df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898

Analysis

max time kernel
195s
max time network
215s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
Size

124KB
MD5

ea5427c3d00c38684698462d9fd52e22
SHA1

91a19f7386633af4a502d90189ac174a56add382
SHA256

df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898
SHA512

56bd0306e61e7e86e34a0dfff9b570b60a663ff328932ab96c2391a6f1b3c0ddb00940ff79f0ebbed72c2ccd8e9aaa992e5d01daa2116d6e7d57e5d10b91016f
SSDEEP

1536:T9bmC5k35gtQ7enHw0kYaA1spO90pOkkYq/E8s:T9qCa+tQUHw+aAapO9CkYg

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2088	MayaBabyMain.exe

Loads dropped DLL 2 IoCs

pid	Process
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
2088	MayaBabyMain.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MayaBaby\MayaBabyMain.tmp	MayaBabyMain.exe
File opened for modification	C:\Windows\SysWOW64\me.bat	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MayaBaby\MayaBabySYS.dat	MayaBabyMain.exe
File created	C:\Windows\SysWOW64\MayaBaby\MayaBabySYS.dat	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
File opened for modification	C:\Windows\SysWOW64\MayaBaby\MayaBabySYS.dat	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
File created	C:\Windows\SysWOW64\MayaBaby\MayaBabyDll.dat	MayaBabyMain.exe
File opened for modification	C:\Windows\SysWOW64\MayaBaby\MayaBabyMain.tmp	MayaBabyMain.exe
File created	C:\Windows\SysWOW64\MayaBaby\MayaBabyDll.dat	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
File created	C:\Windows\SysWOW64\me.bat	MayaBabyMain.exe
File opened for modification	C:\Windows\SysWOW64\me.bat	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
File created	C:\Windows\SysWOW64\MayaBaby\MayaBabyMain.tmp	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
File opened for modification	C:\Windows\SysWOW64\MayaBaby\MayaBabyMain.tmp	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
File opened for modification	C:\Windows\SysWOW64\MayaBaby\MayaBabyDll.dat	MayaBabyMain.exe
File opened for modification	C:\Windows\SysWOW64\me.bat	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MayaBaby\MayaBabyDll.dat	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
2088	MayaBabyMain.exe
2088	MayaBabyMain.exe
2088	MayaBabyMain.exe
2088	MayaBabyMain.exe
2088	MayaBabyMain.exe
2088	MayaBabyMain.exe
2088	MayaBabyMain.exe
2088	MayaBabyMain.exe
2088	MayaBabyMain.exe
2088	MayaBabyMain.exe
2088	MayaBabyMain.exe
2088	MayaBabyMain.exe
2088	MayaBabyMain.exe
2088	MayaBabyMain.exe
2088	MayaBabyMain.exe
2088	MayaBabyMain.exe
2088	MayaBabyMain.exe
2088	MayaBabyMain.exe
2088	MayaBabyMain.exe
2088	MayaBabyMain.exe
2088	MayaBabyMain.exe
2088	MayaBabyMain.exe
2088	MayaBabyMain.exe
2088	MayaBabyMain.exe
2088	MayaBabyMain.exe
2088	MayaBabyMain.exe
2088	MayaBabyMain.exe
2088	MayaBabyMain.exe
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
Token: SeDebugPrivilege	2088	MayaBabyMain.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 628	2088	MayaBabyMain.exe	83
PID 2088 wrote to memory of 628	2088	MayaBabyMain.exe	83
PID 2088 wrote to memory of 628	2088	MayaBabyMain.exe	83
PID 4676 wrote to memory of 4980	4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe	85
PID 4676 wrote to memory of 4980	4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe	85
PID 4676 wrote to memory of 4980	4676	df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe	85
PID 628 wrote to memory of 4488	628	cmd.exe	88
PID 628 wrote to memory of 4488	628	cmd.exe	88
PID 628 wrote to memory of 4488	628	cmd.exe	88
PID 4980 wrote to memory of 2480	4980	cmd.exe	87
PID 4980 wrote to memory of 2480	4980	cmd.exe	87
PID 4980 wrote to memory of 2480	4980	cmd.exe	87

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2480	attrib.exe
4488	attrib.exe

C:\Users\Admin\AppData\Local\Temp\df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe
"C:\Users\Admin\AppData\Local\Temp\df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\me.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h -s -r -a C:\Windows\system32\me.bat
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:2480

C:\Windows\SysWOW64\MayaBaby\MayaBabyMain.exe
C:\Windows\SysWOW64\MayaBaby\MayaBabyMain.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\me.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h -s -r -a C:\Windows\system32\me.bat
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:4488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MayaBaby\MayaBabyDll.dat

Filesize
17KB

MD5
461036b0d3ae016fcf021858040203da

SHA1
0a22bbb004a1caabc9af2d7037901c1f36663ce7

SHA256
834ad274502755d3e22595d75b7aca840fe4af2fe5d216ec031667694fcc681a

SHA512
d19fa85dee28b3666ef69fa30ce21a960bab6197a2f23acbf9329b0eb8aae2ea6be62270dae72728ce565230516417756de3acc9925e122c567d53f5fc827fef

Download Submit
C:\Windows\SysWOW64\MayaBaby\MayaBabyDll.dat

Filesize
17KB

MD5
461036b0d3ae016fcf021858040203da

SHA1
0a22bbb004a1caabc9af2d7037901c1f36663ce7

SHA256
834ad274502755d3e22595d75b7aca840fe4af2fe5d216ec031667694fcc681a

SHA512
d19fa85dee28b3666ef69fa30ce21a960bab6197a2f23acbf9329b0eb8aae2ea6be62270dae72728ce565230516417756de3acc9925e122c567d53f5fc827fef

Download Submit
C:\Windows\SysWOW64\MayaBaby\MayaBabyDll.dat

Filesize
17KB

MD5
461036b0d3ae016fcf021858040203da

SHA1
0a22bbb004a1caabc9af2d7037901c1f36663ce7

SHA256
834ad274502755d3e22595d75b7aca840fe4af2fe5d216ec031667694fcc681a

SHA512
d19fa85dee28b3666ef69fa30ce21a960bab6197a2f23acbf9329b0eb8aae2ea6be62270dae72728ce565230516417756de3acc9925e122c567d53f5fc827fef

Download Submit
C:\Windows\SysWOW64\MayaBaby\MayaBabyMain.exe

Filesize
124KB

MD5
ea5427c3d00c38684698462d9fd52e22

SHA1
91a19f7386633af4a502d90189ac174a56add382

SHA256
df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898

SHA512
56bd0306e61e7e86e34a0dfff9b570b60a663ff328932ab96c2391a6f1b3c0ddb00940ff79f0ebbed72c2ccd8e9aaa992e5d01daa2116d6e7d57e5d10b91016f

Download Submit
C:\Windows\SysWOW64\MayaBaby\MayaBabyMain.exe

Filesize
124KB

MD5
ea5427c3d00c38684698462d9fd52e22

SHA1
91a19f7386633af4a502d90189ac174a56add382

SHA256
df2baa664566d64d5bc3fd1e262bc0e49c940e7bab3af3a3c9f99abeea05c898

SHA512
56bd0306e61e7e86e34a0dfff9b570b60a663ff328932ab96c2391a6f1b3c0ddb00940ff79f0ebbed72c2ccd8e9aaa992e5d01daa2116d6e7d57e5d10b91016f

Download Submit
C:\Windows\SysWOW64\MayaBaby\MayaBabySYS.dat

Filesize
3KB

MD5
0d02989bf14431e51de925f7c56d6be9

SHA1
07c365fdd5768aef05c607ff6d368d52bd75c617

SHA256
95765c22df6c1db3b40884650a5d1aa5ca544b02113a9bd7420b6baa4d6bceb8

SHA512
038b1480e29b85f0ece188631e2c05743936a1b827c5b6b5b27cddfc17cd4b3fe98fe13575166060d72784dca0290f790ec15c4a10a1a1cd7c5c5d2d6a98513e

Download Submit
C:\Windows\SysWOW64\me.bat

Filesize
162B

MD5
ab683a22120cb26d2df21d5b31506ca5

SHA1
55ef33fe39c1461e86ed09a5605d9487b2c5b55a

SHA256
93ad45b53a157742a5050d30a06001c98d745344a03279fae4327e932c3d2d09

SHA512
b7a4962611f90fc7f3767d990fcb6ded463c781a402054d91d3422957784858101803bce43a1a47dbb265919e2295f0566be7f2d3337e991f76b812c85f6e42a

Download Submit
C:\Windows\SysWOW64\me.bat

Filesize
162B

MD5
ab683a22120cb26d2df21d5b31506ca5

SHA1
55ef33fe39c1461e86ed09a5605d9487b2c5b55a

SHA256
93ad45b53a157742a5050d30a06001c98d745344a03279fae4327e932c3d2d09

SHA512
b7a4962611f90fc7f3767d990fcb6ded463c781a402054d91d3422957784858101803bce43a1a47dbb265919e2295f0566be7f2d3337e991f76b812c85f6e42a

Download Submit
memory/2088-141-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2088-139-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4676-144-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4676-133-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download