e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1

Analysis

max time kernel
45s
max time network
46s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe
Size

534KB
MD5

6b97b75dd6eb688db2934f2250ecc9f8
SHA1

49fc3a3e3164f8bae7eae1069b11fb99ec74fab2
SHA256

e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1
SHA512

6c377d76fe46f67ff97ed660b3c32140ddb4501dce08ecd1f783a0905a4eec2a689df2d010d6b83e4dfb0c1de84375d65674b937c7fc0d1823cbf09352bfa75a
SSDEEP

12288:1JZ7H7AQTmNBt8XlBLglAfNpQofcyw35139Gu:Vz7AQKNBtm/QoUN3A

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe

pid process

2204 e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UuxfIwopp = "regsvr32.exe \"C:\\ProgramData\\UuxfIwopp\\UuxfIwopp.dat\""	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe

Modifies registry class 2 IoCs

Processes:

e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{20EA0F00-77AD-4386-B24B-433F3C0D6454}	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{20EA0F00-77AD-4386-B24B-433F3C0D6454}\#sd = 433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c54656d705c653231366163303664306664653761346534633862353736343164396436663239323930333935333765336235333734356137373633353466353938666164312e65786500	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe

pid	process
2204	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe
2204	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe

description	pid	process
Token: SeCreateGlobalPrivilege	2204	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe
Token: SeDebugPrivilege	2204	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe

description	pid	process	target process
PID 2204 wrote to memory of 752	2204	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe	fontdrvhost.exe
PID 2204 wrote to memory of 752	2204	e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe	fontdrvhost.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe
"C:\Users\Admin\AppData\Local\Temp\e216ac06d0fde7a4e4c8b57641d9d6f2929039537e3b53745a776354f598fad1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\UuxfIwopp\UuxfIwopp.dat
Filesize
230KB

MD5
db5b4f5393ccac3c258ff3ef2426cf9f

SHA1
663850789045684209da01d5d752a0b34304e3b7

SHA256
05ce901af1a0ae28f0a20dda1c34c808eb7a4422fe7a9cb638cb097e7cacafaf

SHA512
a73c07af8a14f9be737890bed1e53a7a610726bb6636bc88f06383e84df5917a21a1238c3bc1c53e100ea3d78a7b6e8e5b77b1802319a658dcaa6ac6e6793154

Download Submit
memory/2204-132-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2204-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2204-136-0x0000000074560000-0x0000000074593000-memory.dmp

Filesize
204KB

Download