85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a

Analysis

max time kernel
178s
max time network
215s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a.exe
Size

253KB
MD5

70b2911cee828ed477d951a981657612
SHA1

5559510894e94c2c055c13dfa8c468ce48595fd6
SHA256

85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a
SHA512

a7dc706ad86e1ad73c0cf86350070ad0e6cf5e9baddebc92477e4dced1718d7e51dd4c4ece58e5ad279f759af805a2bb92a3fe40f54d28959ffe1fd2b759ffd9
SSDEEP

3072:1QPtaJwQWxmTe7dFVyUIYqiyeeWMIILPnBEhjQBNCSanYyZgpJnTsqnbaldBYhi1:+1aJ3WVdFQL1TTOFQBNE5ZgLnTnWP53/

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
268	nawe.exe
1468	nawe.exe

Deletes itself 1 IoCs

pid	Process
1812	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
864	85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a.exe
864	85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	nawe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ciibwy = "C:\\Users\\Admin\\AppData\\Roaming\\Icduer\\nawe.exe"	nawe.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1108 set thread context of 864	1108	85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a.exe	28
PID 268 set thread context of 1468	268	nawe.exe	30

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe
1468	nawe.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	864	85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a.exe
Token: SeSecurityPrivilege	864	85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 864	1108	85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a.exe	28
PID 1108 wrote to memory of 864	1108	85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a.exe	28
PID 1108 wrote to memory of 864	1108	85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a.exe	28
PID 1108 wrote to memory of 864	1108	85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a.exe	28
PID 1108 wrote to memory of 864	1108	85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a.exe	28
PID 1108 wrote to memory of 864	1108	85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a.exe	28
PID 1108 wrote to memory of 864	1108	85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a.exe	28
PID 1108 wrote to memory of 864	1108	85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a.exe	28
PID 1108 wrote to memory of 864	1108	85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a.exe	28
PID 864 wrote to memory of 268	864	85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a.exe	29
PID 864 wrote to memory of 268	864	85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a.exe	29
PID 864 wrote to memory of 268	864	85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a.exe	29
PID 864 wrote to memory of 268	864	85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a.exe	29
PID 268 wrote to memory of 1468	268	nawe.exe	30
PID 268 wrote to memory of 1468	268	nawe.exe	30
PID 268 wrote to memory of 1468	268	nawe.exe	30
PID 268 wrote to memory of 1468	268	nawe.exe	30
PID 268 wrote to memory of 1468	268	nawe.exe	30
PID 268 wrote to memory of 1468	268	nawe.exe	30
PID 268 wrote to memory of 1468	268	nawe.exe	30
PID 268 wrote to memory of 1468	268	nawe.exe	30
PID 268 wrote to memory of 1468	268	nawe.exe	30
PID 1468 wrote to memory of 1132	1468	nawe.exe	17
PID 1468 wrote to memory of 1132	1468	nawe.exe	17
PID 1468 wrote to memory of 1132	1468	nawe.exe	17
PID 1468 wrote to memory of 1132	1468	nawe.exe	17
PID 1468 wrote to memory of 1132	1468	nawe.exe	17
PID 1468 wrote to memory of 1192	1468	nawe.exe	16
PID 1468 wrote to memory of 1192	1468	nawe.exe	16
PID 1468 wrote to memory of 1192	1468	nawe.exe	16
PID 1468 wrote to memory of 1192	1468	nawe.exe	16
PID 1468 wrote to memory of 1192	1468	nawe.exe	16
PID 1468 wrote to memory of 1268	1468	nawe.exe	15
PID 1468 wrote to memory of 1268	1468	nawe.exe	15
PID 1468 wrote to memory of 1268	1468	nawe.exe	15
PID 1468 wrote to memory of 1268	1468	nawe.exe	15
PID 1468 wrote to memory of 1268	1468	nawe.exe	15
PID 1468 wrote to memory of 864	1468	nawe.exe	28
PID 1468 wrote to memory of 864	1468	nawe.exe	28
PID 1468 wrote to memory of 864	1468	nawe.exe	28
PID 1468 wrote to memory of 864	1468	nawe.exe	28
PID 1468 wrote to memory of 864	1468	nawe.exe	28
PID 864 wrote to memory of 1812	864	85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a.exe	31
PID 864 wrote to memory of 1812	864	85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a.exe	31
PID 864 wrote to memory of 1812	864	85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a.exe	31
PID 864 wrote to memory of 1812	864	85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a.exe	31
PID 1468 wrote to memory of 1812	1468	nawe.exe	31
PID 1468 wrote to memory of 1812	1468	nawe.exe	31
PID 1468 wrote to memory of 1688	1468	nawe.exe	33
PID 1468 wrote to memory of 1688	1468	nawe.exe	33
PID 1468 wrote to memory of 1688	1468	nawe.exe	33
PID 1468 wrote to memory of 1688	1468	nawe.exe	33
PID 1468 wrote to memory of 1688	1468	nawe.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268
- C:\Users\Admin\AppData\Local\Temp\85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a.exe
  "C:\Users\Admin\AppData\Local\Temp\85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Users\Admin\AppData\Local\Temp\85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a.exe
    "C:\Users\Admin\AppData\Local\Temp\85dcda24c38b94b1c7fecaa00d8ba604b50edce41d9a6b68e1584dc0fc4a4a1a.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Users\Admin\AppData\Roaming\Icduer\nawe.exe
      "C:\Users\Admin\AppData\Roaming\Icduer\nawe.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:268
    - - C:\Users\Admin\AppData\Roaming\Icduer\nawe.exe
        
        "C:\Users\Admin\AppData\Roaming\Icduer\nawe.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1468
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe70f5c4d.bat"
      4⤵
      Deletes itself
      PID:1812

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpe70f5c4d.bat

Filesize
307B

MD5
fe8d61a67cb576d773d09772842c97b9

SHA1
448203b99535a166d6440b739b994be12ae293d9

SHA256
1ec1d1cf795bc61221850bd6dea3b6bf019c85c3cbedbf5c4a1b9835966291b1

SHA512
3718d17b90bc1e7c355ce83afe03560e53416380c43ed63bec4ef55a73abc46decdb199c26aa1cba27d24b44f78e4f9041983afe4194373bb51b71494e59ba74

Download Submit
C:\Users\Admin\AppData\Roaming\Icduer\nawe.exe

Filesize
253KB

MD5
a96f97df679dc3f4c68ef686c005abb6

SHA1
e082ff345a8660078d1978946f37c7e0363d104d

SHA256
7ca37b0f4ec9709c52f7ecccc82c54114b44c8e33aa6033c2dd175d326452b03

SHA512
d3d4ca9c89e545d481d6991f18a19a34dc32c6d638f34955e7c8a4ccf3a597c205d37f01df0feb0b37052a978f8d9674107a8960a414d3a834a303c461b34b2c

Download Submit
C:\Users\Admin\AppData\Roaming\Icduer\nawe.exe

Filesize
253KB

MD5
a96f97df679dc3f4c68ef686c005abb6

SHA1
e082ff345a8660078d1978946f37c7e0363d104d

SHA256
7ca37b0f4ec9709c52f7ecccc82c54114b44c8e33aa6033c2dd175d326452b03

SHA512
d3d4ca9c89e545d481d6991f18a19a34dc32c6d638f34955e7c8a4ccf3a597c205d37f01df0feb0b37052a978f8d9674107a8960a414d3a834a303c461b34b2c

Download Submit
C:\Users\Admin\AppData\Roaming\Icduer\nawe.exe

Filesize
253KB

MD5
a96f97df679dc3f4c68ef686c005abb6

SHA1
e082ff345a8660078d1978946f37c7e0363d104d

SHA256
7ca37b0f4ec9709c52f7ecccc82c54114b44c8e33aa6033c2dd175d326452b03

SHA512
d3d4ca9c89e545d481d6991f18a19a34dc32c6d638f34955e7c8a4ccf3a597c205d37f01df0feb0b37052a978f8d9674107a8960a414d3a834a303c461b34b2c

Download Submit
\Users\Admin\AppData\Roaming\Icduer\nawe.exe

Filesize
253KB

MD5
a96f97df679dc3f4c68ef686c005abb6

SHA1
e082ff345a8660078d1978946f37c7e0363d104d

SHA256
7ca37b0f4ec9709c52f7ecccc82c54114b44c8e33aa6033c2dd175d326452b03

SHA512
d3d4ca9c89e545d481d6991f18a19a34dc32c6d638f34955e7c8a4ccf3a597c205d37f01df0feb0b37052a978f8d9674107a8960a414d3a834a303c461b34b2c

Download Submit
\Users\Admin\AppData\Roaming\Icduer\nawe.exe

Filesize
253KB

MD5
a96f97df679dc3f4c68ef686c005abb6

SHA1
e082ff345a8660078d1978946f37c7e0363d104d

SHA256
7ca37b0f4ec9709c52f7ecccc82c54114b44c8e33aa6033c2dd175d326452b03

SHA512
d3d4ca9c89e545d481d6991f18a19a34dc32c6d638f34955e7c8a4ccf3a597c205d37f01df0feb0b37052a978f8d9674107a8960a414d3a834a303c461b34b2c

Download Submit
memory/864-103-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/864-106-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/864-63-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download
memory/864-60-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/864-58-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/864-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/864-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/864-101-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/864-104-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/864-54-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/864-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/864-102-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/1132-83-0x00000000003A0000-0x00000000003DC000-memory.dmp

Filesize
240KB

Download
memory/1132-84-0x00000000003A0000-0x00000000003DC000-memory.dmp

Filesize
240KB

Download
memory/1132-85-0x00000000003A0000-0x00000000003DC000-memory.dmp

Filesize
240KB

Download
memory/1132-86-0x00000000003A0000-0x00000000003DC000-memory.dmp

Filesize
240KB

Download
memory/1192-92-0x0000000001EA0000-0x0000000001EDC000-memory.dmp

Filesize
240KB

Download
memory/1192-91-0x0000000001EA0000-0x0000000001EDC000-memory.dmp

Filesize
240KB

Download
memory/1192-90-0x0000000001EA0000-0x0000000001EDC000-memory.dmp

Filesize
240KB

Download
memory/1192-89-0x0000000001EA0000-0x0000000001EDC000-memory.dmp

Filesize
240KB

Download
memory/1268-97-0x0000000002BF0000-0x0000000002C2C000-memory.dmp

Filesize
240KB

Download
memory/1268-98-0x0000000002BF0000-0x0000000002C2C000-memory.dmp

Filesize
240KB

Download
memory/1268-96-0x0000000002BF0000-0x0000000002C2C000-memory.dmp

Filesize
240KB

Download
memory/1268-95-0x0000000002BF0000-0x0000000002C2C000-memory.dmp

Filesize
240KB

Download
memory/1468-111-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1688-116-0x0000000003A70000-0x0000000003AAC000-memory.dmp

Filesize
240KB

Download
memory/1688-117-0x0000000003A70000-0x0000000003AAC000-memory.dmp

Filesize
240KB

Download
memory/1688-115-0x0000000003A70000-0x0000000003AAC000-memory.dmp

Filesize
240KB

Download
memory/1688-114-0x0000000003A70000-0x0000000003AAC000-memory.dmp

Filesize
240KB

Download
memory/1812-109-0x0000000000150000-0x000000000018C000-memory.dmp

Filesize
240KB

Download