3ef6cc0ee34c9c5e311bdbe2cdd6af20c451582dbb2e3b9054e6e8e9e2ea6e76

Analysis

max time kernel
125s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ef6cc0ee34c9c5e311bdbe2cdd6af20c451582dbb2e3b9054e6e8e9e2ea6e76.exe
Size

702KB
MD5

5f53734c5153ec3dd61e2a732a2ff03f
SHA1

0dcfceaced0f4063af2e93cea48348b801fd0435
SHA256

3ef6cc0ee34c9c5e311bdbe2cdd6af20c451582dbb2e3b9054e6e8e9e2ea6e76
SHA512

17e6b58d604e2e81385fe1e82a8d5f8eafeb1a0b749280db4010158e2acb6bd516f0c5de68d9d7aa9c509a68d3cdc2a4a21623c6dda4dd2563cfd75e1a723e0f
SSDEEP

12288:DdKDeq1eaihwIgHYzVQKS6f4oXjXoFGXFJ1406jowEq9+NPn7NiaswNF:YDplihwIgHYzVQWjd1J1zNMg

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EvilDriver\ImagePath = "\\??\\C:\\Driver2030.sys"	3ef6cc0ee34c9c5e311bdbe2cdd6af20c451582dbb2e3b9054e6e8e9e2ea6e76.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2872	1972	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1972	3ef6cc0ee34c9c5e311bdbe2cdd6af20c451582dbb2e3b9054e6e8e9e2ea6e76.exe
1972	3ef6cc0ee34c9c5e311bdbe2cdd6af20c451582dbb2e3b9054e6e8e9e2ea6e76.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1972	3ef6cc0ee34c9c5e311bdbe2cdd6af20c451582dbb2e3b9054e6e8e9e2ea6e76.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1972	3ef6cc0ee34c9c5e311bdbe2cdd6af20c451582dbb2e3b9054e6e8e9e2ea6e76.exe

C:\Users\Admin\AppData\Local\Temp\3ef6cc0ee34c9c5e311bdbe2cdd6af20c451582dbb2e3b9054e6e8e9e2ea6e76.exe
"C:\Users\Admin\AppData\Local\Temp\3ef6cc0ee34c9c5e311bdbe2cdd6af20c451582dbb2e3b9054e6e8e9e2ea6e76.exe"
1⤵
- Sets service image path in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 1244
  2⤵
  - Program crash
  PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 1972 -ip 1972
1⤵
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4088,i,3549704109630749084,1975543916261970610,262144 --variations-seed-version --mojo-platform-channel-handle=4248 /prefetch:8
1⤵
PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads