2c9cfc5a90131a5ea58a412c4f58994f739110f041325cfed3a80d482f5345fa

Analysis

max time kernel
138s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dbae335cec36530adfeedf92be6bcbc.exe
Size

184KB
MD5

0dbae335cec36530adfeedf92be6bcbc
SHA1

992aa3f8030e49c173d8e938b7e90389edc446ee
SHA256

2c9cfc5a90131a5ea58a412c4f58994f739110f041325cfed3a80d482f5345fa
SHA512

8a17300468ce35beae3de2448e99b8d83310d64be14d12a2deb58a2d26275e5ca416c76eb81b695927d71fd0b36a3e49a44a6a0d67b33fc9c743b8e65d1b1e99
SSDEEP

3072:1YeYFacsza2Pgl+AHcz+z85Z0Lp5+Bh+pMo0y7yxLyBIjXAGqC:1YepGQgsBK85Z0LpYBhIExLIC

Score

7^/10

persistence

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	0dbae335cec36530adfeedf92be6bcbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	0dbae335cec36530adfeedf92be6bcbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{4732b980-f267-194e-c6fc-e0414fbbade7}\\n."	0dbae335cec36530adfeedf92be6bcbc.exe

Unexpected DNS network traffic destination 8 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	194.50.116.54
Destination IP	194.50.116.54
Destination IP	194.50.116.54
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	66.85.130.234
Destination IP	194.50.116.54
Destination IP	66.85.130.234

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	0dbae335cec36530adfeedf92be6bcbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{4732b980-f267-194e-c6fc-e0414fbbade7}\\n."	0dbae335cec36530adfeedf92be6bcbc.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\clsid	0dbae335cec36530adfeedf92be6bcbc.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}	0dbae335cec36530adfeedf92be6bcbc.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	0dbae335cec36530adfeedf92be6bcbc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4440	0dbae335cec36530adfeedf92be6bcbc.exe
4440	0dbae335cec36530adfeedf92be6bcbc.exe
4440	0dbae335cec36530adfeedf92be6bcbc.exe
4440	0dbae335cec36530adfeedf92be6bcbc.exe
4440	0dbae335cec36530adfeedf92be6bcbc.exe
4440	0dbae335cec36530adfeedf92be6bcbc.exe
4440	0dbae335cec36530adfeedf92be6bcbc.exe
4440	0dbae335cec36530adfeedf92be6bcbc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4440	0dbae335cec36530adfeedf92be6bcbc.exe
Token: SeDebugPrivilege	4440	0dbae335cec36530adfeedf92be6bcbc.exe
Token: SeDebugPrivilege	4440	0dbae335cec36530adfeedf92be6bcbc.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3460	Explorer.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 3460	4440	0dbae335cec36530adfeedf92be6bcbc.exe	49
PID 4440 wrote to memory of 3460	4440	0dbae335cec36530adfeedf92be6bcbc.exe	49

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:3460
- C:\Users\Admin\AppData\Local\Temp\0dbae335cec36530adfeedf92be6bcbc.exe
  "C:\Users\Admin\AppData\Local\Temp\0dbae335cec36530adfeedf92be6bcbc.exe"
  2⤵
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3460-3-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/3460-6-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/3460-8-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/4440-1-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4440-2-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/4440-7-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download