fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642

Analysis

max time kernel
11s
max time network
27s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe
Size

376KB
MD5

344445e567c46fa7afb6a53bfb13ac3f
SHA1

d610a4649d9c47fb2efe12b16158ba5262398bdd
SHA256

fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642
SHA512

537205e5ad00625eebad5dddeda4b2cceb228be09d6a4209e9fb5b490560ffcb86fe280235ca37653fb8df94463aad6a30b5062a3a661c9826f5c12f61a92f63
SSDEEP

6144:KAwhHMZ1iPD9TRvA6HRpLCd2+CavQFX152HhPtH:K/hi1ipTu6xwpIFD2Ft

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe

pid process

3436 fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AaheKepv = "regsvr32.exe \"C:\\ProgramData\\AaheKepv\\AaheKepv.dat\""	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe

Modifies registry class 2 IoCs

Processes:

fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{656875D9-084C-4BCD-BE2F-0809006F3A86}	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{656875D9-084C-4BCD-BE2F-0809006F3A86}\#sd = 433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c54656d705c666363613430386564386435316263356662383839303662323165633232336132376464663237396432613666303538396163353733356330643738653634322e65786500	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe

pid	process
3436	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe
3436	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe

description	pid	process
Token: SeCreateGlobalPrivilege	3436	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe
Token: SeDebugPrivilege	3436	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe

description	pid	process	target process
PID 3436 wrote to memory of 760	3436	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe	fontdrvhost.exe
PID 3436 wrote to memory of 760	3436	fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe	fontdrvhost.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe
"C:\Users\Admin\AppData\Local\Temp\fcca408ed8d51bc5fb88906b21ec223a27ddf279d2a6f0589ac5735c0d78e642.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AaheKepv\AaheKepv.dat

Filesize
253KB

MD5
b4b7a9a783dbe7cc2bb0559ca9d48d58

SHA1
55e7adb825f6ef6c61494e19efaf9027f6f8a6cc

SHA256
0102c0f39d8c7843cd734cec173c36d03218f5f08d52a30635dbb2aa77674806

SHA512
76b0bd2217fb8207baaf752180c001a2ec2f3436c594d37a7c2e8305806168d92559bd3fe544950425d9af55786626800aecc3e154daef5c1a86f46a260bb7ba

Download Submit
memory/3436-132-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3436-133-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3436-136-0x0000000074F50000-0x0000000074F83000-memory.dmp

Filesize
204KB

Download