e84314bd8e6d16c5f759c5295b1561fa9c000cb3ee594dfa7b6dcc4fb4abb28d

Analysis

max time kernel
40s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e84314bd8e6d16c5f759c5295b1561fa9c000cb3ee594dfa7b6dcc4fb4abb28d.exe
Size

502KB
MD5

e9aacff08be163162dd01acaf2fe9e76
SHA1

430d77ec921c55bb03fd37716b96aee6992393df
SHA256

e84314bd8e6d16c5f759c5295b1561fa9c000cb3ee594dfa7b6dcc4fb4abb28d
SHA512

585c135c010766acf261c4db360bbc6f0625df4cbfb6b67edc0334fea625949e1568f9241f7dc3bcca2a6b2f2ce4b87215200b89cde42c74698be581bfe12853
SSDEEP

6144:vwpJeUzgDpp405g9D2SEu5901EpH+K3mME48D/QV07zvnNeMwt:YpJD8DppJ5gEijxpC44O0H1eDt

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

e84314bd8e6d16c5f759c5295b1561fa9c000cb3ee594dfa7b6dcc4fb4abb28d.exe

pid process

4492 e84314bd8e6d16c5f759c5295b1561fa9c000cb3ee594dfa7b6dcc4fb4abb28d.exe

pid	process
4492	e84314bd8e6d16c5f759c5295b1561fa9c000cb3ee594dfa7b6dcc4fb4abb28d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e84314bd8e6d16c5f759c5295b1561fa9c000cb3ee594dfa7b6dcc4fb4abb28d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	e84314bd8e6d16c5f759c5295b1561fa9c000cb3ee594dfa7b6dcc4fb4abb28d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FigeyGupne = "regsvr32.exe \"C:\\ProgramData\\FigeyGupne\\FigeyGupne.dat\""	e84314bd8e6d16c5f759c5295b1561fa9c000cb3ee594dfa7b6dcc4fb4abb28d.exe

Modifies registry class 2 IoCs

Processes:

e84314bd8e6d16c5f759c5295b1561fa9c000cb3ee594dfa7b6dcc4fb4abb28d.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\CLSID\{3E265648-41F0-4D39-814E-213413441538}\#sd = 433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c54656d705c653834333134626438653664313663356637353963353239356231353631666139633030306362336565353934646661376236646363346662346162623238642e65786500	e84314bd8e6d16c5f759c5295b1561fa9c000cb3ee594dfa7b6dcc4fb4abb28d.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\CLSID\{3E265648-41F0-4D39-814E-213413441538}	e84314bd8e6d16c5f759c5295b1561fa9c000cb3ee594dfa7b6dcc4fb4abb28d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e84314bd8e6d16c5f759c5295b1561fa9c000cb3ee594dfa7b6dcc4fb4abb28d.exe

description	pid	process
Token: SeCreateGlobalPrivilege	4492	e84314bd8e6d16c5f759c5295b1561fa9c000cb3ee594dfa7b6dcc4fb4abb28d.exe
Token: SeDebugPrivilege	4492	e84314bd8e6d16c5f759c5295b1561fa9c000cb3ee594dfa7b6dcc4fb4abb28d.exe

C:\Users\Admin\AppData\Local\Temp\e84314bd8e6d16c5f759c5295b1561fa9c000cb3ee594dfa7b6dcc4fb4abb28d.exe
"C:\Users\Admin\AppData\Local\Temp\e84314bd8e6d16c5f759c5295b1561fa9c000cb3ee594dfa7b6dcc4fb4abb28d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FigeyGupne\FigeyGupne.dat

Filesize
276KB

MD5
9f377051e601536bcaa0afcf611210e8

SHA1
acdf08c2913652d3b4dafd776c8e2ede524d527d

SHA256
e553b2f14c570fe458201284498ab5d78cbc7ca0dbaee7be322abdcde9868cbc

SHA512
ac79ce3ec7a128c4333122a00d85a828bfad4e895fce3719ee43f4d3379351cde9f2d42be3b4297e5ff6e99fd2178b9a68569ab21d5f9ade0b354e59cb08afe3

Download Submit
memory/4492-132-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4492-133-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4492-136-0x0000000010000000-0x000000001006E000-memory.dmp

Filesize
440KB

Download
memory/4492-137-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download