22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e

General

Target

22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe
Size

158KB
MD5

0f5787843f85e57c234f9a8eea3b5d17
SHA1

05d9981fd75129980ac61d67ef9f94c62d001f48
SHA256

22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e
SHA512

127fc1cbfe82e6d56971eab0b8c9bccfe7558849eb1e58b9c0e52e371d4ef20ce51b303ba968bdb750dc4e8a36cc1f4e6f7bfe601f58a785f2f139b6f71c7040
SSDEEP

3072:zLXk0tzeGD5/plkS1KXkqYqw3/NaSMuNbZdd0CLYA/qvbROp/:00tz3DSaKOqs13M+ZdtLYA6i

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

edavab.exeedavab.exe

pid process

324 edavab.exe
1396 edavab.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1780 netsh.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

992 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe

pid process

1368 22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe

pid	process
324	edavab.exe
1396	edavab.exe

pid	process
1780	netsh.exe

pid	process
992	cmd.exe

pid	process
1368	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

edavab.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	edavab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\{24661919-3D76-2F42-34C2-DA48159D2F00} = "C:\\Users\\Admin\\AppData\\Roaming\\Kebenyx\\edavab.exe"	edavab.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exeedavab.exe

description	pid	process	target process
PID 1992 set thread context of 1368	1992	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe
PID 324 set thread context of 1396	324	edavab.exe	edavab.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

edavab.exe

pid	process
1396	edavab.exe
1396	edavab.exe
1396	edavab.exe
1396	edavab.exe
1396	edavab.exe
1396	edavab.exe
1396	edavab.exe
1396	edavab.exe
1396	edavab.exe
1396	edavab.exe
1396	edavab.exe
1396	edavab.exe
1396	edavab.exe
1396	edavab.exe
1396	edavab.exe
1396	edavab.exe
1396	edavab.exe
1396	edavab.exe
1396	edavab.exe
1396	edavab.exe
1396	edavab.exe
1396	edavab.exe
1396	edavab.exe
1396	edavab.exe
1396	edavab.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe

description pid process

Token: SeSecurityPrivilege 1368 22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe

description	pid	process
Token: SeSecurityPrivilege	1368	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.execmd.exeedavab.exeedavab.exe

description	pid	process	target process
PID 1992 wrote to memory of 1368	1992	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe
PID 1992 wrote to memory of 1368	1992	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe
PID 1992 wrote to memory of 1368	1992	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe
PID 1992 wrote to memory of 1368	1992	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe
PID 1992 wrote to memory of 1368	1992	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe
PID 1992 wrote to memory of 1368	1992	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe
PID 1992 wrote to memory of 1368	1992	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe
PID 1992 wrote to memory of 1368	1992	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe
PID 1992 wrote to memory of 1368	1992	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe
PID 1368 wrote to memory of 664	1368	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe	cmd.exe
PID 1368 wrote to memory of 664	1368	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe	cmd.exe
PID 1368 wrote to memory of 664	1368	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe	cmd.exe
PID 1368 wrote to memory of 664	1368	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe	cmd.exe
PID 1368 wrote to memory of 324	1368	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe	edavab.exe
PID 1368 wrote to memory of 324	1368	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe	edavab.exe
PID 1368 wrote to memory of 324	1368	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe	edavab.exe
PID 1368 wrote to memory of 324	1368	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe	edavab.exe
PID 664 wrote to memory of 1780	664	cmd.exe	netsh.exe
PID 664 wrote to memory of 1780	664	cmd.exe	netsh.exe
PID 664 wrote to memory of 1780	664	cmd.exe	netsh.exe
PID 664 wrote to memory of 1780	664	cmd.exe	netsh.exe
PID 324 wrote to memory of 1396	324	edavab.exe	edavab.exe
PID 324 wrote to memory of 1396	324	edavab.exe	edavab.exe
PID 324 wrote to memory of 1396	324	edavab.exe	edavab.exe
PID 324 wrote to memory of 1396	324	edavab.exe	edavab.exe
PID 324 wrote to memory of 1396	324	edavab.exe	edavab.exe
PID 324 wrote to memory of 1396	324	edavab.exe	edavab.exe
PID 324 wrote to memory of 1396	324	edavab.exe	edavab.exe
PID 324 wrote to memory of 1396	324	edavab.exe	edavab.exe
PID 324 wrote to memory of 1396	324	edavab.exe	edavab.exe
PID 1368 wrote to memory of 992	1368	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe	cmd.exe
PID 1368 wrote to memory of 992	1368	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe	cmd.exe
PID 1368 wrote to memory of 992	1368	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe	cmd.exe
PID 1368 wrote to memory of 992	1368	22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe	cmd.exe
PID 1396 wrote to memory of 1108	1396	edavab.exe	taskhost.exe
PID 1396 wrote to memory of 1108	1396	edavab.exe	taskhost.exe
PID 1396 wrote to memory of 1108	1396	edavab.exe	taskhost.exe
PID 1396 wrote to memory of 1108	1396	edavab.exe	taskhost.exe
PID 1396 wrote to memory of 1108	1396	edavab.exe	taskhost.exe
PID 1396 wrote to memory of 1188	1396	edavab.exe	Dwm.exe
PID 1396 wrote to memory of 1188	1396	edavab.exe	Dwm.exe
PID 1396 wrote to memory of 1188	1396	edavab.exe	Dwm.exe
PID 1396 wrote to memory of 1188	1396	edavab.exe	Dwm.exe
PID 1396 wrote to memory of 1188	1396	edavab.exe	Dwm.exe
PID 1396 wrote to memory of 1248	1396	edavab.exe	Explorer.EXE
PID 1396 wrote to memory of 1248	1396	edavab.exe	Explorer.EXE
PID 1396 wrote to memory of 1248	1396	edavab.exe	Explorer.EXE
PID 1396 wrote to memory of 1248	1396	edavab.exe	Explorer.EXE
PID 1396 wrote to memory of 1248	1396	edavab.exe	Explorer.EXE
PID 1396 wrote to memory of 1812	1396	edavab.exe	DllHost.exe
PID 1396 wrote to memory of 1812	1396	edavab.exe	DllHost.exe
PID 1396 wrote to memory of 1812	1396	edavab.exe	DllHost.exe
PID 1396 wrote to memory of 1812	1396	edavab.exe	DllHost.exe
PID 1396 wrote to memory of 1812	1396	edavab.exe	DllHost.exe
PID 1396 wrote to memory of 944	1396	edavab.exe	DllHost.exe
PID 1396 wrote to memory of 944	1396	edavab.exe	DllHost.exe
PID 1396 wrote to memory of 944	1396	edavab.exe	DllHost.exe
PID 1396 wrote to memory of 944	1396	edavab.exe	DllHost.exe
PID 1396 wrote to memory of 944	1396	edavab.exe	DllHost.exe
PID 1396 wrote to memory of 1052	1396	edavab.exe	DllHost.exe
PID 1396 wrote to memory of 1052	1396	edavab.exe	DllHost.exe
PID 1396 wrote to memory of 1052	1396	edavab.exe	DllHost.exe
PID 1396 wrote to memory of 1052	1396	edavab.exe	DllHost.exe
PID 1396 wrote to memory of 1052	1396	edavab.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe
"C:\Users\Admin\AppData\Local\Temp\22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe
C:\Users\Admin\AppData\Local\Temp\22263fcaf8f353da2f9c444047f5571fa86a0d01b492ebff0a9958d3d82e936e.exe
3⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp270e04c9.bat"
4⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="explore" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Kebenyx\edavab.exe"
5⤵
- Modifies Windows Firewall
PID:1780

C:\Users\Admin\AppData\Roaming\Kebenyx\edavab.exe
"C:\Users\Admin\AppData\Roaming\Kebenyx\edavab.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:324

C:\Users\Admin\AppData\Roaming\Kebenyx\edavab.exe
C:\Users\Admin\AppData\Roaming\Kebenyx\edavab.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa2adea86.bat"
4⤵
- Deletes itself
PID:992

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1812

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:944

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp270e04c9.bat
Filesize
203B

MD5
7cdda5cfb1532c34119e6dae9da5ca4d

SHA1
46d2f6626ff67d9820bbea0ea8b34526b7f15cc0

SHA256
4c1f402645324970e56ac2b2307a48607ef1495268737764a369b4e3f53c3912

SHA512
b23c84061a0d15443d0494292568fe6699374ea44de84d219b48b9843ca23eb6e30888b2488c415aefcfd8aafcfc267bb5d304d5858536587c7a36be96fc628e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpa2adea86.bat
Filesize
307B

MD5
f68414d0c224e9f3df0338db615cf2da

SHA1
d3b392aa5f34255a0124fa6fc37a8b68c9b3a8ed

SHA256
4d85c4ac3d9697d06ce95c715038d7a43c875fed869d79a8328b906c9962c0cc

SHA512
ad21cfb944f7cd41295483b7e966f133b7d6489e879a5d51a123ac37d332dab54f7bf21ba22ad0733d11a26366dcc6323ed9225b75fb2612be3f94ade1f61d9b

Download Submit
C:\Users\Admin\AppData\Roaming\Kebenyx\edavab.exe
Filesize
158KB

MD5
d1ea6adef1bdac584eae5176445a6d8a

SHA1
80cc0f03b1a943ee27f63e88d2bbdfab9b389278

SHA256
d4e79c12d58d249272ff153e04c2d6dab065b6879233e7e6f8328eadbaf37622

SHA512
eb24027fafe4fdd57b1fb7a3e77d803776e18af7a2c7802f8f016deeedcf329d6071b5e45f5e146889f4f52df7d62de290583e4b4bbe6fdb2d9e002c75e6cf98

