453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729

Analysis

max time kernel
61s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe
Size

1.5MB
MD5

c2735466f57519e6dfa62ebc6bfab929
SHA1

72cf9a399d3ce85f85a5999b452d09ccee8a28ee
SHA256

453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729
SHA512

75afb44e470f041b1539c039a9c1769e771c95a0e5d96b9c99ad0fac0587748ff98930236310ae371836e9c0b6a23042cb79462529bdc65d6a5234b38dd8db35
SSDEEP

49152:lkwkn9IMHeauPlNh6HIHjRZ1bs/mNsolCsaPCS:ednVgNEoD+NPC

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe"	453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 checkip.dyndns.org

flow	ioc
10	checkip.dyndns.org

Drops file in Windows directory 8 IoCs

Processes:

453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe

description	ioc	process
File created	\??\c:\windows\fb\vimeo\bckgr.jpg	453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe
File opened for modification	\??\c:\windows\fb\vimeo\bckgr.jpg	453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe
File created	\??\c:\windows\fb\217.gif	453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe
File opened for modification	\??\c:\windows\fb\217.gif	453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe
File created	\??\c:\windows\fb\vimeo\service.ini	453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe
File opened for modification	\??\c:\windows\fb\vimeo\service.ini	453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe
File created	\??\c:\windows\fb\vimeo\names_lib.txt	453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe
File opened for modification	\??\c:\windows\fb\vimeo\names_lib.txt	453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe

pid	process
1884	453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe
1884	453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe
1884	453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe
1884	453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe

pid process

1884 453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe

description	pid	process
Token: 33	1884	453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe
Token: SeIncBasePriorityPrivilege	1884	453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe

C:\Users\Admin\AppData\Local\Temp\453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe
"C:\Users\Admin\AppData\Local\Temp\453fd5ec6d26370d891279af2abe43301c47ceaf8ff4c7a448192468e23dc729.exe"
1⤵
- UAC bypass
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads