baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597

Analysis

max time kernel
149s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597.exe
Size

176KB
MD5

42a5ec45ffa987fe44692c5dc5596203
SHA1

8082bcdc38f3f56009d528a5a6079a1e2384072c
SHA256

baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597
SHA512

82b3970fe0be50aace3ffb77c9538ba23f007c4ef39a8bfef694538f971f0b578de6e55d431f436b91c171911d3f33466fa4f999d963be2197a55e328501ee96
SSDEEP

3072:S9E4Wgbr57BVFqmx1E9Hqmz674Qbf6xET/nhqCoNWDY1TuDBujfgY1LRQBAhHuYK:o0MJBVlx+Vf274Q2xqhxoNH1Ti5YtuY

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4580	diskhost.exe
4532	cscrdccw.exe
2152	~5AD2.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fcexer = "C:\\Users\\Admin\\AppData\\Roaming\\perfeSrv\\diskhost.exe"	baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cscrdccw.exe	baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4580	diskhost.exe
4580	diskhost.exe
3480	Explorer.EXE
3480	Explorer.EXE
4532	cscrdccw.exe
4532	cscrdccw.exe
3480	Explorer.EXE
4532	cscrdccw.exe
3480	Explorer.EXE
4532	cscrdccw.exe
3480	Explorer.EXE
4532	cscrdccw.exe
4532	cscrdccw.exe
3480	Explorer.EXE
3480	Explorer.EXE
4532	cscrdccw.exe
4532	cscrdccw.exe
3480	Explorer.EXE
3480	Explorer.EXE
3480	Explorer.EXE
4532	cscrdccw.exe
4532	cscrdccw.exe
3480	Explorer.EXE
3480	Explorer.EXE
4532	cscrdccw.exe
4532	cscrdccw.exe
3480	Explorer.EXE
4532	cscrdccw.exe
3480	Explorer.EXE
4532	cscrdccw.exe
3480	Explorer.EXE
4532	cscrdccw.exe
4532	cscrdccw.exe
3480	Explorer.EXE
3480	Explorer.EXE
4532	cscrdccw.exe
3480	Explorer.EXE
4532	cscrdccw.exe
3480	Explorer.EXE
4532	cscrdccw.exe
4532	cscrdccw.exe
3480	Explorer.EXE
3480	Explorer.EXE
3480	Explorer.EXE
4532	cscrdccw.exe
4532	cscrdccw.exe
3480	Explorer.EXE
4532	cscrdccw.exe
4532	cscrdccw.exe
3480	Explorer.EXE
3480	Explorer.EXE
4532	cscrdccw.exe
4532	cscrdccw.exe
3480	Explorer.EXE
3480	Explorer.EXE
4532	cscrdccw.exe
4532	cscrdccw.exe
3480	Explorer.EXE
3480	Explorer.EXE
4532	cscrdccw.exe
4532	cscrdccw.exe
3480	Explorer.EXE
3480	Explorer.EXE
4532	cscrdccw.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3480	Explorer.EXE
Token: SeCreatePagefilePrivilege	3480	Explorer.EXE
Token: SeShutdownPrivilege	3480	Explorer.EXE
Token: SeCreatePagefilePrivilege	3480	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3480	Explorer.EXE
3480	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3480	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 4580	4748	baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597.exe	85
PID 4748 wrote to memory of 4580	4748	baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597.exe	85
PID 4748 wrote to memory of 4580	4748	baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597.exe	85
PID 4580 wrote to memory of 2152	4580	diskhost.exe	87
PID 4580 wrote to memory of 2152	4580	diskhost.exe	87
PID 4748 wrote to memory of 548	4748	baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597.exe	88
PID 4748 wrote to memory of 548	4748	baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597.exe	88
PID 4748 wrote to memory of 548	4748	baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597.exe	88
PID 2152 wrote to memory of 3480	2152	~5AD2.tmp	56
PID 548 wrote to memory of 2044	548	cmd.exe	90
PID 548 wrote to memory of 2044	548	cmd.exe	90
PID 548 wrote to memory of 2044	548	cmd.exe	90

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2044	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
PID:3480
- C:\Users\Admin\AppData\Local\Temp\baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597.exe
  "C:\Users\Admin\AppData\Local\Temp\baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Users\Admin\AppData\Roaming\perfeSrv\diskhost.exe
    "C:\Users\Admin\AppData\Roaming\perfeSrv\diskhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Users\Admin\AppData\Local\Temp\~5AD2.tmp
      "C:\Users\Admin\AppData\Local\Temp\~5AD2.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    /C 240605921.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h "baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597.exe"
      4⤵
      Views/modifies file attributes
      PID:2044

C:\Windows\SysWOW64\cscrdccw.exe
C:\Windows\SysWOW64\cscrdccw.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240605921.cmd

Filesize
291B

MD5
613cf3102fd77f0263b26b43b01e27f7

SHA1
5711e70d02aabecd82599902ae203f474409c8ad

SHA256
bc8412fc0be541c1d00eb5b63d0afc11a9968dc467d0c2f83c5c01e8dced7ea4

SHA512
c06ad9613054c869ce4995f126796bebe538ac02caf10270689bcc99378c242ca85616ff9c883905d0c353dae3a6dec5a4d809652a7d9ebf80ba080768c1b022

Download Submit
C:\Users\Admin\AppData\Local\Temp\~5AD2.tmp

Filesize
6KB

MD5
7e4d2aab89ea92feb77039882b44074e

SHA1
fc77eaf378f964ff69a16822d0f651c3fee5e123

SHA256
a775ac98a6dfb780a8b74b6bee96422bdb4c0f58ff6d7fc5ae9f49102714149b

SHA512
a34456711515d625961733035f9799dd2ad95015842f578f11b242bd42c024072a2b1eefcb927ebbfad905ecf48e1a530e097a190a4f0b2fa9f56ff61d9a1d53

Download Submit
C:\Users\Admin\AppData\Roaming\perfeSrv\diskhost.exe

Filesize
176KB

MD5
1b4bd4b9b3e9ab2b642f8d3647ed01cf

SHA1
f4eb86c8eaafb9a07816e03f48a2109f162bfac5

SHA256
0dc20e77a9efb9dbcfb5c88f43697237b58d106888d51ab248a36dcb0e01d6ad

SHA512
2ab1cc7e9ccc4cd1824d05cce8c374fedea30c602f6d0662e83b3e55e7c21ce3778fab760f1ab53460e2c8892c22a3fd838292fd730532708bc98cd384ef8f22

Download Submit
C:\Windows\SysWOW64\cscrdccw.exe

Filesize
176KB

MD5
42a5ec45ffa987fe44692c5dc5596203

SHA1
8082bcdc38f3f56009d528a5a6079a1e2384072c

SHA256
baeb84f9629687a48046838b3b9bb3ecda354e651140d5a7a770f21f207a5597

SHA512
82b3970fe0be50aace3ffb77c9538ba23f007c4ef39a8bfef694538f971f0b578de6e55d431f436b91c171911d3f33466fa4f999d963be2197a55e328501ee96

Download Submit
memory/3480-19-0x0000000002D90000-0x0000000002DD3000-memory.dmp

Filesize
268KB

Download
memory/3480-18-0x0000000002D90000-0x0000000002DD3000-memory.dmp

Filesize
268KB

Download
memory/4532-13-0x0000000000E80000-0x0000000000EC0000-memory.dmp

Filesize
256KB

Download
memory/4532-15-0x0000000000E80000-0x0000000000EC0000-memory.dmp

Filesize
256KB

Download
memory/4532-14-0x0000000000E80000-0x0000000000EC0000-memory.dmp

Filesize
256KB

Download
memory/4580-6-0x0000000000BB0000-0x0000000000BF0000-memory.dmp

Filesize
256KB

Download
memory/4748-0-0x0000000000C50000-0x0000000000C90000-memory.dmp

Filesize
256KB

Download