81eb7a1a8f2e4a01246852cab421df53e693c8c0e78612f731cb16fad210b3b0

Analysis

max time kernel
153s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81eb7a1a8f2e4a01246852cab421df53e693c8c0e78612f731cb16fad210b3b0.exe
Size

241KB
MD5

c7c1ed4cc182307b76b3bc01253cdd06
SHA1

b5fda2a62e340b5e4e4ba509316c844ab885b35d
SHA256

81eb7a1a8f2e4a01246852cab421df53e693c8c0e78612f731cb16fad210b3b0
SHA512

7d114b688c5f11d9f33951374dd10fb3eaa5fa826c3aaa042f6ff78daf9b7c02cbd2096b891cffa0fe0e6a17a7881d282c6da1caaf62e3790589fb5978844352
SSDEEP

3072:HDgnEdPvIvxywNCQoVeEeZaL8QwtVg6C7619nc7BSQP47n/E5pNFZHO2e0QKlPu9:scA1Cdfe4oQwtVi+TWYQQ7n/gpNTdGL

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4112	ceop.exe
2052	ceop.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\Currentversion\Run	ceop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\Currentversion\Run	ceop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gougix = "C:\\Users\\Admin\\AppData\\Roaming\\Bafuoz\\ceop.exe"	ceop.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4760 set thread context of 1448	4760	81eb7a1a8f2e4a01246852cab421df53e693c8c0e78612f731cb16fad210b3b0.exe	80
PID 4112 set thread context of 2052	4112	ceop.exe	82

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe
2052	ceop.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1448	81eb7a1a8f2e4a01246852cab421df53e693c8c0e78612f731cb16fad210b3b0.exe
Token: SeSecurityPrivilege	1448	81eb7a1a8f2e4a01246852cab421df53e693c8c0e78612f731cb16fad210b3b0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 1448	4760	81eb7a1a8f2e4a01246852cab421df53e693c8c0e78612f731cb16fad210b3b0.exe	80
PID 4760 wrote to memory of 1448	4760	81eb7a1a8f2e4a01246852cab421df53e693c8c0e78612f731cb16fad210b3b0.exe	80
PID 4760 wrote to memory of 1448	4760	81eb7a1a8f2e4a01246852cab421df53e693c8c0e78612f731cb16fad210b3b0.exe	80
PID 4760 wrote to memory of 1448	4760	81eb7a1a8f2e4a01246852cab421df53e693c8c0e78612f731cb16fad210b3b0.exe	80
PID 4760 wrote to memory of 1448	4760	81eb7a1a8f2e4a01246852cab421df53e693c8c0e78612f731cb16fad210b3b0.exe	80
PID 4760 wrote to memory of 1448	4760	81eb7a1a8f2e4a01246852cab421df53e693c8c0e78612f731cb16fad210b3b0.exe	80
PID 4760 wrote to memory of 1448	4760	81eb7a1a8f2e4a01246852cab421df53e693c8c0e78612f731cb16fad210b3b0.exe	80
PID 4760 wrote to memory of 1448	4760	81eb7a1a8f2e4a01246852cab421df53e693c8c0e78612f731cb16fad210b3b0.exe	80
PID 1448 wrote to memory of 4112	1448	81eb7a1a8f2e4a01246852cab421df53e693c8c0e78612f731cb16fad210b3b0.exe	81
PID 1448 wrote to memory of 4112	1448	81eb7a1a8f2e4a01246852cab421df53e693c8c0e78612f731cb16fad210b3b0.exe	81
PID 1448 wrote to memory of 4112	1448	81eb7a1a8f2e4a01246852cab421df53e693c8c0e78612f731cb16fad210b3b0.exe	81
PID 4112 wrote to memory of 2052	4112	ceop.exe	82
PID 4112 wrote to memory of 2052	4112	ceop.exe	82
PID 4112 wrote to memory of 2052	4112	ceop.exe	82
PID 4112 wrote to memory of 2052	4112	ceop.exe	82
PID 4112 wrote to memory of 2052	4112	ceop.exe	82
PID 4112 wrote to memory of 2052	4112	ceop.exe	82
PID 4112 wrote to memory of 2052	4112	ceop.exe	82
PID 4112 wrote to memory of 2052	4112	ceop.exe	82
PID 1448 wrote to memory of 4676	1448	81eb7a1a8f2e4a01246852cab421df53e693c8c0e78612f731cb16fad210b3b0.exe	83
PID 1448 wrote to memory of 4676	1448	81eb7a1a8f2e4a01246852cab421df53e693c8c0e78612f731cb16fad210b3b0.exe	83
PID 1448 wrote to memory of 4676	1448	81eb7a1a8f2e4a01246852cab421df53e693c8c0e78612f731cb16fad210b3b0.exe	83
PID 2052 wrote to memory of 2488	2052	ceop.exe	58
PID 2052 wrote to memory of 2488	2052	ceop.exe	58
PID 2052 wrote to memory of 2488	2052	ceop.exe	58
PID 2052 wrote to memory of 2488	2052	ceop.exe	58
PID 2052 wrote to memory of 2488	2052	ceop.exe	58
PID 2052 wrote to memory of 2528	2052	ceop.exe	56
PID 2052 wrote to memory of 2528	2052	ceop.exe	56
PID 2052 wrote to memory of 2528	2052	ceop.exe	56
PID 2052 wrote to memory of 2528	2052	ceop.exe	56
PID 2052 wrote to memory of 2528	2052	ceop.exe	56
PID 2052 wrote to memory of 2784	2052	ceop.exe	51
PID 2052 wrote to memory of 2784	2052	ceop.exe	51
PID 2052 wrote to memory of 2784	2052	ceop.exe	51
PID 2052 wrote to memory of 2784	2052	ceop.exe	51
PID 2052 wrote to memory of 2784	2052	ceop.exe	51
PID 2052 wrote to memory of 2016	2052	ceop.exe	25
PID 2052 wrote to memory of 2016	2052	ceop.exe	25
PID 2052 wrote to memory of 2016	2052	ceop.exe	25
PID 2052 wrote to memory of 2016	2052	ceop.exe	25
PID 2052 wrote to memory of 2016	2052	ceop.exe	25
PID 2052 wrote to memory of 3184	2052	ceop.exe	49
PID 2052 wrote to memory of 3184	2052	ceop.exe	49
PID 2052 wrote to memory of 3184	2052	ceop.exe	49
PID 2052 wrote to memory of 3184	2052	ceop.exe	49
PID 2052 wrote to memory of 3184	2052	ceop.exe	49
PID 2052 wrote to memory of 3412	2052	ceop.exe	48
PID 2052 wrote to memory of 3412	2052	ceop.exe	48
PID 2052 wrote to memory of 3412	2052	ceop.exe	48
PID 2052 wrote to memory of 3412	2052	ceop.exe	48
PID 2052 wrote to memory of 3412	2052	ceop.exe	48
PID 2052 wrote to memory of 3500	2052	ceop.exe	27
PID 2052 wrote to memory of 3500	2052	ceop.exe	27
PID 2052 wrote to memory of 3500	2052	ceop.exe	27
PID 2052 wrote to memory of 3500	2052	ceop.exe	27
PID 2052 wrote to memory of 3500	2052	ceop.exe	27
PID 2052 wrote to memory of 3584	2052	ceop.exe	26
PID 2052 wrote to memory of 3584	2052	ceop.exe	26
PID 2052 wrote to memory of 3584	2052	ceop.exe	26
PID 2052 wrote to memory of 3584	2052	ceop.exe	26
PID 2052 wrote to memory of 3584	2052	ceop.exe	26
PID 2052 wrote to memory of 3668	2052	ceop.exe	47
PID 2052 wrote to memory of 3668	2052	ceop.exe	47

