afeecdbb6d7d67484194f15f3b62fdf176c26ac98b3ad074d9e0861a4cbd0b63

General

Target

0ee02abbf2a7107306915404b4d6aa93.exe
Size

150KB
MD5

0ee02abbf2a7107306915404b4d6aa93
SHA1

4d12f351845d8cff3143997ee7467d1bf498f714
SHA256

afeecdbb6d7d67484194f15f3b62fdf176c26ac98b3ad074d9e0861a4cbd0b63
SHA512

f3bb009b760edd14a27aa00c90c21782ae075b689acca2ae6e580706e6c11592a6846c61856feee5a4c7f2e11f073ef219166a5224007450bd5f794d633ecad0
SSDEEP

3072:necu88h/2yroutqzAoU+WuKurV9GqZghAs10jLAH:nech8oyroSqvU+WlY8p0jLAH

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2076	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WindowsDriver\Parameters\ServiceDll = "C:\\Windows\\system32\\WindowsDriver.dll"	0ee02abbf2a7107306915404b4d6aa93.exe

Deletes itself 1 IoCs

pid	Process
2840	cmd.exe

Loads dropped DLL 6 IoCs

pid	Process
2392	0ee02abbf2a7107306915404b4d6aa93.exe
2716	svchost.exe
2076	rundll32.exe
2076	rundll32.exe
2076	rundll32.exe
2076	rundll32.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\IEo.txt	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\IEHost2.txt	0ee02abbf2a7107306915404b4d6aa93.exe
File opened for modification	C:\Windows\SysWOW64\IETimes.txt	0ee02abbf2a7107306915404b4d6aa93.exe
File opened for modification	C:\Windows\SysWOW64\WindowsDriver.dll	0ee02abbf2a7107306915404b4d6aa93.exe
File created	C:\Windows\SysWOW64\Uninstall alexa.exe	0ee02abbf2a7107306915404b4d6aa93.exe
File opened for modification	C:\Windows\SysWOW64\IEHost2.txt	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\IETimes.txt	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2392	0ee02abbf2a7107306915404b4d6aa93.exe
Token: SeDebugPrivilege	2716	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2840	2392	0ee02abbf2a7107306915404b4d6aa93.exe	29
PID 2392 wrote to memory of 2840	2392	0ee02abbf2a7107306915404b4d6aa93.exe	29
PID 2392 wrote to memory of 2840	2392	0ee02abbf2a7107306915404b4d6aa93.exe	29
PID 2392 wrote to memory of 2840	2392	0ee02abbf2a7107306915404b4d6aa93.exe	29
PID 2716 wrote to memory of 2076	2716	svchost.exe	30
PID 2716 wrote to memory of 2076	2716	svchost.exe	30
PID 2716 wrote to memory of 2076	2716	svchost.exe	30
PID 2716 wrote to memory of 2076	2716	svchost.exe	30
PID 2716 wrote to memory of 2076	2716	svchost.exe	30
PID 2716 wrote to memory of 2076	2716	svchost.exe	30
PID 2716 wrote to memory of 2076	2716	svchost.exe	30

C:\Users\Admin\AppData\Local\Temp\0ee02abbf2a7107306915404b4d6aa93.exe
"C:\Users\Admin\AppData\Local\Temp\0ee02abbf2a7107306915404b4d6aa93.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0EE02A~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2840

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k WindowsDriver
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe c:\windows\system32\windowsdriver.dll, ServiceMain
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\windowsdriver.dll

Filesize
17.8MB

MD5
52f0624098674298eeedb80bdb38aebc

SHA1
7fa4d8f06bbe176489aa5e79e036ca63d65cc1c6

SHA256
7f0d635d82194de2c57bca4457eb48a0c37a81764cb724db38001c9ecfdd06b6

SHA512
bf4ad8582fe068385f750e326f755d4e7d780e3de7578fba15843a186b3846fda3f0c6b4258fc1f6ff615b2ceae32e1604807daabf0808882a8c5877714180f4

