df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898

General

Target

df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
Size

124KB
MD5

ea5427c3d00c38684698462d9fd52e22
SHA1

91a19f7386633af4a502d90189ac174a56add382
SHA256

df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898
SHA512

56bd0306e61e7e86e34a0dfff9b570b60a663ff328932ab96c2391a6f1b3c0ddb00940ff79f0ebbed72c2ccd8e9aaa992e5d01daa2116d6e7d57e5d10b91016f
SSDEEP

1536:T9bmC5k35gtQ7enHw0kYaA1spO90pOkkYq/E8s:T9qCa+tQUHw+aAapO9CkYg

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
660	MayaBabyMain.exe

Deletes itself 1 IoCs

pid	Process
1244	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1368	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MayaBaby\MayaBabyMain.tmp	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
File created	C:\Windows\SysWOW64\MayaBaby\MayaBabyDll.dat	MayaBabyMain.exe
File opened for modification	C:\Windows\SysWOW64\MayaBaby\MayaBabySYS.dat	MayaBabyMain.exe
File created	C:\Windows\SysWOW64\me.bat	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
File opened for modification	C:\Windows\SysWOW64\MayaBaby\MayaBabyMain.tmp	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
File opened for modification	C:\Windows\SysWOW64\MayaBaby\MayaBabyDll.dat	MayaBabyMain.exe
File opened for modification	C:\Windows\SysWOW64\me.bat	attrib.exe
File created	C:\Windows\SysWOW64\MayaBaby\MayaBabyDll.dat	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
File created	C:\Windows\SysWOW64\MayaBaby\MayaBabySYS.dat	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
File opened for modification	C:\Windows\SysWOW64\MayaBaby\MayaBabyDll.dat	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
File opened for modification	C:\Windows\SysWOW64\MayaBaby\MayaBabySYS.dat	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1368	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
1368	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
1368	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
1368	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
1368	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
1368	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
1368	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
1368	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
1368	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
1368	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
1368	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
1368	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
1368	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
1368	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1368	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
Token: SeDebugPrivilege	660	MayaBabyMain.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 1244	1368	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe	29
PID 1368 wrote to memory of 1244	1368	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe	29
PID 1368 wrote to memory of 1244	1368	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe	29
PID 1368 wrote to memory of 1244	1368	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe	29
PID 1244 wrote to memory of 1916	1244	cmd.exe	31
PID 1244 wrote to memory of 1916	1244	cmd.exe	31
PID 1244 wrote to memory of 1916	1244	cmd.exe	31
PID 1244 wrote to memory of 1916	1244	cmd.exe	31

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1916	attrib.exe

C:\Users\Admin\AppData\Local\Temp\df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
"C:\Users\Admin\AppData\Local\Temp\df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\me.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h -s -r -a C:\Windows\system32\me.bat
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:1916

C:\Windows\SysWOW64\MayaBaby\MayaBabyMain.exe
C:\Windows\SysWOW64\MayaBaby\MayaBabyMain.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MayaBaby\MayaBabyMain.exe

Filesize
124KB

MD5
ea5427c3d00c38684698462d9fd52e22

SHA1
91a19f7386633af4a502d90189ac174a56add382

SHA256
df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898

SHA512
56bd0306e61e7e86e34a0dfff9b570b60a663ff328932ab96c2391a6f1b3c0ddb00940ff79f0ebbed72c2ccd8e9aaa992e5d01daa2116d6e7d57e5d10b91016f

Download Submit
C:\Windows\SysWOW64\MayaBaby\MayaBabySYS.dat

Filesize
3KB

MD5
e85d2318312115d554b3bc17e8f98f08

SHA1
41eaeca8fe6331b3063f8b0af5c02db28c3f3e3d

SHA256
f5be3426820782e9125561061d54482a8f52c0801f8232649e867a5f2e6610d2

SHA512
1f74940953bcfd6d196b992ba3eb39447e9215da77a26f3c52e75300989498d1fb369c8b0f57e5baa118728baaaee673a38aa8e9ea5d4a7f4eeeb8738a480ef6

Download Submit
C:\Windows\SysWOW64\me.bat

Filesize
162B

MD5
ab683a22120cb26d2df21d5b31506ca5

SHA1
55ef33fe39c1461e86ed09a5605d9487b2c5b55a

SHA256
93ad45b53a157742a5050d30a06001c98d745344a03279fae4327e932c3d2d09

SHA512
b7a4962611f90fc7f3767d990fcb6ded463c781a402054d91d3422957784858101803bce43a1a47dbb265919e2295f0566be7f2d3337e991f76b812c85f6e42a

Download Submit
\Windows\SysWOW64\MayaBaby\MayaBabyDll.dat

Filesize
17KB

MD5
461036b0d3ae016fcf021858040203da

SHA1
0a22bbb004a1caabc9af2d7037901c1f36663ce7

SHA256
834ad274502755d3e22595d75b7aca840fe4af2fe5d216ec031667694fcc681a

SHA512
d19fa85dee28b3666ef69fa30ce21a960bab6197a2f23acbf9329b0eb8aae2ea6be62270dae72728ce565230516417756de3acc9925e122c567d53f5fc827fef

Download Submit
memory/1368-55-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1368-56-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1368-60-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads