afeecdbb6d7d67484194f15f3b62fdf176c26ac98b3ad074d9e0861a4cbd0b63

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ee02abbf2a7107306915404b4d6aa93.exe
Size

150KB
MD5

0ee02abbf2a7107306915404b4d6aa93
SHA1

4d12f351845d8cff3143997ee7467d1bf498f714
SHA256

afeecdbb6d7d67484194f15f3b62fdf176c26ac98b3ad074d9e0861a4cbd0b63
SHA512

f3bb009b760edd14a27aa00c90c21782ae075b689acca2ae6e580706e6c11592a6846c61856feee5a4c7f2e11f073ef219166a5224007450bd5f794d633ecad0
SSDEEP

3072:necu88h/2yroutqzAoU+WuKurV9GqZghAs10jLAH:nech8oyroSqvU+WlY8p0jLAH

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
54	1480	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WindowsDriver\Parameters\ServiceDll = "C:\\Windows\\system32\\WindowsDriver.dll"	0ee02abbf2a7107306915404b4d6aa93.exe

Loads dropped DLL 2 IoCs

pid	Process
3300	svchost.exe
1480	rundll32.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Uninstall alexa.exe	0ee02abbf2a7107306915404b4d6aa93.exe
File opened for modification	C:\Windows\SysWOW64\IEHost2.txt	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\IETimes.txt	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\IEo.txt	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\IEHost2.txt	0ee02abbf2a7107306915404b4d6aa93.exe
File opened for modification	C:\Windows\SysWOW64\IETimes.txt	0ee02abbf2a7107306915404b4d6aa93.exe
File opened for modification	C:\Windows\SysWOW64\WindowsDriver.dll	0ee02abbf2a7107306915404b4d6aa93.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2796	0ee02abbf2a7107306915404b4d6aa93.exe
Token: SeDebugPrivilege	3300	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 3500	2796	0ee02abbf2a7107306915404b4d6aa93.exe	91
PID 2796 wrote to memory of 3500	2796	0ee02abbf2a7107306915404b4d6aa93.exe	91
PID 2796 wrote to memory of 3500	2796	0ee02abbf2a7107306915404b4d6aa93.exe	91
PID 3300 wrote to memory of 1480	3300	svchost.exe	101
PID 3300 wrote to memory of 1480	3300	svchost.exe	101
PID 3300 wrote to memory of 1480	3300	svchost.exe	101

C:\Users\Admin\AppData\Local\Temp\0ee02abbf2a7107306915404b4d6aa93.exe
"C:\Users\Admin\AppData\Local\Temp\0ee02abbf2a7107306915404b4d6aa93.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0EE02A~1.EXE > nul
  2⤵
  PID:3500

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k WindowsDriver
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe c:\windows\system32\windowsdriver.dll, ServiceMain
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\WindowsDriver.dll

Filesize
382KB

MD5
26d1154e60a04dc09acea874e5be54bb

SHA1
a43cb7813bea35e0280cf3194b5247a8dbe92e8f

SHA256
191f5782ada6edd0f46267eac499f17377fcba4882e816a977080f06ee15ae1b

SHA512
9858c4ddaedf9be2bd09cde3cdbed5b81a106e8919f0e8715bea8d072036ff00fd0ece33821054f746a4ee0c4ca3d813dbac2d69cf84cd09dba89dc8522d4a72

Download Submit
C:\Windows\SysWOW64\WindowsDriver.dll

Filesize
1.6MB

MD5
08263fad57ab4fcbdc6416ffcb4ea0a1

SHA1
eab5a43da8c4630f0d962e3875737558f83a1810

SHA256
b5666b7f0ad3349979f2f973a9fba4896342c8c538ade51a86cf04a77b4989a2

SHA512
dec01b6c20ac9a567c59a209ec1b38f3c123374aae8240a4290386370f5aa518ea0378d864bd7b250f3bec7659024778e7ca857938d1a594a6f369beba1d1a9b

Download Submit
\??\c:\windows\SysWOW64\windowsdriver.dll

Filesize
1.9MB

MD5
bb83a519b9909775ba2f6ddcee2464d1

SHA1
755ed5aa520f4f719e592840ac41e098f7051a86

SHA256
4ff4de0e34b6bbc6269a5362cd8238d81fdf88cc534b56e19da56c13f6076149

SHA512
ea03721f70425fcc00981c336934f80da00e74ed78a554d13be8b3dd7221b6edce5c7ade5b34a1510cbe8ec0177f91b49e37baf8e2d0d42fac2a537bc0ad2a2f

Download Submit
memory/1480-13-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download
memory/2796-0-0x0000000000D00000-0x0000000000D4E000-memory.dmp

Filesize
312KB

Download
memory/2796-8-0x0000000000D00000-0x0000000000D4E000-memory.dmp

Filesize
312KB

Download
memory/3300-10-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download
memory/3300-12-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads