83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614

Analysis

max time kernel
165s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe
Size

168KB
MD5

ecc8daa9c96bd99c1419ebeea32b1b67
SHA1

c3f4924a4f5e03f9016381869e9d1b7e35a5d5ec
SHA256

83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614
SHA512

cfd64fc43dba20252db55e2f11c107aed10ff3ace8500f7dd679f1ca75d149f39cbd5669fb2dfdb2c7cb9326e000a90800866724057a924174b4c888fadfd60f
SSDEEP

3072:7Lg95BKAUeKMKk4oIOA2CY1Qrz4+JSVwGj9vjjZ4FKtkN6EWwKXWH+/snyJs/xuz:7Lg95tUbk7IOFyrcHVwGJLl4FJN5SmHt

Score

8^/10

persistence

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{8dceb85e-8508-ee5b-cccc-98a6b145e6ef}\\n."	83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{8dceb85e-8508-ee5b-cccc-98a6b145e6ef}\\n."	83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\clsid	83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}	83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4192	83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe
4192	83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe
4192	83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe
4192	83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe
4192	83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe
4192	83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe
4192	83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe
4192	83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2804	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4192	83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe
Token: SeDebugPrivilege	4192	83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe
Token: SeDebugPrivilege	4192	83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 2804	4192	83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe	37
PID 4192 wrote to memory of 2804	4192	83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe	37

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2804
- C:\Users\Admin\AppData\Local\Temp\83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe
  "C:\Users\Admin\AppData\Local\Temp\83baf992a37a10a99b6f5cfc9b9ae2600fff57248fb584590f8c04fc9c52c614.exe"
  2⤵
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2804-134-0x00000000006F0000-0x00000000006FC000-memory.dmp

Filesize
48KB

Download
memory/4192-132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4192-133-0x0000000002050000-0x0000000002086000-memory.dmp

Filesize
216KB

Download
memory/4192-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download