2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606.exe
Size

176KB
MD5

8893a8b6776c2ad16f3db82e78e26e99
SHA1

a33299db49945a46276765b443e232c493dc6541
SHA256

2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606
SHA512

180c6e616672462d97d948fb25f0d737902e171bcbd45d63022458a175e70d7051ef9ca60b146b1866f86c09a52be37985812a146f683df8328aaa42faf3403e
SSDEEP

3072:D9E4Wgbr57BVFqmx1E9Hqmz674Qbf6xET/nhqCoNWDY1TuDBujfgY1LRQBAhHukK:J0MJBVlx+Vf274Q2xqhxoNH1Ti5Ytuk

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
512	CertHost.exe
5108	labeiles.exe
3788	~D0DD.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\finddial = "C:\\Users\\Admin\\AppData\\Roaming\\pcaulace\\CertHost.exe"	2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\labeiles.exe	2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
512	CertHost.exe
512	CertHost.exe
3432	Explorer.EXE
3432	Explorer.EXE
5108	labeiles.exe
5108	labeiles.exe
3432	Explorer.EXE
3432	Explorer.EXE
5108	labeiles.exe
5108	labeiles.exe
3432	Explorer.EXE
3432	Explorer.EXE
5108	labeiles.exe
5108	labeiles.exe
3432	Explorer.EXE
3432	Explorer.EXE
5108	labeiles.exe
5108	labeiles.exe
3432	Explorer.EXE
3432	Explorer.EXE
5108	labeiles.exe
5108	labeiles.exe
3432	Explorer.EXE
3432	Explorer.EXE
5108	labeiles.exe
5108	labeiles.exe
3432	Explorer.EXE
3432	Explorer.EXE
5108	labeiles.exe
5108	labeiles.exe
3432	Explorer.EXE
3432	Explorer.EXE
5108	labeiles.exe
5108	labeiles.exe
3432	Explorer.EXE
3432	Explorer.EXE
5108	labeiles.exe
5108	labeiles.exe
3432	Explorer.EXE
3432	Explorer.EXE
5108	labeiles.exe
5108	labeiles.exe
3432	Explorer.EXE
3432	Explorer.EXE
5108	labeiles.exe
5108	labeiles.exe
3432	Explorer.EXE
3432	Explorer.EXE
5108	labeiles.exe
5108	labeiles.exe
3432	Explorer.EXE
3432	Explorer.EXE
5108	labeiles.exe
5108	labeiles.exe
3432	Explorer.EXE
3432	Explorer.EXE
5108	labeiles.exe
5108	labeiles.exe
3432	Explorer.EXE
3432	Explorer.EXE
5108	labeiles.exe
5108	labeiles.exe
3432	Explorer.EXE
3432	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3432	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 512	848	2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606.exe	87
PID 848 wrote to memory of 512	848	2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606.exe	87
PID 848 wrote to memory of 512	848	2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606.exe	87
PID 512 wrote to memory of 3788	512	CertHost.exe	89
PID 512 wrote to memory of 3788	512	CertHost.exe	89
PID 3788 wrote to memory of 3432	3788	~D0DD.tmp	56
PID 848 wrote to memory of 2224	848	2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606.exe	90
PID 848 wrote to memory of 2224	848	2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606.exe	90
PID 848 wrote to memory of 2224	848	2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606.exe	90
PID 2224 wrote to memory of 3444	2224	cmd.exe	92
PID 2224 wrote to memory of 3444	2224	cmd.exe	92
PID 2224 wrote to memory of 3444	2224	cmd.exe	92

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3444	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:3432
- C:\Users\Admin\AppData\Local\Temp\2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606.exe
  "C:\Users\Admin\AppData\Local\Temp\2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Users\Admin\AppData\Roaming\pcaulace\CertHost.exe
    "C:\Users\Admin\AppData\Roaming\pcaulace\CertHost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:512
  - - C:\Users\Admin\AppData\Local\Temp\~D0DD.tmp
      "C:\Users\Admin\AppData\Local\Temp\~D0DD.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3788
- - C:\Windows\SysWOW64\cmd.exe
    /C 240636171.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h "2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606.exe"
      4⤵
      Views/modifies file attributes
      PID:3444

C:\Windows\SysWOW64\labeiles.exe
C:\Windows\SysWOW64\labeiles.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240636171.cmd

Filesize
291B

MD5
1ac5f12a33b1cd20eee9fe9a5ed7f502

SHA1
03d986a9ed75575e27e259449ffa3ca82feb9d3d

SHA256
3683bf6fba5e8c5ac99d79ff0253c482cf3ddfbd110afe2dfb125be60c6357a7

SHA512
05938c2732730e80c18f1b5af9943e01d6a346321f36d44f536833ae18625eac64a28b155fb062e96b05cae1867e7390e86f1af5284eba43ef5aef5ef7f6f5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\~D0DD.tmp

Filesize
6KB

MD5
6850ca80785b2c856605d82db76a4b32

SHA1
b594ee1f1af500f39f45e9f1ea02171e12272910

SHA256
a424f1e4f9eafce28c03c6bf24a842cf5d7e5d823e4f51b82fda0f9ca6417285

SHA512
aa619ca2f312ffefc5a5c6668df9a11ac128e30f2e6e199fca39005ebdde788fa33444f63b82c203c45cc4e2f2e80921120f0a4df0fec7d44a141c194ca27fb3

Download Submit
C:\Users\Admin\AppData\Roaming\pcaulace\CertHost.exe

Filesize
176KB

MD5
f3453aa3d2af6082c71ade2735f97663

SHA1
aea31def8a997bc41a4c665a2de195986390037d

SHA256
32bcac6fd726206117b04291c7a88db796c28705886ff488d4ce5c4a2d1f8197

SHA512
1dc18ac24941d16cb3877c16b99112c746889cc0d0d6ba9d7fbb0bb9cfcdfc6be203802199efc24f1a343f11d4cdd0c20e02f0d6bed525eeda06023b13494a41

Download Submit
C:\Windows\SysWOW64\labeiles.exe

Filesize
176KB

MD5
8893a8b6776c2ad16f3db82e78e26e99

SHA1
a33299db49945a46276765b443e232c493dc6541

SHA256
2dea3cdd3c9c04aa3419294fc41b221aac8d7caaa87c9598c7c2e8bb5629c606

SHA512
180c6e616672462d97d948fb25f0d737902e171bcbd45d63022458a175e70d7051ef9ca60b146b1866f86c09a52be37985812a146f683df8328aaa42faf3403e

Download Submit
memory/512-7-0x0000000000C30000-0x0000000000C70000-memory.dmp

Filesize
256KB

Download
memory/848-0-0x0000000000BD0000-0x0000000000C10000-memory.dmp

Filesize
256KB

Download
memory/3432-14-0x0000000008250000-0x0000000008293000-memory.dmp

Filesize
268KB

Download
memory/3432-13-0x0000000008250000-0x0000000008293000-memory.dmp

Filesize
268KB

Download
memory/5108-20-0x0000000000F50000-0x0000000000F90000-memory.dmp

Filesize
256KB

Download
memory/5108-21-0x0000000000F50000-0x0000000000F90000-memory.dmp

Filesize
256KB

Download
memory/5108-22-0x0000000000F50000-0x0000000000F90000-memory.dmp

Filesize
256KB

Download