333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2

Analysis

max time kernel
183s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2.exe
Size

53KB
MD5

68a682d9d0e33e688c6ea49056830b41
SHA1

187ee68d2b5e58f2eec215d1b52a85550de13ac2
SHA256

333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2
SHA512

9d332e646685d466f121dba4ad2cbf7b8f1f4460b83fad92f74e72469050f0d8262340bc8ca71e3188dd17e1b96bd604e337391747fbf8612867cd5d418de431
SSDEEP

768:mOcxeXxZFPgs1qjFh9EQylblq9w/VM8H7wKjwXbIkbd:mOcx6Zpgsgjb9EQaq9oVlbwKkXcI

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2952	8f66c53.tmp

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.220.222
Destination IP	208.67.220.220
Destination IP	208.67.222.123
Destination IP	208.67.220.123
Destination IP	208.67.222.220

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	8f66c53.tmp
File opened (read-only)	\??\G:	8f66c53.tmp
File opened (read-only)	\??\I:	8f66c53.tmp
File opened (read-only)	\??\J:	8f66c53.tmp
File opened (read-only)	\??\M:	8f66c53.tmp
File opened (read-only)	\??\O:	8f66c53.tmp
File opened (read-only)	\??\Q:	8f66c53.tmp
File opened (read-only)	\??\R:	8f66c53.tmp
File opened (read-only)	\??\S:	8f66c53.tmp
File opened (read-only)	\??\V:	8f66c53.tmp
File opened (read-only)	\??\W:	8f66c53.tmp
File opened (read-only)	\??\L:	8f66c53.tmp
File opened (read-only)	\??\N:	8f66c53.tmp
File opened (read-only)	\??\T:	8f66c53.tmp
File opened (read-only)	\??\U:	8f66c53.tmp
File opened (read-only)	\??\Y:	8f66c53.tmp
File opened (read-only)	\??\E:	8f66c53.tmp
File opened (read-only)	\??\K:	8f66c53.tmp
File opened (read-only)	\??\H:	8f66c53.tmp
File opened (read-only)	\??\P:	8f66c53.tmp
File opened (read-only)	\??\X:	8f66c53.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\usp10.dll	8f66c53.tmp

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2952	8f66c53.tmp
2952	8f66c53.tmp
2952	8f66c53.tmp
2952	8f66c53.tmp
2952	8f66c53.tmp
2952	8f66c53.tmp
2952	8f66c53.tmp
2952	8f66c53.tmp
2952	8f66c53.tmp
2952	8f66c53.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	100	333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2.exe
Token: SeIncBasePriorityPrivilege	2952	8f66c53.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 100 wrote to memory of 2952	100	333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2.exe	83
PID 100 wrote to memory of 2952	100	333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2.exe	83
PID 100 wrote to memory of 2952	100	333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2.exe	83
PID 100 wrote to memory of 3548	100	333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2.exe	84
PID 100 wrote to memory of 3548	100	333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2.exe	84
PID 100 wrote to memory of 3548	100	333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2.exe	84
PID 2952 wrote to memory of 2616	2952	8f66c53.tmp	86
PID 2952 wrote to memory of 2616	2952	8f66c53.tmp	86
PID 2952 wrote to memory of 2616	2952	8f66c53.tmp	86

C:\Users\Admin\AppData\Local\Temp\333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2.exe
"C:\Users\Admin\AppData\Local\Temp\333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:100
- C:\Users\Admin\AppData\Local\Temp\8f66c53.tmp
  "C:\Users\Admin\AppData\Local\Temp\8f66c53.tmp"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\8f66c53.tmp"
    3⤵
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\333f890fef76d6f1ab80235c09ce9f526b27ab266ca41fb507eab10d6ae3baf2.exe"
  2⤵
  PID:3548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8f66c53.tmp

Filesize
53KB

MD5
dcd0e1bf91b35a195cd0b00d71259593

SHA1
0ffdb1d9e3a93a56d964845174e158b6b4715e1a

SHA256
5f2912df649501aeeb3aa5334ac39c9185f6633787ec9f4bb93dde920a2a76fb

SHA512
fc0ac336c6da70c01b43d9daf75f1d6a5b2c22caf8c65e55c4a388a70d2a1cf2bb97d8bcd35c5ca30de77ef2949228160150cdf8932219c69729b7974a0633a1

Download Submit
memory/100-134-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2952-135-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2952-138-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download