Download Submit
C:\Users\Admin\AppData\Roaming\Kebenyx\edavab.exe
Filesize
158KB

MD5
d1ea6adef1bdac584eae5176445a6d8a

SHA1
80cc0f03b1a943ee27f63e88d2bbdfab9b389278

SHA256
d4e79c12d58d249272ff153e04c2d6dab065b6879233e7e6f8328eadbaf37622

SHA512
eb24027fafe4fdd57b1fb7a3e77d803776e18af7a2c7802f8f016deeedcf329d6071b5e45f5e146889f4f52df7d62de290583e4b4bbe6fdb2d9e002c75e6cf98

Download Submit
C:\Users\Admin\AppData\Roaming\Kebenyx\edavab.exe
Filesize
158KB

MD5
d1ea6adef1bdac584eae5176445a6d8a

SHA1
80cc0f03b1a943ee27f63e88d2bbdfab9b389278

SHA256
d4e79c12d58d249272ff153e04c2d6dab065b6879233e7e6f8328eadbaf37622

SHA512
eb24027fafe4fdd57b1fb7a3e77d803776e18af7a2c7802f8f016deeedcf329d6071b5e45f5e146889f4f52df7d62de290583e4b4bbe6fdb2d9e002c75e6cf98

Download Submit
\Users\Admin\AppData\Roaming\Kebenyx\edavab.exe
Filesize
158KB

MD5
d1ea6adef1bdac584eae5176445a6d8a

SHA1
80cc0f03b1a943ee27f63e88d2bbdfab9b389278

SHA256
d4e79c12d58d249272ff153e04c2d6dab065b6879233e7e6f8328eadbaf37622

SHA512
eb24027fafe4fdd57b1fb7a3e77d803776e18af7a2c7802f8f016deeedcf329d6071b5e45f5e146889f4f52df7d62de290583e4b4bbe6fdb2d9e002c75e6cf98

Download Submit
memory/324-69-0x0000000000000000-mapping.dmp

Download
memory/664-67-0x0000000000000000-mapping.dmp

Download
memory/944-119-0x0000000001CF0000-0x0000000001D17000-memory.dmp

Filesize
156KB

Download
memory/944-117-0x0000000001CF0000-0x0000000001D17000-memory.dmp

Filesize
156KB

Download
memory/944-118-0x0000000001CF0000-0x0000000001D17000-memory.dmp

Filesize
156KB

Download
memory/944-120-0x0000000001CF0000-0x0000000001D17000-memory.dmp

Filesize
156KB

Download
memory/992-85-0x0000000000000000-mapping.dmp

Download
memory/1052-123-0x0000000000420000-0x0000000000447000-memory.dmp

Filesize
156KB

Download
memory/1052-124-0x0000000000420000-0x0000000000447000-memory.dmp

Filesize
156KB

Download
memory/1052-125-0x0000000000420000-0x0000000000447000-memory.dmp

Filesize
156KB

Download
memory/1052-126-0x0000000000420000-0x0000000000447000-memory.dmp

Filesize
156KB

Download
memory/1108-91-0x0000000001B40000-0x0000000001B67000-memory.dmp

Filesize
156KB

Download
memory/1108-92-0x0000000001B40000-0x0000000001B67000-memory.dmp

Filesize
156KB

Download
memory/1108-93-0x0000000001B40000-0x0000000001B67000-memory.dmp

Filesize
156KB

Download
memory/1108-94-0x0000000001B40000-0x0000000001B67000-memory.dmp

Filesize
156KB

Download
memory/1188-101-0x0000000001BC0000-0x0000000001BE7000-memory.dmp

Filesize
156KB

Download
memory/1188-99-0x0000000001BC0000-0x0000000001BE7000-memory.dmp

Filesize
156KB

Download
memory/1188-98-0x0000000001BC0000-0x0000000001BE7000-memory.dmp

Filesize
156KB

Download
memory/1188-100-0x0000000001BC0000-0x0000000001BE7000-memory.dmp

Filesize
156KB

Download
memory/1248-107-0x0000000002990000-0x00000000029B7000-memory.dmp

Filesize
156KB

Download
memory/1248-106-0x0000000002990000-0x00000000029B7000-memory.dmp

Filesize
156KB

Download
memory/1248-105-0x0000000002990000-0x00000000029B7000-memory.dmp

Filesize
156KB

Download
memory/1248-104-0x0000000002990000-0x00000000029B7000-memory.dmp

Filesize
156KB

Download
memory/1368-66-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1368-55-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1368-86-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1368-56-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1368-58-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1368-59-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1368-61-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1368-62-0x000000000040E0F1-mapping.dmp

Download
memory/1368-65-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1396-82-0x000000000040E0F1-mapping.dmp

Download
memory/1396-108-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1780-73-0x0000000000000000-mapping.dmp

Download
memory/1812-114-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1812-113-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1812-112-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1812-111-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1992-54-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads