3ce29e0042c612438e9d694a7b8a66399f1367cc84911fc5cfaa52bbc72afd89

General

Target

3ce29e0042c612438e9d694a7b8a66399f1367cc84911fc5cfaa52bbc72afd89.exe
Size

580KB
MD5

00f0cdcca1cda1ee6ce6d6672506ec50
SHA1

bec4b890460e03e731e48ae4c772adc019a7f4c7
SHA256

3ce29e0042c612438e9d694a7b8a66399f1367cc84911fc5cfaa52bbc72afd89
SHA512

88a2e74419ae2f2f1778ba5568b7731a02f7773d7c25f5deee71553a68a1f4223f27b367ce5bde09532c848230345a37205c5479760e5837cbc42ee3a690076a
SSDEEP

12288:jWph2x7Drf4EJRlDOVocKkaWJdacQfaTHIPT9Maj:jWX29D0cRMCKPJcfazIPe

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3012	elevation_service.exe
4808	elevation_service.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\alg.exe	3ce29e0042c612438e9d694a7b8a66399f1367cc84911fc5cfaa52bbc72afd89.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	3ce29e0042c612438e9d694a7b8a66399f1367cc84911fc5cfaa52bbc72afd89.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	3ce29e0042c612438e9d694a7b8a66399f1367cc84911fc5cfaa52bbc72afd89.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	3ce29e0042c612438e9d694a7b8a66399f1367cc84911fc5cfaa52bbc72afd89.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	3ce29e0042c612438e9d694a7b8a66399f1367cc84911fc5cfaa52bbc72afd89.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	3ce29e0042c612438e9d694a7b8a66399f1367cc84911fc5cfaa52bbc72afd89.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	3ce29e0042c612438e9d694a7b8a66399f1367cc84911fc5cfaa52bbc72afd89.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	3ce29e0042c612438e9d694a7b8a66399f1367cc84911fc5cfaa52bbc72afd89.exe
File created	\??\c:\windows\system32\Appvclient.vir	3ce29e0042c612438e9d694a7b8a66399f1367cc84911fc5cfaa52bbc72afd89.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	3ce29e0042c612438e9d694a7b8a66399f1367cc84911fc5cfaa52bbc72afd89.exe
File created	\??\c:\windows\system32\fxssvc.vir	3ce29e0042c612438e9d694a7b8a66399f1367cc84911fc5cfaa52bbc72afd89.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	3ce29e0042c612438e9d694a7b8a66399f1367cc84911fc5cfaa52bbc72afd89.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	3ce29e0042c612438e9d694a7b8a66399f1367cc84911fc5cfaa52bbc72afd89.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	3ce29e0042c612438e9d694a7b8a66399f1367cc84911fc5cfaa52bbc72afd89.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	3ce29e0042c612438e9d694a7b8a66399f1367cc84911fc5cfaa52bbc72afd89.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	3ce29e0042c612438e9d694a7b8a66399f1367cc84911fc5cfaa52bbc72afd89.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.vir	3ce29e0042c612438e9d694a7b8a66399f1367cc84911fc5cfaa52bbc72afd89.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	3ce29e0042c612438e9d694a7b8a66399f1367cc84911fc5cfaa52bbc72afd89.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	3ce29e0042c612438e9d694a7b8a66399f1367cc84911fc5cfaa52bbc72afd89.exe
File created	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.vir	3ce29e0042c612438e9d694a7b8a66399f1367cc84911fc5cfaa52bbc72afd89.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	3ce29e0042c612438e9d694a7b8a66399f1367cc84911fc5cfaa52bbc72afd89.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	3ce29e0042c612438e9d694a7b8a66399f1367cc84911fc5cfaa52bbc72afd89.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1332	3012	WerFault.exe	88

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1152	3ce29e0042c612438e9d694a7b8a66399f1367cc84911fc5cfaa52bbc72afd89.exe

C:\Users\Admin\AppData\Local\Temp\3ce29e0042c612438e9d694a7b8a66399f1367cc84911fc5cfaa52bbc72afd89.exe
"C:\Users\Admin\AppData\Local\Temp\3ce29e0042c612438e9d694a7b8a66399f1367cc84911fc5cfaa52bbc72afd89.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3012
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3012 -s 392
  2⤵
  - Program crash
  PID:1332

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 3012 -ip 3012
1⤵
PID:1240

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4808

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 4808 -ip 4808
1⤵
PID:3560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0ad0d2baf073153e8a3ff8fd873f9767

SHA1
7b5988801af75576be8a6ef664f67f6a9b400cad

SHA256
2cfe7904d8a2c4474e91ba4f093e87671959e53cd06d1a64e64d51d607cf346d

SHA512
fead6a7937ed39202f231911e9f53c21799d1fc673e75cde1b25119608bc91dc0f24e8109d8eb0d949ad4540cc42ed7d38eff945a9679c67fc538f4ce53adf8b

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
1.9MB

MD5
23c2bfd28fa53acf8263cb37ada629e3

SHA1
1518c8bd2e407319cfb6b621e16fc553af1f4bc7

SHA256
ce1d7d5e9fd8c6db014197c2a8a936a68627351ec93a3f115ae8502c203efd15

SHA512
dfb38f45555e873713a6abd08ac5c07f72156f2bfdbf8ec872b0a14a77e761416c806ba0dd82bca312671473ee4b30cf6ac5e3c7197f3435d3da247cd88d71ab

Download Submit
memory/1152-132-0x0000000001000000-0x00000000011AC000-memory.dmp

Filesize
1.7MB

Download
memory/1152-133-0x0000000001000000-0x00000000011AC000-memory.dmp

Filesize
1.7MB

Download
memory/1152-134-0x0000000001000000-0x00000000011AC000-memory.dmp

Filesize
1.7MB

Download
memory/1152-135-0x0000000001000000-0x00000000011AC000-memory.dmp

Filesize
1.7MB

Download
memory/3012-137-0x0000000140000000-0x0000000140343000-memory.dmp

Filesize
3.3MB

Download
memory/3012-138-0x0000000140000000-0x0000000140343000-memory.dmp

Filesize
3.3MB

Download
memory/4808-140-0x0000000140000000-0x0000000140360000-memory.dmp

Filesize
3.4MB

Download
memory/4808-141-0x0000000140000000-0x0000000140360000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing