Analysis
max time kernel: 172s
max time network: 176s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 01-12-2022 19:58
Static task: static1
Behavioral task: behavioral1
  Sample: a78875e99d0ce80a7dbd7f235d90581c4575d12e6f5ec4bfe951bcdbc1e38bb2.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: a78875e99d0ce80a7dbd7f235d90581c4575d12e6f5ec4bfe951bcdbc1e38bb2.exe
  Resource: win10v2004-20220812-en
General
Target: a78875e99d0ce80a7dbd7f235d90581c4575d12e6f5ec4bfe951bcdbc1e38bb2.exe
Size: 214KB
MD5: 6cd7ab257b42ed5266965285dccc6e56
SHA1: 25f68bbfb3400aebfa2ea017960ca2c3ac1e9bb4
SHA256: a78875e99d0ce80a7dbd7f235d90581c4575d12e6f5ec4bfe951bcdbc1e38bb2
SHA512: 90423e8f83a6927024e8edbeb04006cecc3d883749213845365bcd0bdaad79fafad8372cd99617c836efbf3486b770f330d4dfd547ec2f78e26c232fa1912685
SSDEEP: 6144:P3c99MeInpZdSdwE3VQuXS8k/PucdiZ9Xi:/8MeIp6d93+2HoiDi
Malware Config
Signatures
Modifies system executable filetype association (2 TTPs, 17 IoCs)
All keys below are under \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES, i.e. the logged-on user's HKCU\Software\Classes hive. All writes are by pef.exe.
  Set value (str) exefile\ = "Application"
  Set value (str) exefile\Content Type = "application/x-msdownload"
  Key created exefile\DefaultIcon
  Set value (str) exefile\DefaultIcon\ = "%1"
  Key created exefile\shell
  Key created exefile\shell\open
  Key created exefile\shell\open\command
  Set value (str) exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\pef.exe\" -a \"%1\" %*"
  Set value (str) exefile\shell\open\command\IsolatedCommand = "\"%1\" %*"
  Key created exefile\shell\runas
  Key created exefile\shell\runas\command
  Set value (str) exefile\shell\runas\command\ = "\"%1\" %*"
  Set value (str) exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*"
  Key created exefile\shell\start
  Key created exefile\shell\start\command
  Set value (str) exefile\shell\start\command\ = "\"%1\" %*"
  Set value (str) exefile\shell\start\command\IsolatedCommand = "\"%1\" %*"
Note: only the open verb is actually redirected. Its (Default) command becomes "C:\Users\Admin\AppData\Local\pef.exe" -a "%1" %*, so every .exe this user launches through the shell runs pef.exe first, with the original program and its arguments passed through. The runas and start verbs and the IsolatedCommand values are written with the stock "%1" %* data. Because HKEY_CLASSES_ROOT is a merged view in which HKCU\Software\Classes takes precedence over HKLM\Software\Classes, this hijack needs no administrative rights.
Disables taskbar notifications via registry modification

Executes dropped EXE (1 IoC)
  PID 852 pef.exe

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Active Setup\Installed Components (explorer.exe)
  Note: this write is attributed to explorer.exe (PID 1192), not to the sample's process tree.

Deletes itself (1 IoC)
  PID 852 pef.exe

Loads dropped DLL (2 IoCs)
  PID 1060 a78875e99d0ce80a7dbd7f235d90581c4575d12e6f5ec4bfe951bcdbc1e38bb2.exe (2 events)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run (pef.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\WINDOWS\\system32\\ctfmon.exe" (pef.exe)
  Note: the value name mimics, and the data points to, the legitimate ctfmon.exe in system32; read it together with the .exe/exefile open-verb hijack above, which interposes pef.exe on shell-launched executables.
Modifies registry class (41 IoCs)
Writes by pef.exe, all under \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES:
  Key created .exe
  Set value (str) .exe\ = "exefile"
  Set value (str) .exe\Content Type = "application/x-msdownload"
  Key created .exe\DefaultIcon
  Set value (str) .exe\DefaultIcon\ = "%1"
  Key created .exe\shell
  Key created .exe\shell\open
  Key created .exe\shell\open\command
  Set value (str) .exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\pef.exe\" -a \"%1\" %*"
  Set value (str) .exe\shell\open\command\IsolatedCommand = "\"%1\" %*"
  Key created .exe\shell\runas
  Key created .exe\shell\runas\command
  Set value (str) .exe\shell\runas\command\ = "\"%1\" %*"
  Set value (str) .exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"
  Key created .exe\shell\start
  Key created .exe\shell\start\command
  Set value (str) .exe\shell\start\command\ = "\"%1\" %*"
  Set value (str) .exe\shell\start\command\IsolatedCommand = "\"%1\" %*"
  Key created exefile
  Set value (str) exefile\ = "Application"
  Set value (str) exefile\Content Type = "application/x-msdownload"
  Key created exefile\DefaultIcon
  Set value (str) exefile\DefaultIcon\ = "%1"
  Key created exefile\shell
  Key created exefile\shell\open
  Key created exefile\shell\open\command
  Set value (str) exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\pef.exe\" -a \"%1\" %*"
  Set value (str) exefile\shell\open\command\IsolatedCommand = "\"%1\" %*"
  Key created exefile\shell\runas
  Key created exefile\shell\runas\command
  Set value (str) exefile\shell\runas\command\ = "\"%1\" %*"
  Set value (str) exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*"
  Key created exefile\shell\start
  Key created exefile\shell\start\command
  Set value (str) exefile\shell\start\command\ = "\"%1\" %*"
  Set value (str) exefile\shell\start\command\IsolatedCommand = "\"%1\" %*"
Writes by explorer.exe (PID 1192); these are Explorer's own ShellBag (folder view state) updates, not sample activity:
  Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\Local Settings
  Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell
  Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
  Set value (data) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Note: pef.exe writes the hijacked open command both on the exefile ProgID and directly on the .exe extension key, so both locations have to be checked and restored when remediating.
Suspicious behavior: EnumeratesProcesses (14 IoCs)
  PID 1060 a78875e99d0ce80a7dbd7f235d90581c4575d12e6f5ec4bfe951bcdbc1e38bb2.exe (9 events)
  PID 852 pef.exe (5 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1192 explorer.exe

Suspicious use of AdjustPrivilegeToken (18 IoCs)
  Token: SeShutdownPrivilege, PID 1192 explorer.exe (14 events)
  Token: 33, PID 1540 AUDIODG.EXE (2 events)
  Token: SeIncBasePriorityPrivilege, PID 1540 AUDIODG.EXE (2 events)

Suspicious use of FindShellTrayWindow (34 IoCs)
  PID 1192 explorer.exe (32 events)
  PID 852 pef.exe (2 events)

Suspicious use of SendNotifyMessage (25 IoCs)
  PID 1192 explorer.exe (24 events)
  PID 852 pef.exe (1 event)

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1060 a78875e99d0ce80a7dbd7f235d90581c4575d12e6f5ec4bfe951bcdbc1e38bb2.exe wrote to memory of PID 852 pef.exe (procid_target 28), 4 events
Note: the events attributed to explorer.exe (PID 1192) and AUDIODG.EXE (PID 1540) come from background system processes in the sandbox image, not from the sample's tree (PID 1060 and its child PID 852). A parent writing to a child it has just created is also what CreateProcess does when it sets the child up, so the WriteProcessMemory hits alone do not establish code injection.
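The two registry changes that matter in this report, the open-verb rewrite on exefile and .exe and the Run value, are worth checking mechanically rather than by eye. The Python below is an added example, not part of this report and not the sandbox's own signature logic: it parses "Set value" lines in the format the report prints (the sample lines are constructed from the report's own values), flags any .exe/exefile shell verb whose command differs from the stock "%1" %* and records the interposed handler, and flags any value written under a Run/RunOnce key. The line grammar, the stock verb data and the finding categories are this example's assumptions.

```python
"""Flag shell-verb (file association) hijacks and Run-key persistence in
sandbox registry events.

Added example for this report, not the sandbox's signature code. The event
lines are constructed from the values the report shows; the line grammar,
the 'stock' verb data and the finding kinds are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Stock data Windows ships for the exefile verbs: run the file itself and pass
# its arguments through. Anything else in 'open' means the shell starts that
# other program instead of (and before) the one the user clicked.
STOCK_VERB_CMD = '"%1" %*'

# 'Set value (<type>) <key>\<name> = "<data>" <process>' as the report prints it.
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
# A verb's command key on either the .exe extension key or the exefile ProgID.
EXE_VERB_RE = re.compile(r'\\(\.exe|exefile)\\shell\\([^\\]+)\\command$', re.I)
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\(Run|RunOnce)$', re.I)


@dataclass
class RegValue:
    key: str
    name: str        # '' for the key's (Default) value
    data: str
    proc: str


@dataclass
class Finding:
    kind: str        # 'assoc_hijack' or 'run_key'
    scope: str       # 'per-user' (HKU) needs no admin; 'machine' (HKLM) does
    key: str
    name: str
    data: str
    proc: str
    handler: str = ''   # program interposed on the verb (assoc_hijack only)


def unescape(data: str) -> str:
    """Undo the report's C-style escaping of quotes and backslashes."""
    return re.sub(r'\\(["\\])', r'\1', data)


def parse_set_value(line: str) -> Optional[RegValue]:
    """Parse one 'Set value' event; other events ('Key created ...') give None."""
    m = SET_VALUE_RE.match(line)
    if not m:
        return None
    key, _, name = m.group('path').rpartition('\\')
    return RegValue(key, name, unescape(m.group('data')), m.group('proc'))


def scope_of(key: str) -> str:
    return 'per-user' if key.upper().startswith('\\REGISTRY\\USER\\') else 'machine'


def first_quoted_token(cmd: str) -> str:
    """Program part of a verb command such as '"C:\\x.exe" -a "%1" %*'."""
    m = re.match(r'\s*"([^"]+)"', cmd)
    return m.group(1) if m else cmd.split()[0]


def analyze(lines) -> List[Finding]:
    findings = []
    for line in lines:
        v = parse_set_value(line)
        if v is None:
            continue
        if EXE_VERB_RE.search(v.key) and v.data != STOCK_VERB_CMD:
            findings.append(Finding('assoc_hijack', scope_of(v.key), v.key, v.name,
                                    v.data, v.proc, handler=first_quoted_token(v.data)))
        elif RUN_KEY_RE.search(v.key):
            findings.append(Finding('run_key', scope_of(v.key), v.key, v.name, v.data, v.proc))
    return findings


# Constructed from the report's registry IoCs (same SID, paths and data).
SID = r'\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000'
SAMPLE_EVENTS = [
    r'Set value (str) ' + SID + r'_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\pef.exe\" -a \"%1\" %*" pef.exe',
    r'Set value (str) ' + SID + r'_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" pef.exe',
    r'Set value (str) ' + SID + r'_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" pef.exe',
    r'Set value (str) ' + SID + r'_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\pef.exe\" -a \"%1\" %*" pef.exe',
    r'Set value (str) ' + SID + r'_CLASSES\.exe\ = "exefile" pef.exe',
    r'Set value (str) ' + SID + r'\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\WINDOWS\\system32\\ctfmon.exe" pef.exe',
    r'Key created ' + SID + r'_CLASSES\exefile\shell\open pef.exe',
]

if __name__ == '__main__':
    for f in analyze(SAMPLE_EVENTS):
        target = f.handler or f.data
        print(f'[{f.kind}] ({f.scope}) {f.key}\\{f.name} -> {target}  written by {f.proc}')
```

Run as a script it reports two assoc_hijack findings (exefile and .exe, both per-user, handler C:\Users\Admin\AppData\Local\pef.exe) and one run_key finding (ctfmon.exe). The same comparison against "%1" %* can be made on a live host for HKCU\Software\Classes\exefile\shell\open\command, HKCU\Software\Classes\.exe\shell\open\command and their HKLM counterparts; the per-user location matters because Windows layers HKCU\Software\Classes over HKLM\Software\Classes when it builds HKEY_CLASSES_ROOT, so the hijack takes effect without elevation.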
Processes
C:\Users\Admin\AppData\Local\Temp\a78875e99d0ce80a7dbd7f235d90581c4575d12e6f5ec4bfe951bcdbc1e38bb2.exe (PID 1060)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a78875e99d0ce80a7dbd7f235d90581c4575d12e6f5ec4bfe951bcdbc1e38bb2.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\pef.exe (PID 852, child of 1060)
    Command line: "C:\Users\Admin\AppData\Local\pef.exe" -gav C:\Users\Admin\AppData\Local\Temp\a78875e99d0ce80a7dbd7f235d90581c4575d12e6f5ec4bfe951bcdbc1e38bb2.exe
    - Modifies system executable filetype association
    - Executes dropped EXE
    - Deletes itself
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

C:\Windows\explorer.exe (PID 1192)
  Command line: explorer.exe
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\system32\AUDIODG.EXE (PID 1540)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x550
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Dropped file (listed four times in the report; every entry carries the same hashes as the submitted sample)
Filesize: 214KB
MD5: 6cd7ab257b42ed5266965285dccc6e56
SHA1: 25f68bbfb3400aebfa2ea017960ca2c3ac1e9bb4
SHA256: a78875e99d0ce80a7dbd7f235d90581c4575d12e6f5ec4bfe951bcdbc1e38bb2
SHA512: 90423e8f83a6927024e8edbeb04006cecc3d883749213845365bcd0bdaad79fafad8372cd99617c836efbf3486b770f330d4dfd547ec2f78e26c232fa1912685