adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e

General

Target

adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe
Size

1.1MB
MD5

771d64a701a7827fb3229f98ad3ff858
SHA1

22b487be37f13797100c3348e1c9a3a254b41abc
SHA256

adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e
SHA512

662cc2147d316c4de5891f40639ede5d77caf97ea10cc2127e2b1066f286f22ada17ae0b57ab99ffd9f98e4ebbc6355cec2c8da86ebe7198a4a6bde2e33181eb

Score

8^/10

persistence

Malware Config

Signatures

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exeimages.exe

pid	process
900	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe
900	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe
900	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe
316	images.exe
316	images.exe
316	images.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exeadfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exeimages.exeimages.exe

description	pid	process	target process
PID 900 wrote to memory of 836	900	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe
PID 900 wrote to memory of 836	900	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe
PID 900 wrote to memory of 836	900	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe
PID 900 wrote to memory of 836	900	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe
PID 900 wrote to memory of 836	900	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe
PID 900 wrote to memory of 836	900	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe
PID 836 wrote to memory of 1288	836	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe	powershell.exe
PID 836 wrote to memory of 1288	836	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe	powershell.exe
PID 836 wrote to memory of 1288	836	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe	powershell.exe
PID 836 wrote to memory of 1288	836	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe	powershell.exe
PID 836 wrote to memory of 316	836	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe	images.exe
PID 836 wrote to memory of 316	836	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe	images.exe
PID 836 wrote to memory of 316	836	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe	images.exe
PID 836 wrote to memory of 316	836	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe	images.exe
PID 316 wrote to memory of 788	316	images.exe	images.exe
PID 316 wrote to memory of 788	316	images.exe	images.exe
PID 316 wrote to memory of 788	316	images.exe	images.exe
PID 316 wrote to memory of 788	316	images.exe	images.exe
PID 316 wrote to memory of 788	316	images.exe	images.exe
PID 316 wrote to memory of 788	316	images.exe	images.exe
PID 788 wrote to memory of 1072	788	images.exe	powershell.exe
PID 788 wrote to memory of 1072	788	images.exe	powershell.exe
PID 788 wrote to memory of 1072	788	images.exe	powershell.exe
PID 788 wrote to memory of 1072	788	images.exe	powershell.exe
PID 788 wrote to memory of 1084	788	images.exe	cmd.exe
PID 788 wrote to memory of 1084	788	images.exe	cmd.exe
PID 788 wrote to memory of 1084	788	images.exe	cmd.exe
PID 788 wrote to memory of 1084	788	images.exe	cmd.exe
PID 788 wrote to memory of 1084	788	images.exe	cmd.exe
PID 788 wrote to memory of 1084	788	images.exe	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exeimages.exe

description	pid	process	target process
PID 900 set thread context of 836	900	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe
PID 316 set thread context of 788	316	images.exe	images.exe

Loads dropped DLL 1 IoCs

Processes:

adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe

pid process

836 adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe
Executes dropped EXE 2 IoCs

Processes:

images.exeimages.exe

pid process

316 images.exe
788 images.exe

pid	process
836	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe

pid	process
316	images.exe
788	images.exe

Drops startup file 3 IoCs

Processes:

adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exeadfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AcXtrnal.url	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exeimages.exe

pid	process
900	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe
900	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe
900	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe
316	images.exe
316	images.exe
316	images.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1288 powershell.exe
Token: SeDebugPrivilege 1072 powershell.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1288 powershell.exe
1288 powershell.exe
1072 powershell.exe
1072 powershell.exe
NTFS ADS 1 IoCs

Processes:

adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe

description ioc process

File created C:\ProgramData:ApplicationData adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe

description	pid	process
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe

pid	process
1288	powershell.exe
1288	powershell.exe
1072	powershell.exe
1072	powershell.exe

description	ioc	process
File created	C:\ProgramData:ApplicationData	adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe

C:\Users\Admin\AppData\Local\Temp\adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe
"C:\Users\Admin\AppData\Local\Temp\adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe"
1⤵
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Drops startup file
- Suspicious use of FindShellTrayWindow
PID:900

C:\Users\Admin\AppData\Local\Temp\adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe
"C:\Users\Admin\AppData\Local\Temp\adfda243fa85cb545751d4639b844332843eec5dd4d424bc973005bff84ec17e.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Drops startup file
- Adds Run entry to start application
- NTFS ADS
PID:836

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1288

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
3⤵
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:316

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
4⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:1084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\

Download Submit
C:\ProgramData\images.exe

Download Submit
C:\ProgramData\images.exe

Download Submit
C:\ProgramData\images.exe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_231c2208-0720-4eec-b9f1-8bba11abd9fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_235184f8-dcca-4459-ace7-181c154dff79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_28894afa-e89a-4a0a-8d78-f7131aca2631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_498736e8-2130-4eb1-9470-fc5f4ba09eda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5317ffe2-76a8-4427-a6a8-8a62f6776b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_57c6647c-75fc-47bb-8ce4-3b8f0921c533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69ef7071-b224-4f05-84f6-5c30ede716a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6d5fa298-996f-4fc9-9c01-b2226cbdaeba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7d6878ec-2a8b-418c-8f2b-b6fcd4b50cf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_de4eedb8-4762-4c56-b80c-203df3aa6fa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e43ce3f6-b60d-4b70-bed1-86e53bf07360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fabbb9cf-9b8c-4b2f-b33d-0de7a9a3a10e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
\ProgramData\images.exe

Download Submit
memory/316-4-0x0000000000000000-mapping.dmp

Download
memory/788-9-0x00000000000C5907-mapping.dmp

Download
memory/788-8-0x00000000000C0000-0x0000000000213000-memory.dmp

Filesize
1.3MB

Download
memory/836-0-0x0000000000080000-0x00000000001D3000-memory.dmp

Filesize
1.3MB

Download
memory/836-1-0x0000000000085907-mapping.dmp

Download
memory/1072-13-0x0000000000000000-mapping.dmp

Download
memory/1084-19-0x0000000000000000-mapping.dmp

Download
memory/1084-18-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1084-14-0x0000000000000000-mapping.dmp

Download
memory/1288-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads