Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/12/2023, 20:41

General

  • Target

    03700cbd2577f4ea42124ae956438f89.exe

  • Size

    26KB

  • MD5

    03700cbd2577f4ea42124ae956438f89

  • SHA1

    6d860e28d28d37897bb8add4e762fc21db149d9e

  • SHA256

    addfa311eabf3be46876bd0eff80ddd4dd0b6afc505b23f08d40798080f5c537

  • SHA512

    9f6d4ed72194b43ebf6c11c0bb390dd66939e0d151f15c375308e674db68942ce2a8277845bf69c07f5e53bb6b4328a191a7f83bbe5b423b210e454b35c686bf

  • SSDEEP

    768:vbwBerYmMSgB/lQZs6gr4R6zKToeGyEY02UmPI5UUPeukukuI:zwBeMlJdoIr4bGyi+rP

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 8 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
    PID:816

  • C:\Users\Admin\AppData\Local\Temp\03700cbd2577f4ea42124ae956438f89.exe
    "C:\Users\Admin\AppData\Local\Temp\03700cbd2577f4ea42124ae956438f89.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2408

    • C:\Windows\SysWOW64\NET.exe
      NET STOP Beep
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:564

      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP Beep
        3⤵
        PID:3412

    • C:\Windows\SysWOW64\NET.exe
      NET START Beep
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3264

      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 START Beep
        3⤵
        PID:1280

    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\system32\me.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4720

      • C:\Windows\SysWOW64\attrib.exe
        attrib -h -s -r -a C:\Windows\system32\me.bat
        3⤵
        • Drops file in System32 directory
        • Views/modifies file attributes
        PID:3232

  • C:\Windows\MayaBaby\MayaBabyMain.exe
    C:\Windows\MayaBaby\MayaBabyMain.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3636
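The tree shows the sequence a hunter would want to alert on: the sample (PID 2408) writes into the drivers directory, then runs NET STOP Beep and NET START Beep from the same parent, which is how a replaced beep.sys gets loaded by the Service Control Manager (the report's "Suspicious behavior: LoadsDriver" signature), and MayaBabyMain.exe later appears as a top-level process rather than as a child of the sample. The following Python is an added example, not part of the sandbox report or of the sample: it runs a detection for that drop-then-stop/start pattern over constructed Sysmon-style events (EID 11 FileCreate, EID 1 ProcessCreate) modelled on this tree, with a benign Spooler restart included as noise, and matches file-create hashes against the dropped-file MD5s listed in this report. The event records and their field names are assumptions for the example.

```python
"""Detection for the driver-replacement sequence in the process tree above.

Added example, not code from the sandbox report or from the sample. The
events below are constructed Sysmon-style records (EID 1 ProcessCreate,
EID 11 FileCreate) modelled on the tree; field names are an assumption.
"""
import re
from collections import defaultdict

# Dropped-file MD5s as listed in this report (lower-cased path -> md5).
REPORT_IOCS = {
    r"c:\windows\syswow64\drivers\beep.sys": "34b58d3df160986141117799dd8920c9",
    r"c:\windows\syswow64\me.bat": "bb7c20ec76af354aede4ff2144151631",
    r"c:\windows\mayababy\mayababymain.exe": "03700cbd2577f4ea42124ae956438f89",
    r"c:\windows\mayababy\mayababydll.dat": "8908f4012fbb197175e1f59f20385a33",
}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\03700cbd2577f4ea42124ae956438f89.exe"

# Constructed events (PIDs and command lines taken from the tree; the
# Spooler restart under PID 9000 is benign noise to show it is not flagged).
EVENTS = [
    {"eid": 11, "pid": 2408, "image": SAMPLE,
     "target": r"C:\Windows\SysWOW64\drivers\beep.sys",
     "md5": "34b58d3df160986141117799dd8920c9"},
    {"eid": 1, "pid": 564, "ppid": 2408, "image": r"C:\Windows\SysWOW64\NET.exe",
     "cmdline": "NET STOP Beep"},
    {"eid": 1, "pid": 3264, "ppid": 2408, "image": r"C:\Windows\SysWOW64\NET.exe",
     "cmdline": "NET START Beep"},
    {"eid": 11, "pid": 2408, "image": SAMPLE,
     "target": r"C:\Windows\SysWOW64\me.bat",
     "md5": "bb7c20ec76af354aede4ff2144151631"},
    {"eid": 1, "pid": 4720, "ppid": 2408, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Windows\system32\me.bat"},
    {"eid": 1, "pid": 3232, "ppid": 4720, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r"attrib -h -s -r -a C:\Windows\system32\me.bat"},
    {"eid": 1, "pid": 9001, "ppid": 9000, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop Spooler"},
    {"eid": 1, "pid": 9002, "ppid": 9000, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net start Spooler"},
]

# Matches "NET STOP Beep", "net1 start Beep" and "C:\...\net.exe stop x".
NET_RE = re.compile(r"(?:^|\\)net1?(?:\.exe)?\s+(stop|start)\s+(\S+)", re.IGNORECASE)


def driver_writes(events):
    """pid -> list of *.sys paths that process created under a drivers directory."""
    writes = defaultdict(list)
    for e in events:
        target = e.get("target", "").lower()
        if e["eid"] == 11 and "\\drivers\\" in target and target.endswith(".sys"):
            writes[e["pid"]].append(e["target"])
    return writes


def service_actions(events):
    """(parent pid, service name) -> set of net.exe actions that parent issued."""
    actions = defaultdict(set)
    for e in events:
        if e["eid"] != 1:
            continue
        m = NET_RE.search(e.get("cmdline", ""))
        if m:
            actions[(e["ppid"], m.group(2).lower())].add(m.group(1).lower())
    return actions


def detect_driver_hijack(events):
    """Flag a parent that wrote a *.sys into a drivers directory and then
    stop+started a service named after that driver (the Beep sequence above)."""
    writes = driver_writes(events)
    hits = []
    for (ppid, service), acts in service_actions(events).items():
        if not {"stop", "start"} <= acts:
            continue
        for path in writes.get(ppid, []):
            driver = path.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
            if driver == service:
                hits.append({"pid": ppid, "service": service, "driver": path})
    return hits


def match_report_iocs(events):
    """File-create events whose path and MD5 match a dropped file from this report."""
    return [e for e in events
            if e["eid"] == 11 and REPORT_IOCS.get(e["target"].lower()) == e.get("md5")]


if __name__ == "__main__":
    for hit in detect_driver_hijack(EVENTS):
        print("driver hijack:", hit)
    for e in match_report_iocs(EVENTS):
        print("known dropped file:", e["target"], e["md5"])
```

The hijack rule keys on the parent PID so that the two separate NET.exe children are tied back to the process that wrote the driver; a stop without a matching start, or a stop/start with no prior driver write from that parent (the Spooler case), does not fire. The hash match is the narrow, sample-specific check; the behavioural rule is the one that survives a recompiled driver.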

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\MayaBaby\MayaBabyDll.dat
    Filesize 18KB
    MD5 8908f4012fbb197175e1f59f20385a33
    SHA1 bdb5b3226d5edfa9de5f22fbd457e5ab6d62d10b
    SHA256 2389c45e0c6c0784a131ab2f4c5c794a06d8630f48ff14ed223b06a6d3f99034
    SHA512 a73894a22bd6489dc455bc45c5bf8e094ed7fb2cd477b26810d0ede4af8862be1946a27195e74f50571f41c2b6e9d36b8c5a178b6b01a9e0f66f32b66064c931

  • C:\Windows\MayaBaby\MayaBabyMain.exe
    Filesize 26KB
    MD5 03700cbd2577f4ea42124ae956438f89
    SHA1 6d860e28d28d37897bb8add4e762fc21db149d9e
    SHA256 addfa311eabf3be46876bd0eff80ddd4dd0b6afc505b23f08d40798080f5c537
    SHA512 9f6d4ed72194b43ebf6c11c0bb390dd66939e0d151f15c375308e674db68942ce2a8277845bf69c07f5e53bb6b4328a191a7f83bbe5b423b210e454b35c686bf

  • C:\Windows\SysWOW64\drivers\beep.sys
    Filesize 4KB
    MD5 34b58d3df160986141117799dd8920c9
    SHA1 67c3725081faa5d20d7217ee79151867f3703f81
    SHA256 b1c73ae97c1bac2d822c8e4bfcc37b15644a780ec8904974a8239f312a1049d8
    SHA512 1289e14c83ff8da9680d955101fbca7301666a10714c22bad0b146d15ce09aa53e04611d5380548c426ee8162482f31e38e0e55c115fa9aac822c32cce1678f0

  • C:\Windows\SysWOW64\me.bat
    Filesize 130B
    MD5 bb7c20ec76af354aede4ff2144151631
    SHA1 aac9ac901b7739b44a974384b0dcf57e227154c1
    SHA256 cfe9177f7001f8027de60bb3e87b64ead92fe0ae0d6ccb00f9e96bf10cbd4b30
    SHA512 605dc2620eb4ee691f6c8d0d947a82525ced4d32b13a2c121f22177910bf33905ed4ba96a27fafd74cb455092537c361290b3639ec49678a43f35573869fe609

  • memory/2408-11-0x0000000010000000-0x0000000010019000-memory.dmp
    Filesize 100KB

  • memory/2408-24-0x0000000010000000-0x0000000010019000-memory.dmp
    Filesize 100KB

  • memory/3636-21-0x0000000010000000-0x0000000010019000-memory.dmp
    Filesize 100KB

  • memory/3636-25-0x0000000010000000-0x0000000010019000-memory.dmp
    Filesize 100KB