6854e3fa80c62461c88197f0161d3b4040230f86f818b626b9ffe13d61a12d87

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb2581163aeb6121a7e36581cf01ce7e.exe
Size

26KB
MD5

bb2581163aeb6121a7e36581cf01ce7e
SHA1

9eb48372562b901ab97f25e9e6cbfdc6b9376327
SHA256

6854e3fa80c62461c88197f0161d3b4040230f86f818b626b9ffe13d61a12d87
SHA512

5fdd96b69490e53266a47528fc1aacaef9daba0ff9279a9e31f04cdfc4bde41609e5db0515e308472038135afbc469af3e6fcf7dc59b8edc4e359f44616781b3
SSDEEP

384:38zIhOcql6/i9p5GBFK08Iu/DmzATFDMCVVRNzsG5jtkeYI4awzfMGNtoXaAiF:38KCpIFHEYknzsG5jWU4jvoXfS

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bb2581163aeb6121a7e36581cf01ce7e.exe"	bb2581163aeb6121a7e36581cf01ce7e.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\urschipidea.inf_amd64_78ad1c14e33df968\urschipidea.sys	bb2581163aeb6121a7e36581cf01ce7e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vrd.inf_amd64_81fbd405ff2470fc\vrd.sys	bb2581163aeb6121a7e36581cf01ce7e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\swenum.inf_amd64_16a14542b63c02af\swenum.sys	bb2581163aeb6121a7e36581cf01ce7e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\genericusbfn.inf_amd64_53931f0ae21d6d2c\genericusbfn.sys	bb2581163aeb6121a7e36581cf01ce7e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\uefi.inf_amd64_c1628ffa62c8e54c\UEFI.sys	bb2581163aeb6121a7e36581cf01ce7e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ufxchipidea.inf_amd64_1c78775fffab6a0a\UfxChipidea.sys	bb2581163aeb6121a7e36581cf01ce7e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\umbus.inf_amd64_b78a9c5b6fd62c27\umbus.sys	bb2581163aeb6121a7e36581cf01ce7e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\urssynopsys.inf_amd64_057fa37902020500\urssynopsys.sys	bb2581163aeb6121a7e36581cf01ce7e.exe
File created	C:\Windows\System32\DriverStore\FileRepository\compositebus.inf_amd64_7500cffa210c6946\CompositeBus.sys	bb2581163aeb6121a7e36581cf01ce7e.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3420	bb2581163aeb6121a7e36581cf01ce7e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3420	bb2581163aeb6121a7e36581cf01ce7e.exe
3420	bb2581163aeb6121a7e36581cf01ce7e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3420	bb2581163aeb6121a7e36581cf01ce7e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 796	3420	bb2581163aeb6121a7e36581cf01ce7e.exe	10
PID 3420 wrote to memory of 4604	3420	bb2581163aeb6121a7e36581cf01ce7e.exe	92
PID 3420 wrote to memory of 4604	3420	bb2581163aeb6121a7e36581cf01ce7e.exe	92
PID 3420 wrote to memory of 4604	3420	bb2581163aeb6121a7e36581cf01ce7e.exe	92

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:796

C:\Users\Admin\AppData\Local\Temp\bb2581163aeb6121a7e36581cf01ce7e.exe
"C:\Users\Admin\AppData\Local\Temp\bb2581163aeb6121a7e36581cf01ce7e.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" %1
  2⤵
  PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rdl3F4B.tmp

Filesize
6KB

MD5
a240958fe9d5acbe71a2b3c3a11e1102

SHA1
b9413646979bb90da854a8509aa3594fb5e2a79b

SHA256
6118af8a4e3c776f412e026bbaac204714d787036eeafb0406685d1f65ce7be3

SHA512
09667b4fda6b8276b428fcbe57f66acb317b7e21b1e22d55ecb354e54b1352e697dcb5e2d9d9be890f694d6e1deaadda86ebca008c25eca084c2ea89678c1944

Download Submit
memory/3420-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3420-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3420-1-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3420-3-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3420-43-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3420-45-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3420-55-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download