4f815996d78ae62a5425c217a52431acf4a0f4ae8cfce8197fd34932bb7a6180

Analysis

max time kernel
120s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4705dbbbdbfe9bb44e6a832ff8146b60N.exe
Size

176KB
MD5

4705dbbbdbfe9bb44e6a832ff8146b60
SHA1

e4f8fb232bd6374cf669ccd6f5baf256a1b3278f
SHA256

4f815996d78ae62a5425c217a52431acf4a0f4ae8cfce8197fd34932bb7a6180
SHA512

5f1da98895c3fefb3875d829842ae3960561e743cc2e89c477c5b1e025807e8f35e6ac8733ff87e4022514605bba597d2077a7e88c8f83e4e59a5b1fa56c0734
SSDEEP

3072:u9E4Wgbr57BVFqmx1E9Hqmz674Qbf6xET/nhqCoNWDY1TuDBujfgY1LRQBAhHuYK:00MJBVlx+Vf274Q2xqhxoNH1Ti5YtuY

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3992	CameHost.exe
2456	ftpabel.exe
776	~BAD4.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Inpudown = "C:\\Users\\Admin\\AppData\\Roaming\\quiconce\\CameHost.exe"	4705dbbbdbfe9bb44e6a832ff8146b60N.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ftpabel.exe	4705dbbbdbfe9bb44e6a832ff8146b60N.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3992	CameHost.exe
3992	CameHost.exe
3496	Explorer.EXE
3496	Explorer.EXE
2456	ftpabel.exe
2456	ftpabel.exe
3496	Explorer.EXE
3496	Explorer.EXE
2456	ftpabel.exe
2456	ftpabel.exe
3496	Explorer.EXE
3496	Explorer.EXE
2456	ftpabel.exe
2456	ftpabel.exe
3496	Explorer.EXE
3496	Explorer.EXE
2456	ftpabel.exe
2456	ftpabel.exe
3496	Explorer.EXE
3496	Explorer.EXE
2456	ftpabel.exe
2456	ftpabel.exe
3496	Explorer.EXE
3496	Explorer.EXE
2456	ftpabel.exe
2456	ftpabel.exe
3496	Explorer.EXE
3496	Explorer.EXE
2456	ftpabel.exe
2456	ftpabel.exe
3496	Explorer.EXE
3496	Explorer.EXE
2456	ftpabel.exe
2456	ftpabel.exe
3496	Explorer.EXE
3496	Explorer.EXE
2456	ftpabel.exe
2456	ftpabel.exe
3496	Explorer.EXE
3496	Explorer.EXE
2456	ftpabel.exe
2456	ftpabel.exe
3496	Explorer.EXE
3496	Explorer.EXE
2456	ftpabel.exe
2456	ftpabel.exe
3496	Explorer.EXE
3496	Explorer.EXE
2456	ftpabel.exe
2456	ftpabel.exe
3496	Explorer.EXE
3496	Explorer.EXE
2456	ftpabel.exe
2456	ftpabel.exe
3496	Explorer.EXE
3496	Explorer.EXE
2456	ftpabel.exe
2456	ftpabel.exe
3496	Explorer.EXE
3496	Explorer.EXE
2456	ftpabel.exe
2456	ftpabel.exe
3496	Explorer.EXE
3496	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3496	Explorer.EXE
Token: SeCreatePagefilePrivilege	3496	Explorer.EXE
Token: SeShutdownPrivilege	3496	Explorer.EXE
Token: SeCreatePagefilePrivilege	3496	Explorer.EXE
Token: SeShutdownPrivilege	3496	Explorer.EXE
Token: SeCreatePagefilePrivilege	3496	Explorer.EXE
Token: SeShutdownPrivilege	3496	Explorer.EXE
Token: SeCreatePagefilePrivilege	3496	Explorer.EXE
Token: SeShutdownPrivilege	3496	Explorer.EXE
Token: SeCreatePagefilePrivilege	3496	Explorer.EXE
Token: SeShutdownPrivilege	3496	Explorer.EXE
Token: SeCreatePagefilePrivilege	3496	Explorer.EXE
Token: SeShutdownPrivilege	3496	Explorer.EXE
Token: SeCreatePagefilePrivilege	3496	Explorer.EXE
Token: SeShutdownPrivilege	3496	Explorer.EXE
Token: SeCreatePagefilePrivilege	3496	Explorer.EXE
Token: SeShutdownPrivilege	3496	Explorer.EXE
Token: SeCreatePagefilePrivilege	3496	Explorer.EXE
Token: SeShutdownPrivilege	3496	Explorer.EXE
Token: SeCreatePagefilePrivilege	3496	Explorer.EXE
Token: SeShutdownPrivilege	3496	Explorer.EXE
Token: SeCreatePagefilePrivilege	3496	Explorer.EXE
Token: SeShutdownPrivilege	3496	Explorer.EXE
Token: SeCreatePagefilePrivilege	3496	Explorer.EXE
Token: SeShutdownPrivilege	3496	Explorer.EXE
Token: SeCreatePagefilePrivilege	3496	Explorer.EXE
Token: SeShutdownPrivilege	3496	Explorer.EXE
Token: SeCreatePagefilePrivilege	3496	Explorer.EXE
Token: SeShutdownPrivilege	3496	Explorer.EXE
Token: SeCreatePagefilePrivilege	3496	Explorer.EXE
Token: SeShutdownPrivilege	3496	Explorer.EXE
Token: SeCreatePagefilePrivilege	3496	Explorer.EXE
Token: SeShutdownPrivilege	3496	Explorer.EXE
Token: SeCreatePagefilePrivilege	3496	Explorer.EXE
Token: SeShutdownPrivilege	3496	Explorer.EXE
Token: SeCreatePagefilePrivilege	3496	Explorer.EXE
Token: SeShutdownPrivilege	3496	Explorer.EXE
Token: SeCreatePagefilePrivilege	3496	Explorer.EXE
Token: SeShutdownPrivilege	3496	Explorer.EXE
Token: SeCreatePagefilePrivilege	3496	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3496	Explorer.EXE
3496	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3496	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 3992	456	4705dbbbdbfe9bb44e6a832ff8146b60N.exe	87
PID 456 wrote to memory of 3992	456	4705dbbbdbfe9bb44e6a832ff8146b60N.exe	87
PID 456 wrote to memory of 3992	456	4705dbbbdbfe9bb44e6a832ff8146b60N.exe	87
PID 3992 wrote to memory of 776	3992	CameHost.exe	89
PID 3992 wrote to memory of 776	3992	CameHost.exe	89
PID 776 wrote to memory of 3496	776	~BAD4.tmp	56
PID 456 wrote to memory of 4864	456	4705dbbbdbfe9bb44e6a832ff8146b60N.exe	90
PID 456 wrote to memory of 4864	456	4705dbbbdbfe9bb44e6a832ff8146b60N.exe	90
PID 456 wrote to memory of 4864	456	4705dbbbdbfe9bb44e6a832ff8146b60N.exe	90
PID 4864 wrote to memory of 3720	4864	cmd.exe	92
PID 4864 wrote to memory of 3720	4864	cmd.exe	92
PID 4864 wrote to memory of 3720	4864	cmd.exe	92

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3720	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
PID:3496
- C:\Users\Admin\AppData\Local\Temp\4705dbbbdbfe9bb44e6a832ff8146b60N.exe
  "C:\Users\Admin\AppData\Local\Temp\4705dbbbdbfe9bb44e6a832ff8146b60N.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Users\Admin\AppData\Roaming\quiconce\CameHost.exe
    "C:\Users\Admin\AppData\Roaming\quiconce\CameHost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3992
  - - C:\Users\Admin\AppData\Local\Temp\~BAD4.tmp
      "C:\Users\Admin\AppData\Local\Temp\~BAD4.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:776
- - C:\Windows\SysWOW64\cmd.exe
    /C 240630484.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h "4705dbbbdbfe9bb44e6a832ff8146b60N.exe"
      4⤵
      Views/modifies file attributes
      PID:3720

C:\Windows\SysWOW64\ftpabel.exe
C:\Windows\SysWOW64\ftpabel.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240630484.cmd

Filesize
198B

MD5
c309569036b15b36e22db725ff2eb47c

SHA1
6898af63f52e8f7d5094408426f46fcff53f85b1

SHA256
290e59efd1e7c13583c277ef2cc2c02365631f9ef61ecbd7d6076693a044371e

SHA512
2476b8dc0853ac5baaa0e4b332febd98b52ef6d90e466f06ec2da4263aa3dc284d59b1290faf36b1f256c05a9007cce8edd9e6a81f5a66f65442a8e5d472eecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\~BAD4.tmp

Filesize
6KB

MD5
aca2ec5c0b082ed2566403ab40918db0

SHA1
765ab5624ec163175c00d562d467efc989a1d0b0

SHA256
93ed4651f6e82c61c728ca50fba10def8867e4f98db62ff5ece5b96920a72d8a

SHA512
aec51c4c02b8c75715121adeec5e23e5cf0eef1d8100f8f88021cb628903ad15343ee937edf52b3bfe582569545d0ac3335eb16a4f8c714987d3c8d84bb495c7

Download Submit
C:\Users\Admin\AppData\Roaming\quiconce\CameHost.exe

Filesize
176KB

MD5
291adbc6b763634c44c9ee13029b9ad1

SHA1
ff46818957e1f94c88e940e067e87a0ef1a82bee

SHA256
38e4bb378ecda8afe3cdf7873e15d4b5bd2d700368b0c3b4be1921934b015972

SHA512
686b59b9cf36a2086a0190cbf060bc4c4c2dd319bad0597233644c414631d339687ec4510f4dc622d91d5d5e776edd00ab17d5e0350eb725581f39e067f65c57

Download Submit
C:\Windows\SysWOW64\ftpabel.exe

Filesize
176KB

MD5
4705dbbbdbfe9bb44e6a832ff8146b60

SHA1
e4f8fb232bd6374cf669ccd6f5baf256a1b3278f

SHA256
4f815996d78ae62a5425c217a52431acf4a0f4ae8cfce8197fd34932bb7a6180

SHA512
5f1da98895c3fefb3875d829842ae3960561e743cc2e89c477c5b1e025807e8f35e6ac8733ff87e4022514605bba597d2077a7e88c8f83e4e59a5b1fa56c0734

Download Submit
memory/456-0-0x0000000000D00000-0x0000000000D40000-memory.dmp

Filesize
256KB

Download
memory/2456-22-0x0000000001110000-0x0000000001150000-memory.dmp

Filesize
256KB

Download
memory/2456-12-0x0000000001110000-0x0000000001150000-memory.dmp

Filesize
256KB

Download
memory/2456-21-0x0000000001110000-0x0000000001150000-memory.dmp

Filesize
256KB

Download
memory/3496-16-0x0000000003350000-0x0000000003393000-memory.dmp

Filesize
268KB

Download
memory/3496-15-0x0000000003350000-0x0000000003393000-memory.dmp

Filesize
268KB

Download
memory/3992-11-0x0000000000380000-0x00000000003C0000-memory.dmp

Filesize
256KB

Download