913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb

Analysis

max time kernel
6s
max time network
7s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe
Size

369KB
MD5

b34f2b9affb33bfd5b0e614c98bc864f
SHA1

110b70ff3fe487de75344e1635752b5b850f7286
SHA256

913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb
SHA512

64a4c5f40ee84041a576f288d834a76a9b94ebf0b5081cd07576493d6cbb1cf82ea2411e5997e9f161d2890b4b25a9373061765a0d1af7a353d9511165801b6c
SSDEEP

6144:PNlwo1G9mdL7G8Oi0Fb2GuIKlbaTSPfYq5c+ClSTAVVD3s3G:PNBumZh09g/gqbiK

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe

pid process

1848 913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FudkaDrabu = "regsvr32.exe \"C:\\ProgramData\\FudkaDrabu\\FudkaDrabu.dat\""	913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe

Modifies registry class 2 IoCs

Processes:

913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{70D72ED6-49C4-472B-BD94-62ED1BD43E3B}	913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{70D72ED6-49C4-472B-BD94-62ED1BD43E3B}\#sd = 433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c54656d705c393133623134636639313838373932306634393464303966666163356339623139393237663533326562353332353432373966396238646465316332373865622e65786500	913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe

pid	process
1848	913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe
1848	913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe

description	pid	process
Token: SeCreateGlobalPrivilege	1848	913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe
Token: SeDebugPrivilege	1848	913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe

description	pid	process	target process
PID 1848 wrote to memory of 796	1848	913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe	fontdrvhost.exe
PID 1848 wrote to memory of 796	1848	913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe	fontdrvhost.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:796

C:\Users\Admin\AppData\Local\Temp\913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe
"C:\Users\Admin\AppData\Local\Temp\913b14cf91887920f494d09ffac5c9b19927f532eb53254279f9b8dde1c278eb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FudkaDrabu\FudkaDrabu.dat
Filesize
252KB

MD5
3a678acae920d7d7c28128eab541a80b

SHA1
857f960a3ee0db307b248f264e4bb02c4b4861e0

SHA256
80f5f0489f8080e5dfd955e6235210bba61c7ca8cb0a1457c328ed11cd5a9431

SHA512
d35ca5295435e230b0e3f2c364e9396e806aadb10e3032d1a35f5dde31689c60d0c2aad3d3eb4acae4b932c1ae734c8cdea735fe3a2b90378f11ae6cbba4809c

Download Submit
memory/1848-132-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1848-133-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1848-136-0x0000000075200000-0x0000000075268000-memory.dmp

Filesize
416KB

Download
memory/1848-137-0x0000000075200000-0x0000000075233000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads