9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0

Analysis

max time kernel
47s
max time network
90s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe
Size

409KB
MD5

35f9fc3d8ca341cd6f65189ce25be1c2
SHA1

cae0189d23c3b22bd0971fc0d194d88b59ce52bb
SHA256

9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0
SHA512

edabaceb82deb52048d85459b40f52f9ae3d5024aeb0a9461572b07a360cf8a78c0f488aa374c0208249cdfef437f1ca9e9d2a2f77ebe726df291aa3a2d56e87
SSDEEP

6144:YxFnLbgMJRd37/E/NsOdh+vTt7a6TNAVYkDHARU7fXCwXD93FSEqOoNvexyg:Yx1gMrdAxdkvTdT23gRULvSEINvRg

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe

pid process

2960 9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SameTafo = "regsvr32.exe \"C:\\ProgramData\\SameTafo\\SameTafo.dat\""	9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe

Modifies registry class 2 IoCs

Processes:

9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{6FDF7F7A-5193-49B9-8266-6FB231C31DDE}	9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{6FDF7F7A-5193-49B9-8266-6FB231C31DDE}\#sd = 433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c54656d705c393437316161313361633266653531343366363838613835636261636233663063653137393834353965353330613266393934623439623533323439623463302e65786500	9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe

pid	process
2960	9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe
2960	9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe

description	pid	process
Token: SeCreateGlobalPrivilege	2960	9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe
Token: SeDebugPrivilege	2960	9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe

description	pid	process	target process
PID 2960 wrote to memory of 772	2960	9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe	fontdrvhost.exe
PID 2960 wrote to memory of 772	2960	9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe	fontdrvhost.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:772

C:\Users\Admin\AppData\Local\Temp\9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe
"C:\Users\Admin\AppData\Local\Temp\9471aa13ac2fe5143f688a85cbacb3f0ce1798459e530a2f994b49b53249b4c0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SameTafo\SameTafo.dat

Filesize
276KB

MD5
1e74f0a3622261ab8072cd76f5f7bd89

SHA1
a534edb09915f95065d0f8379a18926583695715

SHA256
27ff45f4358c0f3ebb775fcbf205f785d24fb0070ffb04fc3ee24d83c1b1bb0e

SHA512
cb40f6c8b04d75a1b13ee48887e861a324bdc7a496a2cd83954a71af2d0dd5644532b3d4e5d2c377c5d87b02041736b5f9f0f59c6d08c21abf29f9cef5504fe0

Download Submit
memory/2960-132-0x00000000022D0000-0x00000000022F5000-memory.dmp

Filesize
148KB

Download
memory/2960-133-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2960-135-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download