3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe
Size

233KB
MD5

e29719d3adf28eed2d8ba410872ac962
SHA1

ed6247a21e2e00557e133c1289aca24df2b881d8
SHA256

3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be
SHA512

f419a104c3b010c6691a528d140b690d4d727de7d68dc9823e651a9028c8cee9c4894b91eaf61f9a34ab1e7957a6eb556f91719143b25412fd7f3aa6441b2d95
SSDEEP

6144:xD2JWK2zuqUzN15TMdN/5djkxUEKm/tJajKw:xD2JFYoZmF7kUm/Cj

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2996	evencopy.exe
4016	fsuteSrv.exe
4184	~9318.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fixmexer = "C:\\Users\\Admin\\AppData\\Roaming\\Deviac32\\evencopy.exe"	3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fsuteSrv.exe	3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2996	evencopy.exe
2996	evencopy.exe
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE
3520	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	evencopy.exe
Token: SeShutdownPrivilege	3520	Explorer.EXE
Token: SeCreatePagefilePrivilege	3520	Explorer.EXE
Token: SeShutdownPrivilege	3520	Explorer.EXE
Token: SeCreatePagefilePrivilege	3520	Explorer.EXE
Token: SeShutdownPrivilege	3520	Explorer.EXE
Token: SeCreatePagefilePrivilege	3520	Explorer.EXE
Token: SeShutdownPrivilege	3520	Explorer.EXE
Token: SeCreatePagefilePrivilege	3520	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3520	Explorer.EXE
3520	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3520	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2996	2852	3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe	85
PID 2852 wrote to memory of 2996	2852	3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe	85
PID 2852 wrote to memory of 2996	2852	3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe	85
PID 2996 wrote to memory of 4184	2996	evencopy.exe	87
PID 2996 wrote to memory of 4184	2996	evencopy.exe	87
PID 4184 wrote to memory of 3520	4184	~9318.tmp	56
PID 2852 wrote to memory of 1436	2852	3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe	88
PID 2852 wrote to memory of 1436	2852	3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe	88
PID 2852 wrote to memory of 1436	2852	3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe	88
PID 1436 wrote to memory of 4828	1436	cmd.exe	90
PID 1436 wrote to memory of 4828	1436	cmd.exe	90
PID 1436 wrote to memory of 4828	1436	cmd.exe	90

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4828	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
PID:3520
- C:\Users\Admin\AppData\Local\Temp\3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe
  "C:\Users\Admin\AppData\Local\Temp\3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Users\Admin\AppData\Roaming\Deviac32\evencopy.exe
    "C:\Users\Admin\AppData\Roaming\Deviac32"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Users\Admin\AppData\Local\Temp\~9318.tmp
      3520 239112 2996 1
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4184
- - C:\Windows\SysWOW64\cmd.exe
    /C 240620359.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h "3ddf598354802dbb764bfd1339f08223885ec4b0c4a11706f8e3a8029f0223be.exe"
      4⤵
      Views/modifies file attributes
      PID:4828

C:\Windows\SysWOW64\fsuteSrv.exe
C:\Windows\SysWOW64\fsuteSrv.exe -s
1⤵
- Executes dropped EXE
PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240620359.cmd

Filesize
291B

MD5
33a558f98fc6a70da7111582cfa681f6

SHA1
452aeaf0f06fe262a75f6f0d8a1b8e97b43f3045

SHA256
9960a200e06c3194ea6944cdf3c6933ebae1c6a37238c180a494959717298fe4

SHA512
bd5ae6cb6c0a58054d1511cd499c7452340ac5583ee93f1a4d27722c5831c4de2b34989473c211cd5e0c222772c911a65b26c2b59d683935f4597bed34e1d836

Download Submit
C:\Users\Admin\AppData\Local\Temp\~9318.tmp

Filesize
8KB

MD5
86dc243576cf5c7445451af37631eea9

SHA1
99a81c47c4c02f32c0ab456bfa23c306c7a09bf9

SHA256
25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a

SHA512
c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4

Download Submit
C:\Users\Admin\AppData\Roaming\Deviac32\evencopy.exe

Filesize
233KB

MD5
9a120a21878545442987480d66ec2206

SHA1
3c154719033da990bed94f863aad4d46d63ba6ab

SHA256
d54073973411c84172dddd507e192cce8a5321893978534caa68d4e705ab0146

SHA512
750bf3dbdb49661356a2dbd978a5e3ac1f1aa304b19101d0510640cad9d77a4ca8f5b10284add1dfd36b4648be2c55d69ad65e4fac52227a463e880dc524417d

Download Submit
memory/2852-0-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/2996-9-0x0000000002390000-0x0000000002395000-memory.dmp

Filesize
20KB

Download
memory/2996-8-0x0000000000700000-0x0000000000743000-memory.dmp

Filesize
268KB

Download
memory/3520-20-0x0000000002BC0000-0x0000000002BCD000-memory.dmp

Filesize
52KB

Download
memory/3520-19-0x0000000002BB0000-0x0000000002BB6000-memory.dmp

Filesize
24KB

Download
memory/3520-18-0x0000000002B10000-0x0000000002B5A000-memory.dmp

Filesize
296KB

Download
memory/3520-14-0x0000000002B10000-0x0000000002B5A000-memory.dmp

Filesize
296KB

Download
memory/4016-17-0x0000000000F50000-0x0000000000F93000-memory.dmp

Filesize
268KB

Download