e12ad27e8ff9e6dc9154f1848350d2fa03c9f3c0b3509af18ef3e21176516636

Analysis

max time kernel
189s
max time network
208s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e12ad27e8ff9e6dc9154f1848350d2fa03c9f3c0b3509af18ef3e21176516636.exe
Size

127KB
MD5

7c1e2008ab6d06e9a2884e816c4cce06
SHA1

24f8bd3bcf6d86933e48d03c29c71c5ee0c80a34
SHA256

e12ad27e8ff9e6dc9154f1848350d2fa03c9f3c0b3509af18ef3e21176516636
SHA512

7d130f436c42968a818e2673b2dc9a24acdb858d933b722696ed9b79add19559d8b6994cf226f1741da251e1cb0427de9b9bc9cca8cc34e388fdac29926491df
SSDEEP

3072:Kpga6wBiZjyxz70zURg3tSiZPNe5sXhpMnd8KEc2JN:KpgmBi8F04mDeCwC

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\BITS\Parameters\ServiceDll = "C:\\Windows\\system32\\Uco.Dll"	e12ad27e8ff9e6dc9154f1848350d2fa03c9f3c0b3509af18ef3e21176516636.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Uco.Dll	e12ad27e8ff9e6dc9154f1848350d2fa03c9f3c0b3509af18ef3e21176516636.exe
File opened for modification	C:\Windows\SysWOW64\Uco.Dll	e12ad27e8ff9e6dc9154f1848350d2fa03c9f3c0b3509af18ef3e21176516636.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1852	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3444	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2492	e12ad27e8ff9e6dc9154f1848350d2fa03c9f3c0b3509af18ef3e21176516636.exe
2492	e12ad27e8ff9e6dc9154f1848350d2fa03c9f3c0b3509af18ef3e21176516636.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	e12ad27e8ff9e6dc9154f1848350d2fa03c9f3c0b3509af18ef3e21176516636.exe
Token: SeDebugPrivilege	1852	taskkill.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 1852	2492	e12ad27e8ff9e6dc9154f1848350d2fa03c9f3c0b3509af18ef3e21176516636.exe	83
PID 2492 wrote to memory of 1852	2492	e12ad27e8ff9e6dc9154f1848350d2fa03c9f3c0b3509af18ef3e21176516636.exe	83
PID 2492 wrote to memory of 1852	2492	e12ad27e8ff9e6dc9154f1848350d2fa03c9f3c0b3509af18ef3e21176516636.exe	83
PID 2492 wrote to memory of 864	2492	e12ad27e8ff9e6dc9154f1848350d2fa03c9f3c0b3509af18ef3e21176516636.exe	86
PID 2492 wrote to memory of 864	2492	e12ad27e8ff9e6dc9154f1848350d2fa03c9f3c0b3509af18ef3e21176516636.exe	86
PID 2492 wrote to memory of 864	2492	e12ad27e8ff9e6dc9154f1848350d2fa03c9f3c0b3509af18ef3e21176516636.exe	86
PID 864 wrote to memory of 3444	864	cmd.exe	89
PID 864 wrote to memory of 3444	864	cmd.exe	89
PID 864 wrote to memory of 3444	864	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\e12ad27e8ff9e6dc9154f1848350d2fa03c9f3c0b3509af18ef3e21176516636.exe
"C:\Users\Admin\AppData\Local\Temp\e12ad27e8ff9e6dc9154f1848350d2fa03c9f3c0b3509af18ef3e21176516636.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im 360tray.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ping localhost -n 1 && del "C:\Users\Admin\AppData\Local\Temp\e12ad27e8ff9e6dc9154f1848350d2fa03c9f3c0b3509af18ef3e21176516636.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 1
    3⤵
    - Runs ping.exe
    PID:3444

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1548-134-0x000002C051660000-0x000002C051670000-memory.dmp

Filesize
64KB

Download
memory/1548-136-0x000002C051890000-0x000002C0518A0000-memory.dmp

Filesize
64KB

Download
memory/1548-137-0x000002C053C80000-0x000002C053C84000-memory.dmp

Filesize
16KB

Download