d7d5e85f971b27d98700879abdd63c98e842db607966c9792bdba810acec3b3d

Analysis

max time kernel
158s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2024 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7167e8ce42ef37c1aecb1449acdb2fa9.exe
Size

445KB
MD5

7167e8ce42ef37c1aecb1449acdb2fa9
SHA1

cca6ba5ef36a24fd767b6a2e1d2fa77ab7e827eb
SHA256

d7d5e85f971b27d98700879abdd63c98e842db607966c9792bdba810acec3b3d
SHA512

5a3d77087594727daba61b5c77cca926a125d67124776fca4287bc1f1041ac35e0a48098fd0efcd901923d1938d2cf98d7ffe3ea689a97271de94c41c7b20fc6
SSDEEP

6144:yA8u1rX7YsuEtPaqYYIJ4m/a5iULyptqCeGn4tmiFQBDO86V/hl1UsVwfXpgGVN2:d8uFXp3Pa10240iuBNGhl1ULr

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"	WaaSMedicAgent.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7167e8ce42ef37c1aecb1449acdb2fa9.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7167e8ce42ef37c1aecb1449acdb2fa9.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7167e8ce42ef37c1aecb1449acdb2fa9.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7167e8ce42ef37c1aecb1449acdb2fa9.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7167e8ce42ef37c1aecb1449acdb2fa9.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7167e8ce42ef37c1aecb1449acdb2fa9.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7167e8ce42ef37c1aecb1449acdb2fa9.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7167e8ce42ef37c1aecb1449acdb2fa9.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7167e8ce42ef37c1aecb1449acdb2fa9.exe"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7167e8ce42ef37c1aecb1449acdb2fa9.exe"	REG.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main	7167e8ce42ef37c1aecb1449acdb2fa9.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main	REG.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.mbuscas.com"	REG.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe
2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 3320	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	88
PID 2752 wrote to memory of 3320	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	88
PID 2752 wrote to memory of 3320	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	88
PID 2752 wrote to memory of 5040	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	89
PID 2752 wrote to memory of 5040	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	89
PID 2752 wrote to memory of 5040	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	89
PID 2752 wrote to memory of 3864	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	92
PID 2752 wrote to memory of 3864	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	92
PID 2752 wrote to memory of 3864	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	92
PID 2752 wrote to memory of 4640	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	94
PID 2752 wrote to memory of 4640	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	94
PID 2752 wrote to memory of 4640	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	94
PID 2752 wrote to memory of 3052	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	95
PID 2752 wrote to memory of 3052	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	95
PID 2752 wrote to memory of 3052	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	95
PID 2752 wrote to memory of 4080	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	96
PID 2752 wrote to memory of 4080	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	96
PID 2752 wrote to memory of 4080	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	96
PID 2752 wrote to memory of 4776	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	106
PID 2752 wrote to memory of 4776	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	106
PID 2752 wrote to memory of 4776	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	106
PID 2752 wrote to memory of 3324	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	98
PID 2752 wrote to memory of 3324	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	98
PID 2752 wrote to memory of 3324	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	98
PID 2752 wrote to memory of 5096	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	99
PID 2752 wrote to memory of 5096	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	99
PID 2752 wrote to memory of 5096	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	99
PID 2752 wrote to memory of 3104	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	103
PID 2752 wrote to memory of 3104	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	103
PID 2752 wrote to memory of 3104	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	103
PID 2752 wrote to memory of 676	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	117
PID 2752 wrote to memory of 676	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	117
PID 2752 wrote to memory of 676	2752	7167e8ce42ef37c1aecb1449acdb2fa9.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7167e8ce42ef37c1aecb1449acdb2fa9.exe
"C:\Users\Admin\AppData\Local\Temp\7167e8ce42ef37c1aecb1449acdb2fa9.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V "Rundll32" /T REG_SZ /D C:\Users\Admin\AppData\Local\Temp\7167e8ce42ef37c1aecb1449acdb2fa9.exe /F
  2⤵
  - Adds Run key to start application
  PID:3320
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V "Rundll32" /T REG_SZ /D C:\Users\Admin\AppData\Local\Temp\7167e8ce42ef37c1aecb1449acdb2fa9.exe /F
  2⤵
  - Adds Run key to start application
  PID:5040
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V "Rundll32" /T REG_SZ /D C:\Users\Admin\AppData\Local\Temp\7167e8ce42ef37c1aecb1449acdb2fa9.exe /F
  2⤵
  - Adds Run key to start application
  PID:3864
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V "Rundll32" /T REG_SZ /D C:\Users\Admin\AppData\Local\Temp\7167e8ce42ef37c1aecb1449acdb2fa9.exe /F
  2⤵
  - Adds Run key to start application
  PID:4640
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V "Rundll32" /T REG_SZ /D C:\Users\Admin\AppData\Local\Temp\7167e8ce42ef37c1aecb1449acdb2fa9.exe /F
  2⤵
  - Adds Run key to start application
  PID:3052
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V "Rundll32" /T REG_SZ /D C:\Users\Admin\AppData\Local\Temp\7167e8ce42ef37c1aecb1449acdb2fa9.exe /F
  2⤵
  - Adds Run key to start application
  PID:4080
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V "Rundll32" /T REG_SZ /D C:\Users\Admin\AppData\Local\Temp\7167e8ce42ef37c1aecb1449acdb2fa9.exe /F
  2⤵
  - Adds Run key to start application
  PID:3324
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V "Rundll32" /T REG_SZ /D C:\Users\Admin\AppData\Local\Temp\7167e8ce42ef37c1aecb1449acdb2fa9.exe /F
  2⤵
  - Adds Run key to start application
  PID:5096
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V "Rundll32" /T REG_SZ /D C:\Users\Admin\AppData\Local\Temp\7167e8ce42ef37c1aecb1449acdb2fa9.exe /F
  2⤵
  - Adds Run key to start application
  PID:3104
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V "Rundll32" /T REG_SZ /D C:\Users\Admin\AppData\Local\Temp\7167e8ce42ef37c1aecb1449acdb2fa9.exe /F
  2⤵
  - Adds Run key to start application
  PID:4776
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /V "Start Page" /T REG_SZ /D http://www.mbuscas.com /F
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:676

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 3874a363bbbdfec25e208ff5c8f1dd6d 1gLngA7PMESaFx5YCugL6w.0.1.0.0.0
1⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2752-0-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/2752-1-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2752-2-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2752-3-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/2752-15-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads