aefa774004272d956394b461c54b7338538b9683d3e1b0b99955ff7bbc522f72

Analysis

max time kernel
206s
max time network
214s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 19:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aefa774004272d956394b461c54b7338538b9683d3e1b0b99955ff7bbc522f72.exe
Size

288KB
MD5

755240ee8e016dd53ef0dfbb0a3a6121
SHA1

073de29df0ad8d030cbbc448043e8e962e1b3a61
SHA256

aefa774004272d956394b461c54b7338538b9683d3e1b0b99955ff7bbc522f72
SHA512

b0772f070cbfe3ad7cfa3981b920b5d2113e7a1d60f5583b9fc15af3793797cb50cd9acc40f85116f445633bda3852e28fbb4b688a76f7e9a517c24dbdb09dd6
SSDEEP

6144:uejcki1BSRm6W2YF0f2t6b+vClRHUcivtJOkRGP07ByaB22U9F/+:uejckifOm67YFZt6KqlKRvtJOkRGmwtm

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 17 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\start\command	twt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*"	twt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*"	twt.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\runas\command	twt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*"	twt.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\open\command	twt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\twt.exe\" -a \"%1\" %*"	twt.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\runas	twt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*"	twt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\ = "Application"	twt.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell	twt.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\start	twt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\Content Type = "application/x-msdownload"	twt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\DefaultIcon\ = "%1"	twt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*"	twt.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\DefaultIcon	twt.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\open	twt.exe

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
712	twt.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

pid	Process
712	twt.exe

Loads dropped DLL 2 IoCs

pid	Process
1776	aefa774004272d956394b461c54b7338538b9683d3e1b0b99955ff7bbc522f72.exe
1776	aefa774004272d956394b461c54b7338538b9683d3e1b0b99955ff7bbc522f72.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	twt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\WINDOWS\\system32\\ctfmon.exe"	twt.exe

Modifies registry class 41 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	twt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\shell\start\command\ = "\"%1\" %*"	twt.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\DefaultIcon	twt.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	twt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\shell\start\command\IsolatedCommand = "\"%1\" %*"	twt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*"	twt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\ = "exefile"	twt.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\DefaultIcon	twt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\twt.exe\" -a \"%1\" %*"	twt.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\shell\start\command	twt.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile	twt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\DefaultIcon\ = "%1"	twt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*"	twt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\Content Type = "application/x-msdownload"	twt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\DefaultIcon\ = "%1"	twt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\Content Type = "application/x-msdownload"	twt.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell	twt.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\open	twt.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\runas	twt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*"	twt.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\ = "Application"	twt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\twt.exe\" -a \"%1\" %*"	twt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*"	twt.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\start\command	twt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*"	twt.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe	twt.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\open\command	twt.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\runas\command	twt.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\exefile\shell\start	twt.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\shell	twt.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\shell\open\command	twt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	twt.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\shell\start	twt.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\shell\runas\command	twt.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\shell\open	twt.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\.exe\shell\runas	twt.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1776	aefa774004272d956394b461c54b7338538b9683d3e1b0b99955ff7bbc522f72.exe
1776	aefa774004272d956394b461c54b7338538b9683d3e1b0b99955ff7bbc522f72.exe
1776	aefa774004272d956394b461c54b7338538b9683d3e1b0b99955ff7bbc522f72.exe
1776	aefa774004272d956394b461c54b7338538b9683d3e1b0b99955ff7bbc522f72.exe
1776	aefa774004272d956394b461c54b7338538b9683d3e1b0b99955ff7bbc522f72.exe
1776	aefa774004272d956394b461c54b7338538b9683d3e1b0b99955ff7bbc522f72.exe
1776	aefa774004272d956394b461c54b7338538b9683d3e1b0b99955ff7bbc522f72.exe
1776	aefa774004272d956394b461c54b7338538b9683d3e1b0b99955ff7bbc522f72.exe
1776	aefa774004272d956394b461c54b7338538b9683d3e1b0b99955ff7bbc522f72.exe
712	twt.exe
712	twt.exe
712	twt.exe
712	twt.exe
712	twt.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeShutdownPrivilege	872	explorer.exe
Token: SeShutdownPrivilege	872	explorer.exe
Token: SeShutdownPrivilege	872	explorer.exe
Token: SeShutdownPrivilege	872	explorer.exe
Token: SeShutdownPrivilege	872	explorer.exe
Token: SeShutdownPrivilege	872	explorer.exe
Token: SeShutdownPrivilege	872	explorer.exe
Token: SeShutdownPrivilege	872	explorer.exe
Token: SeShutdownPrivilege	872	explorer.exe
Token: SeShutdownPrivilege	872	explorer.exe
Token: SeShutdownPrivilege	872	explorer.exe
Token: SeShutdownPrivilege	872	explorer.exe
Token: 33	820	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	820	AUDIODG.EXE
Token: 33	820	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	820	AUDIODG.EXE
Token: SeShutdownPrivilege	872	explorer.exe
Token: SeShutdownPrivilege	872	explorer.exe
Token: SeShutdownPrivilege	872	explorer.exe
Token: SeShutdownPrivilege	872	explorer.exe
Token: SeShutdownPrivilege	872	explorer.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
712	twt.exe
872	explorer.exe
872	explorer.exe
712	twt.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
872	explorer.exe
712	twt.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 712	1776	aefa774004272d956394b461c54b7338538b9683d3e1b0b99955ff7bbc522f72.exe	28
PID 1776 wrote to memory of 712	1776	aefa774004272d956394b461c54b7338538b9683d3e1b0b99955ff7bbc522f72.exe	28
PID 1776 wrote to memory of 712	1776	aefa774004272d956394b461c54b7338538b9683d3e1b0b99955ff7bbc522f72.exe	28
PID 1776 wrote to memory of 712	1776	aefa774004272d956394b461c54b7338538b9683d3e1b0b99955ff7bbc522f72.exe	28

C:\Users\Admin\AppData\Local\Temp\aefa774004272d956394b461c54b7338538b9683d3e1b0b99955ff7bbc522f72.exe
"C:\Users\Admin\AppData\Local\Temp\aefa774004272d956394b461c54b7338538b9683d3e1b0b99955ff7bbc522f72.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Local\twt.exe
  "C:\Users\Admin\AppData\Local\twt.exe" -gav C:\Users\Admin\AppData\Local\Temp\aefa774004272d956394b461c54b7338538b9683d3e1b0b99955ff7bbc522f72.exe
  2⤵
  - Modifies system executable filetype association
  - Executes dropped EXE
  - Deletes itself
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:712

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:872

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x584
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\twt.exe

Filesize
288KB

MD5
45774d5b685d83e309c0248787bd0858

SHA1
4900ae1110695c935c7949793f6b3e66a48e86b1

SHA256
4c54695c47f661905ba52375132d28a4b595f4b955a6ca669a6d422068afe08c

SHA512
fb18319bf71fb6c25394b5731aebd84ccf8e4c66569cb12c8d5d6b94060c832412db1a083ff2554e6ff35a087c5be251132a15227c554c52e602c544fbc256fa

Download Submit
C:\Users\Admin\AppData\Local\twt.exe

Filesize
288KB

MD5
45774d5b685d83e309c0248787bd0858

SHA1
4900ae1110695c935c7949793f6b3e66a48e86b1

SHA256
4c54695c47f661905ba52375132d28a4b595f4b955a6ca669a6d422068afe08c

SHA512
fb18319bf71fb6c25394b5731aebd84ccf8e4c66569cb12c8d5d6b94060c832412db1a083ff2554e6ff35a087c5be251132a15227c554c52e602c544fbc256fa

Download Submit
\Users\Admin\AppData\Local\twt.exe

Filesize
288KB

MD5
45774d5b685d83e309c0248787bd0858

SHA1
4900ae1110695c935c7949793f6b3e66a48e86b1

SHA256
4c54695c47f661905ba52375132d28a4b595f4b955a6ca669a6d422068afe08c

SHA512
fb18319bf71fb6c25394b5731aebd84ccf8e4c66569cb12c8d5d6b94060c832412db1a083ff2554e6ff35a087c5be251132a15227c554c52e602c544fbc256fa

Download Submit
\Users\Admin\AppData\Local\twt.exe

Filesize
288KB

MD5
45774d5b685d83e309c0248787bd0858

SHA1
4900ae1110695c935c7949793f6b3e66a48e86b1

SHA256
4c54695c47f661905ba52375132d28a4b595f4b955a6ca669a6d422068afe08c

SHA512
fb18319bf71fb6c25394b5731aebd84ccf8e4c66569cb12c8d5d6b94060c832412db1a083ff2554e6ff35a087c5be251132a15227c554c52e602c544fbc256fa

Download Submit
memory/712-67-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/712-68-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/712-69-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/712-70-0x00000000749D1000-0x00000000749D3000-memory.dmp

Filesize
8KB

Download
memory/872-64-0x000007FEFC281000-0x000007FEFC283000-memory.dmp

Filesize
8KB

Download
memory/872-71-0x0000000002650000-0x0000000002660000-memory.dmp

Filesize
64KB

Download
memory/1776-58-0x0000000001FA0000-0x0000000002257000-memory.dmp

Filesize
2.7MB

Download
memory/1776-57-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1776-56-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1776-63-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1776-55-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/1776-54-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download