Analysis
max time kernel: 165s
max time network: 175s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 09:24
Static task: static1
Behavioral task: behavioral1
  Sample: 479200748de8926490fd2e41aaa0a4b710533e8d8f205bfbba9fba6416ca7731.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 479200748de8926490fd2e41aaa0a4b710533e8d8f205bfbba9fba6416ca7731.exe
  Resource: win10v2004-20221111-en
General
Target: 479200748de8926490fd2e41aaa0a4b710533e8d8f205bfbba9fba6416ca7731.exe
Size: 7.7MB
MD5: 626ca3c805656cb224a8979d8f3a5759
SHA1: ab79aa8261643739c6eb2810747fdf6fde5bef72
SHA256: 479200748de8926490fd2e41aaa0a4b710533e8d8f205bfbba9fba6416ca7731
SHA512: d1e2b853d1736a8ab61ab880f78417c311ddb27a59695cbb3fc2314f46c7c51b8dbbb1b45b610f913ee9ebf292da56a54ba71471f7bade6159275a7bc423b21f
SSDEEP: 196608:Lvi5h13yOdMV67aojkDkxCf0LgHSKDx96bwMhphUrBrPfg4:O5j3yO/aoJFgHSKDx0bvparBjfg4
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  1360  baprar.exe
  4480  free.exe

Sets service image path in registry (2 TTPs, 2 IoCs)
Processes:
  description      ioc                                                                                                                                    process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\free\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\2700.tmp\\free.sys"       baprar.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\baprar\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\2700.tmp\\baprar.sys"   baprar.exe

VMProtect packed file (yara rule matches)
Processes:
  resource                                                                         yara_rule
  C:\Users\Admin\AppData\Local\Temp\2700.tmp\free.exe                              vmprotect
  C:\Users\Admin\AppData\Local\Temp\2700.tmp\free.exe                              vmprotect
  behavioral2/memory/4480-139-0x00007FF7869B0000-0x00007FF78740F000-memory.dmp    vmprotect
  behavioral2/memory/4480-142-0x00007FF7869B0000-0x00007FF78740F000-memory.dmp    vmprotect
  behavioral2/memory/4480-143-0x00007FF7869B0000-0x00007FF78740F000-memory.dmp    vmprotect

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  4480  free.exe
  4480  free.exe

Suspicious behavior: LoadsDriver (1 IoCs)
Processes:
  pid   process
  1360  baprar.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                    pid   process
  Token: SeLoadDriverPrivilege   1360  baprar.exe
  Token: SeDebugPrivilege        4480  free.exe
  Token: SeLoadDriverPrivilege   4480  free.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                          pid   process                                                                  target process
  PID 3284 wrote to memory of 3112     3284  479200748de8926490fd2e41aaa0a4b710533e8d8f205bfbba9fba6416ca7731.exe  cmd.exe
  PID 3284 wrote to memory of 3112     3284  479200748de8926490fd2e41aaa0a4b710533e8d8f205bfbba9fba6416ca7731.exe  cmd.exe
  PID 3112 wrote to memory of 1360     3112  cmd.exe                                                                  baprar.exe
  PID 3112 wrote to memory of 1360     3112  cmd.exe                                                                  baprar.exe
  PID 3112 wrote to memory of 4480     3112  cmd.exe                                                                  free.exe
  PID 3112 wrote to memory of 4480     3112  cmd.exe                                                                  free.exe
Processes

C:\Users\Admin\AppData\Local\Temp\479200748de8926490fd2e41aaa0a4b710533e8d8f205bfbba9fba6416ca7731.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\479200748de8926490fd2e41aaa0a4b710533e8d8f205bfbba9fba6416ca7731.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2700.tmp\2701.tmp\2702.bat C:\Users\Admin\AppData\Local\Temp\479200748de8926490fd2e41aaa0a4b710533e8d8f205bfbba9fba6416ca7731.exe"
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\2700.tmp\baprar.exe
      Command line: baprar.exe baprar.sys free.sys
      - Executes dropped EXE
      - Sets service image path in registry
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\2700.tmp\free.exe
      Command line: free.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\2700.tmp\2701.tmp\2702.bat
  Filesize: 67B
  MD5: 60dd9f76d5186c9529b030698147ecf4
  SHA1: e9a7be9e9872bdea320dd108976dd33dff0686d1
  SHA256: 426fdf4e211c2a786ea51695a784babe5bcf59e5f72e796ec89b0a6c40e1ea03
  SHA512: 7fef023ab66172510c8516f7e8e24e494e17a8b973d7c8b080c2e95093452c281230e70a89876cea0d210ad1f7d0d0fbe7a84a840810509d9706cd90e2e87d5e

C:\Users\Admin\AppData\Local\Temp\2700.tmp\baprar.exe
  Filesize: 20KB
  MD5: 104d16826db9b10ed83dd119e410b9f5
  SHA1: f8f0468abaf481ab9590e7dd65f8c2ca3baf2aea
  SHA256: 9a097103785ddea1e9db97c2ac74347997913e705b0564be870c44704c36b604
  SHA512: 995babfb10713a422ba21fb009c394eb08ec06ca4394923d3efce37b3ca6fa18ef54563a17c2a503df12fbe8332bfb4b1808ba652b0e893556a4499898faab81

C:\Users\Admin\AppData\Local\Temp\2700.tmp\free.exe
  Filesize: 5.6MB
  MD5: 093d03dba3010b8a0085e6477460f3d8
  SHA1: bcf0aae36f38ff5bb2105ad7532c669986566a09
  SHA256: f17d046c287609b896807b483450be5461bc03bce7a0ece44866141168fa1342
  SHA512: b6a885d5dc34e5d59db68f6176af270aed979c379ca5c8ade0530f8eeccce5caa42f58feee4cbcacf5798938dd56bf69e4ca373c60663e305200de007111809d

memory/1360-134-0x0000000000000000-mapping.dmp

memory/3112-132-0x0000000000000000-mapping.dmp

memory/4480-136-0x0000000000000000-mapping.dmp

memory/4480-139-0x00007FF7869B0000-0x00007FF78740F000-memory.dmp
  Filesize: 10.4MB

memory/4480-142-0x00007FF7869B0000-0x00007FF78740F000-memory.dmp
  Filesize: 10.4MB

memory/4480-143-0x00007FF7869B0000-0x00007FF78740F000-memory.dmp
  Filesize: 10.4MB