384e0dd39368ed9233fff10c2e8513469296d1861ba4eb20da0c2a7b5d1b30ac

Analysis

max time kernel
144s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29382c4bba18b4edccd83b0e7f36b93d.exe
Size

56KB
MD5

29382c4bba18b4edccd83b0e7f36b93d
SHA1

0616e2086b262e7b36871a9de43b1b54bd49e36c
SHA256

384e0dd39368ed9233fff10c2e8513469296d1861ba4eb20da0c2a7b5d1b30ac
SHA512

84c299d4a57eb441f208edbdd3708c4f440c1a16d520a0863adb93213c5fbc94d8cc6c25da19292d2a899e0d8da49551480c0dafc28bcd475b496f79bb3f98c8
SSDEEP

1536:bKGkpEJF5lYdyzgXZDpwN4rSVKJ8G92Wt5MxijU1Mn:PPXSyzgbwYSJGvdji

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\CelInDriver.sys	29382c4bba18b4edccd83b0e7f36b93d.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CelInDrv\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\CelInDriver.sys"	29382c4bba18b4edccd83b0e7f36b93d.exe

Loads dropped DLL 1 IoCs

pid	Process
4396	29382c4bba18b4edccd83b0e7f36b93d.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\windhcp.ocx	29382c4bba18b4edccd83b0e7f36b93d.exe
File created	C:\Windows\SysWOW64\windhcp.ocx	29382c4bba18b4edccd83b0e7f36b93d.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4396	29382c4bba18b4edccd83b0e7f36b93d.exe
4396	29382c4bba18b4edccd83b0e7f36b93d.exe
4396	29382c4bba18b4edccd83b0e7f36b93d.exe
4396	29382c4bba18b4edccd83b0e7f36b93d.exe
4396	29382c4bba18b4edccd83b0e7f36b93d.exe
4396	29382c4bba18b4edccd83b0e7f36b93d.exe
4396	29382c4bba18b4edccd83b0e7f36b93d.exe
4396	29382c4bba18b4edccd83b0e7f36b93d.exe
4396	29382c4bba18b4edccd83b0e7f36b93d.exe
4396	29382c4bba18b4edccd83b0e7f36b93d.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
4396	29382c4bba18b4edccd83b0e7f36b93d.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4396	29382c4bba18b4edccd83b0e7f36b93d.exe
Token: SeDebugPrivilege	4396	29382c4bba18b4edccd83b0e7f36b93d.exe
Token: SeDebugPrivilege	4396	29382c4bba18b4edccd83b0e7f36b93d.exe
Token: SeLoadDriverPrivilege	4396	29382c4bba18b4edccd83b0e7f36b93d.exe

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 3576	4396	29382c4bba18b4edccd83b0e7f36b93d.exe	53

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3576
- C:\Users\Admin\AppData\Local\Temp\29382c4bba18b4edccd83b0e7f36b93d.exe
  "C:\Users\Admin\AppData\Local\Temp\29382c4bba18b4edccd83b0e7f36b93d.exe"
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\29382c4bba18b4edccd83b0e7f36b93d.exe
    3⤵
    PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\29382c4bba18b4edccd83b0e7f36b93d.dat

Filesize
41KB

MD5
f4a54516194515acefbcf1ddca61930a

SHA1
a24684c2f054c940ecd24ab3ec7298c4759a1e60

SHA256
e5c8d4f983c75f9d474262acb0f369d3810ba4d14bf32311b1b26d36e8a830e9

SHA512
7a920fed669078abfcfdb7b58987160c48c6f3d808fa4a618489518e0a64875581bd6b4c3a7a9141f861e3e2001ff96721e206c115b174fcd090a308be9f99b1

Download Submit
memory/4396-0-0x0000000001800000-0x0000000001816000-memory.dmp

Filesize
88KB

Download
memory/4396-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/4396-4-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/4396-7-0x0000000001800000-0x0000000001816000-memory.dmp

Filesize
88KB

Download
memory/4396-8-0x00000000006B0000-0x00000000006B2000-memory.dmp

Filesize
8KB

Download