memory of 2164	2008	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	85
PID 2008 wrote to memory of 2164	2008	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	85
PID 2164 wrote to memory of 4804	2164	udnie.exe	86
PID 2164 wrote to memory of 4804	2164	udnie.exe	86
PID 2164 wrote to memory of 4804	2164	udnie.exe	86
PID 2164 wrote to memory of 4804	2164	udnie.exe	86
PID 2164 wrote to memory of 4804	2164	udnie.exe	86
PID 2164 wrote to memory of 4804	2164	udnie.exe	86
PID 2164 wrote to memory of 4804	2164	udnie.exe	86
PID 2164 wrote to memory of 4804	2164	udnie.exe	86
PID 2164 wrote to memory of 4804	2164	udnie.exe	86
PID 4804 wrote to memory of 2456	4804	udnie.exe	45
PID 4804 wrote to memory of 2456	4804	udnie.exe	45
PID 4804 wrote to memory of 2456	4804	udnie.exe	45
PID 4804 wrote to memory of 2456	4804	udnie.exe	45
PID 4804 wrote to memory of 2456	4804	udnie.exe	45
PID 4804 wrote to memory of 2532	4804	udnie.exe	44
PID 4804 wrote to memory of 2532	4804	udnie.exe	44
PID 4804 wrote to memory of 2532	4804	udnie.exe	44
PID 4804 wrote to memory of 2532	4804	udnie.exe	44
PID 4804 wrote to memory of 2532	4804	udnie.exe	44
PID 4804 wrote to memory of 2788	4804	udnie.exe	41
PID 4804 wrote to memory of 2788	4804	udnie.exe	41
PID 4804 wrote to memory of 2788	4804	udnie.exe	41
PID 4804 wrote to memory of 2788	4804	udnie.exe	41
PID 4804 wrote to memory of 2788	4804	udnie.exe	41
PID 4804 wrote to memory of 2704	4804	udnie.exe	39
PID 4804 wrote to memory of 2704	4804	udnie.exe	39
PID 4804 wrote to memory of 2704	4804	udnie.exe	39
PID 4804 wrote to memory of 2704	4804	udnie.exe	39
PID 4804 wrote to memory of 2704	4804	udnie.exe	39
PID 4804 wrote to memory of 2904	4804	udnie.exe	38
PID 4804 wrote to memory of 2904	4804	udnie.exe	38
PID 4804 wrote to memory of 2904	4804	udnie.exe	38
PID 4804 wrote to memory of 2904	4804	udnie.exe	38
PID 4804 wrote to memory of 2904	4804	udnie.exe	38
PID 4804 wrote to memory of 3264	4804	udnie.exe	37
PID 4804 wrote to memory of 3264	4804	udnie.exe	37
PID 4804 wrote to memory of 3264	4804	udnie.exe	37
PID 4804 wrote to memory of 3264	4804	udnie.exe	37
PID 4804 wrote to memory of 3264	4804	udnie.exe	37
PID 4804 wrote to memory of 3364	4804	udnie.exe	36
PID 4804 wrote to memory of 3364	4804	udnie.exe	36
PID 4804 wrote to memory of 3364	4804	udnie.exe	36
PID 4804 wrote to memory of 3364	4804	udnie.exe	36
PID 4804 wrote to memory of 3364	4804	udnie.exe	36
PID 4804 wrote to memory of 3428	4804	udnie.exe	11
PID 4804 wrote to memory of 3428	4804	udnie.exe	11
PID 4804 wrote to memory of 3428	4804	udnie.exe	11
PID 4804 wrote to memory of 3428	4804	udnie.exe	11
PID 4804 wrote to memory of 3428	4804	udnie.exe	11
PID 4804 wrote to memory of 3516	4804	udnie.exe	35
PID 4804 wrote to memory of 3516	4804	udnie.exe	35
PID 4804 wrote to memory of 3516	4804	udnie.exe	35

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3428

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1044

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1456

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1472

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:5092

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4628

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3696

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3516

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3364

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2904

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2704
- C:\Users\Admin\AppData\Local\Temp\d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe
  "C:\Users\Admin\AppData\Local\Temp\d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Users\Admin\AppData\Local\Temp\d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe
    "C:\Users\Admin\AppData\Local\Temp\d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Users\Admin\AppData\Local\Temp\Ecor\udnie.exe
      "C:\Users\Admin\AppData\Local\Temp\Ecor\udnie.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2164
    - - C:\Users\Admin\AppData\Local\Temp\Ecor\udnie.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ecor\udnie.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4804
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ACSF21E.bat"
      4⤵
      PID:2372
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:208

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2532

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2456

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:620

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2428

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ACSF21E.bat

Filesize
278B

MD5
076a8f3d2cbde60323b794a813d0ce98

SHA1
6d4f0657795ad9ebc7166f053c8a9c38c2abd60a

SHA256
c3b1997509a977723e378769ec10cacb293873b486686c8ea034de23e30e74be

SHA512
b650973469a7e6fa14ee3a15e851287ff324fefec55bc14627baa6f4d2946d653a2f3ae689ffe596094956d5425a2890906cd8d19af354f120ff51948373dee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ecor\udnie.exe

Filesize
261KB

MD5
be6d88380b0e5127aef49aeab7d1fcc2

SHA1
b71eb31e053434ab8642175d7e6b24b4553de389

SHA256
c3b8025c5eb7b5b6c1a920dc6347d4760cca16a523a46135b3822a54fbd120c1

SHA512
ff035be741335c2d459188d70f269e08ea856d5247dda2b0331b5494c003dd5ca461f2b48c76c636eee5635cfcf2c43070c2687ce9f687b8bdf22a99176e92cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ecor\udnie.exe

Filesize
261KB

MD5
be6d88380b0e5127aef49aeab7d1fcc2

SHA1
b71eb31e053434ab8642175d7e6b24b4553de389

SHA256
c3b8025c5eb7b5b6c1a920dc6347d4760cca16a523a46135b3822a54fbd120c1

SHA512
ff035be741335c2d459188d70f269e08ea856d5247dda2b0331b5494c003dd5ca461f2b48c76c636eee5635cfcf2c43070c2687ce9f687b8bdf22a99176e92cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ecor\udnie.exe

Filesize
261KB

MD5
be6d88380b0e5127aef49aeab7d1fcc2

SHA1
b71eb31e053434ab8642175d7e6b24b4553de389

SHA256
c3b8025c5eb7b5b6c1a920dc6347d4760cca16a523a46135b3822a54fbd120c1

SHA512
ff035be741335c2d459188d70f269e08ea856d5247dda2b0331b5494c003dd5ca461f2b48c76c636eee5635cfcf2c43070c2687ce9f687b8bdf22a99176e92cc

Download Submit
memory/2008-134-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2008-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2008-138-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2008-139-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2008-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2008-150-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2164-147-0x0000000074CE0000-0x0000000075291000-memory.dmp

Filesize
5.7MB

Download
memory/2372-151-0x0000000000600000-0x0000000000642000-memory.dmp

Filesize
264KB

Download
memory/4740-137-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download
memory/4740-132-0x0000000074D70000-0x0000000075321000-memory.dmp

Filesize
5.7MB

Download
memory/4804-145-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4804-148-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4804-146-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4804-153-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download