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2016
- C:\Users\Admin\AppData\Local\Temp\81eb7a1a8f2e4a01246852cab421df53e693c8c0e78612f731cb16fad210b3b0.exe
  "C:\Users\Admin\AppData\Local\Temp\81eb7a1a8f2e4a01246852cab421df53e693c8c0e78612f731cb16fad210b3b0.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Users\Admin\AppData\Local\Temp\81eb7a1a8f2e4a01246852cab421df53e693c8c0e78612f731cb16fad210b3b0.exe
    C:\Users\Admin\AppData\Local\Temp\81eb7a1a8f2e4a01246852cab421df53e693c8c0e78612f731cb16fad210b3b0.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1448
  - - C:\Users\Admin\AppData\Roaming\Bafuoz\ceop.exe
      "C:\Users\Admin\AppData\Roaming\Bafuoz\ceop.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4112
    - - C:\Users\Admin\AppData\Roaming\Bafuoz\ceop.exe
        
        C:\Users\Admin\AppData\Roaming\Bafuoz\ceop.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2052
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe2ef4c9b.bat"
      4⤵
      PID:4676
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2608

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3584

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3500

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4744

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3840

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3668

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3184

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2528

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpe2ef4c9b.bat

Filesize
307B

MD5
9a1ef9357278574b0082e3d843e0fdfc

SHA1
31f261f341af394cc5c72de6fe1f44bc1d51428f

SHA256
84a9a27803171d3f15c495d7c9d93644970d25de8128a7b9a3009a68bc003700

SHA512
b65108d2ccc4eb7f92452a79698c5bbd7ad6315e1fcea70ce74826fd29ebdafb6bec89e9a7515e4c485b9f3fd033fcabd4b009e39ffce6b92f80f01fcdc82dab

Download Submit
C:\Users\Admin\AppData\Roaming\Bafuoz\ceop.exe

Filesize
241KB

MD5
9cb3924377aa59621f964569b49bd5ed

SHA1
91f9c671a908f472403bb859f2669df20c750ca6

SHA256
120c842568db17f49bbca9c22a85a9d63aa1f85ea34f8563f920a9b4b141cf9b

SHA512
a43d414ca3f82c6e167d27950ab7b98b384d457e77c64c9745d2c91a6f3c5433c1be6601852207c53924f44fcd572b6c3d1b3f2111380814cc1577327a44408e

Download Submit
C:\Users\Admin\AppData\Roaming\Bafuoz\ceop.exe

Filesize
241KB

MD5
9cb3924377aa59621f964569b49bd5ed

SHA1
91f9c671a908f472403bb859f2669df20c750ca6

SHA256
120c842568db17f49bbca9c22a85a9d63aa1f85ea34f8563f920a9b4b141cf9b

SHA512
a43d414ca3f82c6e167d27950ab7b98b384d457e77c64c9745d2c91a6f3c5433c1be6601852207c53924f44fcd572b6c3d1b3f2111380814cc1577327a44408e

Download Submit
C:\Users\Admin\AppData\Roaming\Bafuoz\ceop.exe

Filesize
241KB

MD5
9cb3924377aa59621f964569b49bd5ed

SHA1
91f9c671a908f472403bb859f2669df20c750ca6

SHA256
120c842568db17f49bbca9c22a85a9d63aa1f85ea34f8563f920a9b4b141cf9b

SHA512
a43d414ca3f82c6e167d27950ab7b98b384d457e77c64c9745d2c91a6f3c5433c1be6601852207c53924f44fcd572b6c3d1b3f2111380814cc1577327a44408e

Download Submit
memory/1448-135-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1448-133-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1448-139-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1448-145-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2052-148-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2052-149-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4676-147-0x0000000001140000-0x000000000117B000-memory.dmp

Filesize
236KB

Download