bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08

Analysis

max time kernel
40s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 02:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe
Size

50KB
MD5

e4f6423bb2dfc07598042f5d31800d3e
SHA1

1bb55a5657abcd2a2587b769a99e0f1463d54bb1
SHA256

bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08
SHA512

6f1f6229e50d6f99f7be7f6567918e52398e066810fa1cac0d40d4c5fb9d50393f99f51564763a738b060cc3a3acd0be73218bcc8fbfebb1034a7d29bad8621f
SSDEEP

768:eQJmE666HqpuAu7iJaJzzeWNWm9R7/fW6sQu4n91xJucYXsiDK+yvn4LZjM:eQUE56KpuAB4zeWRn7/fK0xgvsn46

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A230A03-0B87-C453-341F-5C38D0FEDA0A}	bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A230A03-0B87-C453-341F-5C38D0FEDA0A}\stubpath = "%SystemRoot%\\system32\\vmtoolsd.exe"	bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe

Deletes itself 1 IoCs

pid	Process
1688	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vmtoolsd.exe	bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe
File opened for modification	C:\Windows\SysWOW64\vmtoolsd.exe	bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2000	bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1628	2000	bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe	28
PID 2000 wrote to memory of 1628	2000	bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe	28
PID 2000 wrote to memory of 1628	2000	bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe	28
PID 2000 wrote to memory of 1628	2000	bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe	28
PID 2000 wrote to memory of 1688	2000	bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe	32
PID 2000 wrote to memory of 1688	2000	bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe	32
PID 2000 wrote to memory of 1688	2000	bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe	32
PID 2000 wrote to memory of 1688	2000	bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe	32

C:\Users\Admin\AppData\Local\Temp\bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe
"C:\Users\Admin\AppData\Local\Temp\bd7af0ff4416acb0c5ad21b326d477ae9d0dd015f2c784ef7489c061918c4d08.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\SysWOW64\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{3A230A03-0B87-C453-341F-5C38D0FEDA0A}" /f
  2⤵
  PID:1628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BD7AF0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2000-54-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2000-55-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/2000-57-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2000-59-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download