Download Submit
\Windows\SysWOW64\Uninstall alexa.exe

Filesize
5KB

MD5
9bf96f2e3dccb1d57295068cedaae0a5

SHA1
44d5a873f2acf0988877f88ae61e93070ba280b9

SHA256
0ab113aa05ed6326b3e38fec1dc7142ce7764eacd03fa8af4f1f6351d43966e2

SHA512
0077f7ff1fc171d63d6df9c96d7d5836b5762000aeab6ead3d182c2c5097235c57219cef666c0254d63a7542ea67f7d98bfe0d22992f6e2607fd154789e31ce2

Download Submit
\Windows\SysWOW64\WindowsDriver.dll

Filesize
44.2MB

MD5
ded189b87c53b9d1c81a11c41b81cf96

SHA1
279037f8aebda9fdef1046a0c67e63b53545c4e1

SHA256
6bf934ec566a9f48ef9aa1b6a08c4462dda47bf6c07956be798feed77c437888

SHA512
be4df7436b2817a0d244def179d2a56abc0f45765098aa0c4adb75864faa55c03a898a70488efbd18ae97c72cc9ef1cd3e1d05fb3c08811dba81d606bf30b9e2

Download Submit
\Windows\SysWOW64\WindowsDriver.dll

Filesize
3.3MB

MD5
008dfd53236280ca9cbe8c14540809f4

SHA1
90f4a208c280c1c291f63367dc813f196c653629

SHA256
c210382ee9b99d4e9975f0e91ca8d14c198d77c1eb5df4c049f87a49e8646bcd

SHA512
497fd8eb689da9fb47ac6e0c9b7c8eb3612d2c71d0e11831907e2e933d9750fe8933e91b51440be319238a09eb649cca08b617b0668cdecdca0a6baee2cb97bb

Download Submit
\Windows\SysWOW64\WindowsDriver.dll

Filesize
2.6MB

MD5
b04fd48c8347b6ae5169e77b740fd7ea

SHA1
4f50e2436869b42b31c464cbed9b074d25eef233

SHA256
a1c2bfc0de63aa73b1dc20a98b20751afdd457cac63defc18b8b3eb48312dcd2

SHA512
7ffc32d437181371c6655041f0812ac34f21b658df40592a8fed861be9aa9e3717a12bc232ce0f0a0be7a63ac8c73b0424817d9c62753c395031ef418317b2e7

Download Submit
\Windows\SysWOW64\WindowsDriver.dll

Filesize
1.3MB

MD5
13b40b7bbac90764a3c6bbcd89f52c39

SHA1
80e30e64d95ba680f0572a1e34c3400bf4b09bcd

SHA256
5ce3457981abbf1aafb1f5c64cbb67a3ce88e5ec6965bddddeff0ec104344b55

SHA512
a54455ac10fb1d29a70ccfddf6ab915e4fd980c0b19804bbde8432f580b2a92d55b84d233a114e099ccde2d289b5b62550bb93b461dfd04c9e6ab702633811a2

Download Submit
\Windows\SysWOW64\WindowsDriver.dll

Filesize
1.5MB

MD5
6e55413898d53c2ad1bc808686b546df

SHA1
d05785ab3fb8c291f6cf6fea2783c9b742e685ba

SHA256
78a95bc034f6575136d13e6fd27cbacf4f6403465b450838331a04d3a3e98e9f

SHA512
ed98344146cc5c6744a67e542f0487aada855ae2bcc847cf2c87142f935cc0a19192f948f2e7c8dd55dceef86c8ce44e8569e481af59b26413b2d3ca428123ee

Download Submit
memory/2076-28-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download
memory/2076-18-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download
memory/2392-9-0x0000000000B10000-0x0000000000B5E000-memory.dmp

Filesize
312KB

Download
memory/2392-0-0x0000000000B10000-0x0000000000B5E000-memory.dmp

Filesize
312KB

Download
memory/2716-12-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download
memory/2716-11-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads