49beff69c42127e7c2e972ffdb135c21bdd025edfdf7e96be747450a4e4de3a3

Analysis

max time kernel
145s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 10:28 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49beff69c42127e7c2e972ffdb135c21bdd025edfdf7e96be747450a4e4de3a3.exe
Size

506KB
MD5

5b7dc4c98f67c9b36d39e0ccf72894ca
SHA1

9aa39a10443f60da26b3d88cec207fee405526e8
SHA256

49beff69c42127e7c2e972ffdb135c21bdd025edfdf7e96be747450a4e4de3a3
SHA512

cfbe18cf5c36e3e795a9e909a80bbec8b40ca93ae42394aff70792eea6e233675e00392972a7a8f8264bd9f37f1c046cd8476f5877be809cfaca4ff69cf8530b
SSDEEP

12288:3xhBwbEc9fVkVP2Y26+1ipxJAA/x6M7EDL01GIfjph/vXj1LA:3Jwf9fVIPxh+1gxJp0FQ1NfH5LA

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mydri.sys	49beff69c42127e7c2e972ffdb135c21bdd025edfdf7e96be747450a4e4de3a3.exe
File opened for modification	C:\Windows\SysWOW64\mydri.sys	49beff69c42127e7c2e972ffdb135c21bdd025edfdf7e96be747450a4e4de3a3.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.wz123.com/?nuli"	49beff69c42127e7c2e972ffdb135c21bdd025edfdf7e96be747450a4e4de3a3.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	49beff69c42127e7c2e972ffdb135c21bdd025edfdf7e96be747450a4e4de3a3.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3604	49beff69c42127e7c2e972ffdb135c21bdd025edfdf7e96be747450a4e4de3a3.exe
3604	49beff69c42127e7c2e972ffdb135c21bdd025edfdf7e96be747450a4e4de3a3.exe
3604	49beff69c42127e7c2e972ffdb135c21bdd025edfdf7e96be747450a4e4de3a3.exe
3604	49beff69c42127e7c2e972ffdb135c21bdd025edfdf7e96be747450a4e4de3a3.exe
3604	49beff69c42127e7c2e972ffdb135c21bdd025edfdf7e96be747450a4e4de3a3.exe
3604	49beff69c42127e7c2e972ffdb135c21bdd025edfdf7e96be747450a4e4de3a3.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3604	49beff69c42127e7c2e972ffdb135c21bdd025edfdf7e96be747450a4e4de3a3.exe
Token: SeIncBasePriorityPrivilege	3604	49beff69c42127e7c2e972ffdb135c21bdd025edfdf7e96be747450a4e4de3a3.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3604	49beff69c42127e7c2e972ffdb135c21bdd025edfdf7e96be747450a4e4de3a3.exe
3604	49beff69c42127e7c2e972ffdb135c21bdd025edfdf7e96be747450a4e4de3a3.exe
3604	49beff69c42127e7c2e972ffdb135c21bdd025edfdf7e96be747450a4e4de3a3.exe
3604	49beff69c42127e7c2e972ffdb135c21bdd025edfdf7e96be747450a4e4de3a3.exe

C:\Users\Admin\AppData\Local\Temp\49beff69c42127e7c2e972ffdb135c21bdd025edfdf7e96be747450a4e4de3a3.exe
"C:\Users\Admin\AppData\Local\Temp\49beff69c42127e7c2e972ffdb135c21bdd025edfdf7e96be747450a4e4de3a3.exe"
1⤵
- Drops file in System32 directory
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3604

Network

DNS

cfpan.com

49beff69c42127e7c2e972ffdb135c21bdd025edfdf7e96be747450a4e4de3a3.exe

Remote address:

8.8.8.8:53

Request

cfpan.com

IN A

Response

cfpan.com

IN A

104.21.67.206

cfpan.com

IN A

172.67.180.151
DNS

www.brainy168.com

49beff69c42127e7c2e972ffdb135c21bdd025edfdf7e96be747450a4e4de3a3.exe

Remote address:

8.8.8.8:53

Request

www.brainy168.com

IN A

Response

95.213.205.83:5655

46 B
41 B
1
1
209.197.3.8:80

46 B
40 B
1
1
104.21.67.206:80

cfpan.com

49beff69c42127e7c2e972ffdb135c21bdd025edfdf7e96be747450a4e4de3a3.exe

156 B
3
104.21.67.206:80

cfpan.com

49beff69c42127e7c2e972ffdb135c21bdd025edfdf7e96be747450a4e4de3a3.exe

156 B
3
52.109.13.62:443

40 B
1
93.184.221.240:80

322 B
7
93.184.220.29:80

322 B
7
20.189.173.7:443

322 B
7
209.197.3.8:80

46 B
40 B
1
1
13.107.4.50:80

322 B
7
13.107.4.50:80

322 B
7
13.107.4.50:80

322 B
7

8.8.8.8:53

cfpan.com

dns

49beff69c42127e7c2e972ffdb135c21bdd025edfdf7e96be747450a4e4de3a3.exe

55 B
87 B
1
1

DNS Request

cfpan.com

DNS Response

104.21.67.206

172.67.180.151
8.8.8.8:53

www.brainy168.com

dns

49beff69c42127e7c2e972ffdb135c21bdd025edfdf7e96be747450a4e4de3a3.exe

63 B
136 B
1
1

DNS Request

www.brainy168.com

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

DNS Request

DNS Response

DNS Request

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.