aaf50e6f0272b4e4d6b529fe4e9cf7aec76f528fd08de33b369338e375990ba0

Analysis

max time kernel
167s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 05:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

29f792215a50cdfcdb62c11d08ba98e5.exe
Size

73KB
MD5

29f792215a50cdfcdb62c11d08ba98e5
SHA1

83cc68d6845c35a0af6f8f5a7ffb4ed0b5324311
SHA256

aaf50e6f0272b4e4d6b529fe4e9cf7aec76f528fd08de33b369338e375990ba0
SHA512

ad2b31cb4d50d94434430ea42e58143723f0dbb74069445a3d4a0eb774bcf5f41110d3d10764fad5d680b3d18a69975729d2e0d8d3887e186fe4bd4206a9b3ea
SSDEEP

1536:CulqLQITOlj3wkreF6olBmmo1xrnNfCCAGOsz4Ni4gURX:jmFTORAkI6OfqtNfHAYiRX

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\svch0st_.exe"	29f792215a50cdfcdb62c11d08ba98e5.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"	WaaSMedicAgent.exe

Executes dropped EXE 1 IoCs

pid	Process
2700	svch0st_.exe

Loads dropped DLL 2 IoCs

pid	Process
2700	svch0st_.exe
2700	svch0st_.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\svch0st_.exe	29f792215a50cdfcdb62c11d08ba98e5.exe
File opened for modification	C:\Windows\svch0st_.exe	29f792215a50cdfcdb62c11d08ba98e5.exe
File opened for modification	C:\Windows\lsas.bmp	svch0st_.exe
File created	C:\Windows\lsas.bmp	svch0st_.exe
File created	C:\Windows\Deleteme.bat	29f792215a50cdfcdb62c11d08ba98e5.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4732	29f792215a50cdfcdb62c11d08ba98e5.exe
4732	29f792215a50cdfcdb62c11d08ba98e5.exe
4732	29f792215a50cdfcdb62c11d08ba98e5.exe
4732	29f792215a50cdfcdb62c11d08ba98e5.exe
4732	29f792215a50cdfcdb62c11d08ba98e5.exe
4732	29f792215a50cdfcdb62c11d08ba98e5.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe
2700	svch0st_.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2700	svch0st_.exe
2700	svch0st_.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 2700	4732	29f792215a50cdfcdb62c11d08ba98e5.exe	89
PID 4732 wrote to memory of 2700	4732	29f792215a50cdfcdb62c11d08ba98e5.exe	89
PID 4732 wrote to memory of 2700	4732	29f792215a50cdfcdb62c11d08ba98e5.exe	89
PID 4732 wrote to memory of 4616	4732	29f792215a50cdfcdb62c11d08ba98e5.exe	90
PID 4732 wrote to memory of 4616	4732	29f792215a50cdfcdb62c11d08ba98e5.exe	90
PID 4732 wrote to memory of 4616	4732	29f792215a50cdfcdb62c11d08ba98e5.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\29f792215a50cdfcdb62c11d08ba98e5.exe
"C:\Users\Admin\AppData\Local\Temp\29f792215a50cdfcdb62c11d08ba98e5.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Windows\svch0st_.exe
  C:\Windows\svch0st_.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\Deleteme.bat
  2⤵
  PID:4616

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe f6e336a73dfe4abb7afc4241d89611c3 kLq8WKRtsU6KH33IX4t+gQ.0.1.0.0.0
1⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
PID:3812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Deleteme.bat

Filesize
184B

MD5
b0f9b47ef66ceeb5a94f0b2bd3ca7243

SHA1
9a3973a6269c4a24798a644afd015e3d79b18207

SHA256
0d77b2afdd547d33109afc36a978a75f500bbef8266055c83f552f97dd68e6c6

SHA512
433e2d20075a97fb9ada4f3282c38aa5b3ffed29e87a0eabba1c8578815957a51afd30bd50b00feaae24c77f3d02528f4f091a102c8452953d3af4f671136d73

Download Submit
C:\Windows\lsas.bmp

Filesize
53KB

MD5
26b08cd05a658802e24278719c24063e

SHA1
9d6efcae49af71a74b0a5b562c881b5e596dcddf

SHA256
506250d0adc08248914baf424a5939f1eb59ed28c8c8536b5358b6033ecd754e

SHA512
a86bbc18cbb2a905dc7db4b988e3de0de589c81389287832d7cc9bb4e06712efb170f72db38fa5e57d244fb26a7c0a93b7f5f74d42f58bf04561de9155e09918

Download Submit
C:\Windows\svch0st_.exe

Filesize
73KB

MD5
29f792215a50cdfcdb62c11d08ba98e5

SHA1
83cc68d6845c35a0af6f8f5a7ffb4ed0b5324311

SHA256
aaf50e6f0272b4e4d6b529fe4e9cf7aec76f528fd08de33b369338e375990ba0

SHA512
ad2b31cb4d50d94434430ea42e58143723f0dbb74069445a3d4a0eb774bcf5f41110d3d10764fad5d680b3d18a69975729d2e0d8d3887e186fe4bd4206a9b3ea

Download Submit
memory/2700-15-0x00000000004A0000-0x00000000004B1000-memory.dmp

Filesize
68KB

Download
memory/2700-27-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/2700-34-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2700-35-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/4732-1-0x00000000005B0000-0x00000000005C1000-memory.dmp

Filesize
68KB

Download
memory/4732-10-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download