f0e5b9c6a534f8752fa8912a5e53633f2ad8f3d94ff6dc5db1ad3b8044cff8bf

Analysis

max time kernel
132s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0e5b9c6a534f8752fa8912a5e53633f2ad8f3d94ff6dc5db1ad3b8044cff8bf.exe
Size

46KB
MD5

86e9b319b35595196d4410e818c6f083
SHA1

32dc7654b04605317772ec62c4d9451aefcbd81c
SHA256

f0e5b9c6a534f8752fa8912a5e53633f2ad8f3d94ff6dc5db1ad3b8044cff8bf
SHA512

89c90db94c600c79f4ff66f6386629891b309fe9311d713f90f240af74f8951574769bae2e8bce96ea0dcda8c597237f28ce6f12574401fbdccafa482822c6cf
SSDEEP

768:j4s7OA+LgejptQwAdIKioQNmch3wynFYNrCgSSEARs091pVv6:jLOPpA9iF1AL+gSSEARs0Hv6

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\CelInDriver.sys	f0e5b9c6a534f8752fa8912a5e53633f2ad8f3d94ff6dc5db1ad3b8044cff8bf.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\CelInDrv\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\CelInDriver.sys"	f0e5b9c6a534f8752fa8912a5e53633f2ad8f3d94ff6dc5db1ad3b8044cff8bf.exe

Loads dropped DLL 1 IoCs

pid	Process
2040	f0e5b9c6a534f8752fa8912a5e53633f2ad8f3d94ff6dc5db1ad3b8044cff8bf.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\windhcp.ocx	f0e5b9c6a534f8752fa8912a5e53633f2ad8f3d94ff6dc5db1ad3b8044cff8bf.exe
File opened for modification	C:\Windows\SysWOW64\windhcp.ocx	f0e5b9c6a534f8752fa8912a5e53633f2ad8f3d94ff6dc5db1ad3b8044cff8bf.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2040	f0e5b9c6a534f8752fa8912a5e53633f2ad8f3d94ff6dc5db1ad3b8044cff8bf.exe
2040	f0e5b9c6a534f8752fa8912a5e53633f2ad8f3d94ff6dc5db1ad3b8044cff8bf.exe
2040	f0e5b9c6a534f8752fa8912a5e53633f2ad8f3d94ff6dc5db1ad3b8044cff8bf.exe
2040	f0e5b9c6a534f8752fa8912a5e53633f2ad8f3d94ff6dc5db1ad3b8044cff8bf.exe
2040	f0e5b9c6a534f8752fa8912a5e53633f2ad8f3d94ff6dc5db1ad3b8044cff8bf.exe
2040	f0e5b9c6a534f8752fa8912a5e53633f2ad8f3d94ff6dc5db1ad3b8044cff8bf.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2040	f0e5b9c6a534f8752fa8912a5e53633f2ad8f3d94ff6dc5db1ad3b8044cff8bf.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	f0e5b9c6a534f8752fa8912a5e53633f2ad8f3d94ff6dc5db1ad3b8044cff8bf.exe
Token: SeDebugPrivilege	2040	f0e5b9c6a534f8752fa8912a5e53633f2ad8f3d94ff6dc5db1ad3b8044cff8bf.exe
Token: SeDebugPrivilege	2040	f0e5b9c6a534f8752fa8912a5e53633f2ad8f3d94ff6dc5db1ad3b8044cff8bf.exe
Token: SeLoadDriverPrivilege	2040	f0e5b9c6a534f8752fa8912a5e53633f2ad8f3d94ff6dc5db1ad3b8044cff8bf.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1248	2040	f0e5b9c6a534f8752fa8912a5e53633f2ad8f3d94ff6dc5db1ad3b8044cff8bf.exe	17
PID 2040 wrote to memory of 1272	2040	f0e5b9c6a534f8752fa8912a5e53633f2ad8f3d94ff6dc5db1ad3b8044cff8bf.exe	28
PID 2040 wrote to memory of 1272	2040	f0e5b9c6a534f8752fa8912a5e53633f2ad8f3d94ff6dc5db1ad3b8044cff8bf.exe	28
PID 2040 wrote to memory of 1272	2040	f0e5b9c6a534f8752fa8912a5e53633f2ad8f3d94ff6dc5db1ad3b8044cff8bf.exe	28
PID 2040 wrote to memory of 1272	2040	f0e5b9c6a534f8752fa8912a5e53633f2ad8f3d94ff6dc5db1ad3b8044cff8bf.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248
- C:\Users\Admin\AppData\Local\Temp\f0e5b9c6a534f8752fa8912a5e53633f2ad8f3d94ff6dc5db1ad3b8044cff8bf.exe
  "C:\Users\Admin\AppData\Local\Temp\f0e5b9c6a534f8752fa8912a5e53633f2ad8f3d94ff6dc5db1ad3b8044cff8bf.exe"
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\f0e5b9c6a534f8752fa8912a5e53633f2ad8f3d94ff6dc5db1ad3b8044cff8bf.exe
    3⤵
    PID:1272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\f0e5b9c6a534f8752fa8912a5e53633f2ad8f3d94ff6dc5db1ad3b8044cff8bf.dat

Filesize
41KB

MD5
9c1cab88d46c8b42fb3d6aa41ee2f19c

SHA1
c8bff88e564003c27e19f82511be212c0bad7c1a

SHA256
d104f46ed8d195308345ef236ec04715cd5be2a1ce55bf5b859f87429f77c23e

SHA512
ee5abc904b4064172034072c33d93edc8abfd220741ecfeb1c067b074bec5ce6651a98f77b7a7192e2866e80f995978dbe26a949344e30b2568a04eea4521a97

Download Submit
memory/2040-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2040-57-0x0000000000230000-0x000000000024C000-memory.dmp

Filesize
112KB

Download
memory/2040-58-0x0000000000230000-0x000000000024C000-memory.dmp

Filesize
112KB

Download