efa404a23b3bc958a64e8fb1b254825c26d4fc44fa309e84020c7469ce67b24f

Analysis

max time kernel
159s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efa404a23b3bc958a64e8fb1b254825c26d4fc44fa309e84020c7469ce67b24f.exe
Size

308KB
MD5

46c01e4310cd73d9ae18ab5d70bab9b7
SHA1

527f48e8d02a2f688aa09a2aa47f2fa68d1c8167
SHA256

efa404a23b3bc958a64e8fb1b254825c26d4fc44fa309e84020c7469ce67b24f
SHA512

5510c137057dbab9f81dab660f1968836e4b3a470fe9d66b38ec5b7b133fc614da1f3157566147dfd485453c35d9ffc7f4b850942e24ee59f79d4e0da75ec2ac
SSDEEP

6144:kmEom2XZSIQjJPjowgabUKBu8EBRBsOmAFS0NMk6NOrk63:lm2XliJ7Zxu8EBzV1CK

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2072	keuke.exe
4052	keuke.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\Currentversion\Run	keuke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\Currentversion\Run	keuke.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Efcaysiqn = "C:\\Users\\Admin\\AppData\\Roaming\\Idufy\\keuke.exe"	keuke.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 516 set thread context of 3296	516	efa404a23b3bc958a64e8fb1b254825c26d4fc44fa309e84020c7469ce67b24f.exe	80
PID 2072 set thread context of 4052	2072	keuke.exe	83

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe
4052	keuke.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3296	efa404a23b3bc958a64e8fb1b254825c26d4fc44fa309e84020c7469ce67b24f.exe
Token: SeSecurityPrivilege	3296	efa404a23b3bc958a64e8fb1b254825c26d4fc44fa309e84020c7469ce67b24f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
516	efa404a23b3bc958a64e8fb1b254825c26d4fc44fa309e84020c7469ce67b24f.exe
2072	keuke.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 516 wrote to memory of 3296	516	efa404a23b3bc958a64e8fb1b254825c26d4fc44fa309e84020c7469ce67b24f.exe	80
PID 516 wrote to memory of 3296	516	efa404a23b3bc958a64e8fb1b254825c26d4fc44fa309e84020c7469ce67b24f.exe	80
PID 516 wrote to memory of 3296	516	efa404a23b3bc958a64e8fb1b254825c26d4fc44fa309e84020c7469ce67b24f.exe	80
PID 516 wrote to memory of 3296	516	efa404a23b3bc958a64e8fb1b254825c26d4fc44fa309e84020c7469ce67b24f.exe	80
PID 516 wrote to memory of 3296	516	efa404a23b3bc958a64e8fb1b254825c26d4fc44fa309e84020c7469ce67b24f.exe	80
PID 516 wrote to memory of 3296	516	efa404a23b3bc958a64e8fb1b254825c26d4fc44fa309e84020c7469ce67b24f.exe	80
PID 516 wrote to memory of 3296	516	efa404a23b3bc958a64e8fb1b254825c26d4fc44fa309e84020c7469ce67b24f.exe	80
PID 516 wrote to memory of 3296	516	efa404a23b3bc958a64e8fb1b254825c26d4fc44fa309e84020c7469ce67b24f.exe	80
PID 3296 wrote to memory of 2072	3296	efa404a23b3bc958a64e8fb1b254825c26d4fc44fa309e84020c7469ce67b24f.exe	81
PID 3296 wrote to memory of 2072	3296	efa404a23b3bc958a64e8fb1b254825c26d4fc44fa309e84020c7469ce67b24f.exe	81
PID 3296 wrote to memory of 2072	3296	efa404a23b3bc958a64e8fb1b254825c26d4fc44fa309e84020c7469ce67b24f.exe	81
PID 2072 wrote to memory of 4052	2072	keuke.exe	83
PID 2072 wrote to memory of 4052	2072	keuke.exe	83
PID 2072 wrote to memory of 4052	2072	keuke.exe	83
PID 2072 wrote to memory of 4052	2072	keuke.exe	83
PID 2072 wrote to memory of 4052	2072	keuke.exe	83
PID 2072 wrote to memory of 4052	2072	keuke.exe	83
PID 2072 wrote to memory of 4052	2072	keuke.exe	83
PID 2072 wrote to memory of 4052	2072	keuke.exe	83
PID 4052 wrote to memory of 2360	4052	keuke.exe	48
PID 4052 wrote to memory of 2360	4052	keuke.exe	48
PID 4052 wrote to memory of 2360	4052	keuke.exe	48
PID 4052 wrote to memory of 2360	4052	keuke.exe	48
PID 4052 wrote to memory of 2360	4052	keuke.exe	48
PID 3296 wrote to memory of 4596	3296	efa404a23b3bc958a64e8fb1b254825c26d4fc44fa309e84020c7469ce67b24f.exe	85
PID 3296 wrote to memory of 4596	3296	efa404a23b3bc958a64e8fb1b254825c26d4fc44fa309e84020c7469ce67b24f.exe	85
PID 3296 wrote to memory of 4596	3296	efa404a23b3bc958a64e8fb1b254825c26d4fc44fa309e84020c7469ce67b24f.exe	85
PID 4052 wrote to memory of 2372	4052	keuke.exe	47
PID 4052 wrote to memory of 2372	4052	keuke.exe	47
PID 4052 wrote to memory of 2372	4052	keuke.exe	47
PID 4052 wrote to memory of 2372	4052	keuke.exe	47
PID 4052 wrote to memory of 2372	4052	keuke.exe	47
PID 4052 wrote to memory of 2460	4052	keuke.exe	44
PID 4052 wrote to memory of 2460	4052	keuke.exe	44
PID 4052 wrote to memory of 2460	4052	keuke.exe	44
PID 4052 wrote to memory of 2460	4052	keuke.exe	44
PID 4052 wrote to memory of 2460	4052	keuke.exe	44
PID 4052 wrote to memory of 724	4052	keuke.exe	36
PID 4052 wrote to memory of 724	4052	keuke.exe	36
PID 4052 wrote to memory of 724	4052	keuke.exe	36
PID 4052 wrote to memory of 724	4052	keuke.exe	36
PID 4052 wrote to memory of 724	4052	keuke.exe	36
PID 4052 wrote to memory of 3088	4052	keuke.exe	35
PID 4052 wrote to memory of 3088	4052	keuke.exe	35
PID 4052 wrote to memory of 3088	4052	keuke.exe	35
PID 4052 wrote to memory of 3088	4052	keuke.exe	35
PID 4052 wrote to memory of 3088	4052	keuke.exe	35
PID 4052 wrote to memory of 3284	4052	keuke.exe	34
PID 4052 wrote to memory of 3284	4052	keuke.exe	34
PID 4052 wrote to memory of 3284	4052	keuke.exe	34
PID 4052 wrote to memory of 3284	4052	keuke.exe	34
PID 4052 wrote to memory of 3284	4052	keuke.exe	34
PID 4052 wrote to memory of 3380	4052	keuke.exe	33
PID 4052 wrote to memory of 3380	4052	keuke.exe	33
PID 4052 wrote to memory of 3380	4052	keuke.exe	33
PID 4052 wrote to memory of 3380	4052	keuke.exe	33
PID 4052 wrote to memory of 3380	4052	keuke.exe	33
PID 4052 wrote to memory of 3452	4052	keuke.exe	11
PID 4052 wrote to memory of 3452	4052	keuke.exe	11
PID 4052 wrote to memory of 3452	4052	keuke.exe	11
PID 4052 wrote to memory of 3452	4052	keuke.exe	11
PID 4052 wrote to memory of 3452	4052	keuke.exe	11
PID 4052 wrote to memory of 3540	4052	keuke.exe	32
PID 4052 wrote to memory of 3540	4052	keuke.exe	32

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\efa404a23b3bc958a64e8fb1b254825c26d4fc44fa309e84020c7469ce67b24f.exe
"C:\Users\Admin\AppData\Local\Temp\efa404a23b3bc958a64e8fb1b254825c26d4fc44fa309e84020c7469ce67b24f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:516
- C:\Users\Admin\AppData\Local\Temp\efa404a23b3bc958a64e8fb1b254825c26d4fc44fa309e84020c7469ce67b24f.exe
  "C:\Users\Admin\AppData\Local\Temp\efa404a23b3bc958a64e8fb1b254825c26d4fc44fa309e84020c7469ce67b24f.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Users\Admin\AppData\Roaming\Idufy\keuke.exe
    "C:\Users\Admin\AppData\Roaming\Idufy\keuke.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Users\Admin\AppData\Roaming\Idufy\keuke.exe
      "C:\Users\Admin\AppData\Roaming\Idufy\keuke.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpcbdca52f.bat"
    3⤵
    PID:4596

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4808

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3836

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3540

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3380

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3088

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:724

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2372

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpcbdca52f.bat

Filesize
307B

MD5
33fa5fb6b082cdad27a54e68dd66377a

SHA1
b24f6c845e58d88419cb2b34f762f44bbb2e711b

SHA256
86a203508830564272f3b63ec6249794b9f89452d4902c5fe93808f0d7be17cf

SHA512
c76efa8f05e702cd23120d6b3790e7c012d49d6a01d84934295278508f2b58acb6e33cd7c159f8c2a44a7a90ef93d3379f75d6b805a9af69c36cf198c3fb02c2

Download Submit
C:\Users\Admin\AppData\Roaming\Idufy\keuke.exe

Filesize
308KB

MD5
a41694a64220ef119af6b3915b2c01a2

SHA1
35f31f4d71264dbc8f466bcae8ce856f063ae518

SHA256
74882a8bbf248c7e79ef7188b044e9ef416cda6f5919a273f4f40c60bd6824dc

SHA512
411d1aade0d34c5a7f8b529ef782819f95ef30fca802137c4813e9bf0fa5ae8e09e55266aaae3a7ec9d10a976e5a58d569f94a4360456af784953d7b21dda6af

Download Submit
C:\Users\Admin\AppData\Roaming\Idufy\keuke.exe

Filesize
308KB

MD5
a41694a64220ef119af6b3915b2c01a2

SHA1
35f31f4d71264dbc8f466bcae8ce856f063ae518

SHA256
74882a8bbf248c7e79ef7188b044e9ef416cda6f5919a273f4f40c60bd6824dc

SHA512
411d1aade0d34c5a7f8b529ef782819f95ef30fca802137c4813e9bf0fa5ae8e09e55266aaae3a7ec9d10a976e5a58d569f94a4360456af784953d7b21dda6af

Download Submit
C:\Users\Admin\AppData\Roaming\Idufy\keuke.exe

Filesize
308KB

MD5
a41694a64220ef119af6b3915b2c01a2

SHA1
35f31f4d71264dbc8f466bcae8ce856f063ae518

SHA256
74882a8bbf248c7e79ef7188b044e9ef416cda6f5919a273f4f40c60bd6824dc

SHA512
411d1aade0d34c5a7f8b529ef782819f95ef30fca802137c4813e9bf0fa5ae8e09e55266aaae3a7ec9d10a976e5a58d569f94a4360456af784953d7b21dda6af

Download Submit
memory/516-134-0x00000000029E0000-0x00000000029E6000-memory.dmp

Filesize
24KB

Download
memory/3296-138-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3296-136-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3296-150-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3296-151-0x00000000021A0000-0x00000000021DB000-memory.dmp

Filesize
236KB

Download
memory/3296-152-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4052-148-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4052-155-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4596-154-0x0000000000510000-0x000000000054B000-memory.dmp

Filesize
236KB

Download