bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08

Analysis

max time kernel
40s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 02:33 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe
Size

50KB
MD5

e4f6423bb2dfc07598042f5d31800d3e
SHA1

1bb55a5657abcd2a2587b769a99e0f1463d54bb1
SHA256

bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08
SHA512

6f1f6229e50d6f99f7be7f6567918e52398e066810fa1cac0d40d4c5fb9d50393f99f51564763a738b060cc3a3acd0be73218bcc8fbfebb1034a7d29bad8621f
SSDEEP

768:eQJmE666HqpuAu7iJaJzzeWNWm9R7/fW6sQu4n91xJucYXsiDK+yvn4LZjM:eQUE56KpuAB4zeWRn7/fK0xgvsn46

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A230A03-0B87-C453-341F-5C38D0FEDA0A}	bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A230A03-0B87-C453-341F-5C38D0FEDA0A}\stubpath = "%SystemRoot%\\system32\\vmtoolsd.exe"	bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe

Deletes itself 1 IoCs

pid	Process
1688	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vmtoolsd.exe	bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe
File opened for modification	C:\Windows\SysWOW64\vmtoolsd.exe	bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2000	bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1628	2000	bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe	28
PID 2000 wrote to memory of 1628	2000	bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe	28
PID 2000 wrote to memory of 1628	2000	bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe	28
PID 2000 wrote to memory of 1628	2000	bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe	28
PID 2000 wrote to memory of 1688	2000	bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe	32
PID 2000 wrote to memory of 1688	2000	bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe	32
PID 2000 wrote to memory of 1688	2000	bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe	32
PID 2000 wrote to memory of 1688	2000	bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe	32

C:\Users\Admin\AppData\Local\Temp\bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe
"C:\Users\Admin\AppData\Local\Temp\bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\SysWOW64\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{3A230A03-0B87-C453-341F-5C38D0FEDA0A}" /f
  2⤵
  PID:1628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BD7AF0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1688

Network

DNS

www.issuejeju.com

bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe

Remote address:

8.8.8.8:53

Request

www.issuejeju.com

IN A

Response

www.issuejeju.com

IN A

121.78.127.93
GET

http://www.issuejeju.com/poll/update7.txt

bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe

Remote address:

121.78.127.93:80

Request

GET /poll/update7.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: www.issuejeju.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Tue, 06 Dec 2022 00:42:42 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 3745
Connection: keep-alive
Vary: Accept-Encoding

121.78.127.93:80

http://www.issuejeju.com/poll/update7.txt

http

bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe

402 B
4.1kB
5
5

HTTP Request

GET http://www.issuejeju.com/poll/update7.txt

HTTP Response

200

8.8.8.8:53

www.issuejeju.com

dns

bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe

63 B
79 B
1
1

DNS Request

www.issuejeju.com

DNS Response

121.78.127.93

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2000-54-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2000-55-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/2000-57-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2000-59-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.