1369d06d493f805f55b4062437cfbcd9abec14c5ccb43189a0820bae280297e3 | Triage

Analysis

max time kernel
153s
max time network
160s
platform
windows7_x64
resource
win7v200722
submitted
29-07-2020 07:17

Sharing

Report Analysis Logs

General

Target

1369d06d493f805f55b4062437cfbcd9abec14c5ccb43189a0820bae280297e3.exe
Size

172KB
MD5

169aaafbcc45bcc0ad01ccf74df8f5a8
SHA1

e8e922317325d2527ef75a35d16407d5f671f6cb
SHA256

1369d06d493f805f55b4062437cfbcd9abec14c5ccb43189a0820bae280297e3
SHA512

f4f4dc28aae507535d5b71fb092a2e9e0a0e3a3e463f9e17a9dee4214655bfb2900ec6b6eb0b8453418f0ae3bd51c2c2d08638baac0d8ce3f1cfeb43b8759461

Score

8^/10

discovery persistence

Malware Config

Signatures

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 1896	1848	taskeng.exe	27
PID 1848 wrote to memory of 1896	1848	taskeng.exe	27
PID 1848 wrote to memory of 1896	1848	taskeng.exe	27
PID 1848 wrote to memory of 1896	1848	taskeng.exe	27

Executes dropped EXE 1 IoCs

pid	Process
1896	TtADeDpGO.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\CLSID	1369d06d493f805f55b4062437cfbcd9abec14c5ccb43189a0820bae280297e3.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\CLSID\{FF241BFD-ACA1-2E20-25F8-1DBD94BD8F0A}	1369d06d493f805f55b4062437cfbcd9abec14c5ccb43189a0820bae280297e3.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\CLSID\{FF241BFD-ACA1-2E20-25F8-1DBD94BD8F0A}\1	TtADeDpGO.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\CLSID\{FF241BFD-ACA1-2E20-25F8-1DBD94BD8F0A}\2 = eb70b2fa36a335692b997ca3953500c1fb547dcd69e6b0b3770ef689c51facdbdebbe22c33df21d422b2eeb936d6baf01f399525b4b98a65d00f1ccb1037e5ecf2c138041ead73561b376cc64db280041f97d04e95c54ab8010d96342670ec4363963e23e04b59fb4fdf43c9921e38fd4c5681e96e6e90a7d12510701b9d5a3a7aaf5f416fef0b364f2a8b738724b662e6b035c4260593847590b5382f0d5be8f4beb996f7ae232c711371fae6c5dcd1c90db207ca2f843560e669d5ccd01a329d1c54dadcd87f6e7686e7bec7e35963bf9016b408ae46b7c59975f4c8951d18	TtADeDpGO.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\CLSID\{FF241BFD-ACA1-2E20-25F8-1DBD94BD8F0A}\2 = eb70b2fa36a335692b997ca3953500c1fb547dcd69e6b0b3770ef689c51facdbdebbe22c33df21d422b2eeb936d6baf01f399525b4b98a65d00f1ccb1037e5ecf2c138041ead73561b376cc64db280041f97d04e95c54ab8010d96342670ec4363963e23e04b59fb4fdf43c9921e38fd4c5681e96e6e90a7d12510701b9d5a3a7aaf5f416fef0b364f2a8b738724b662d2cb47150f35e90a7372aded0d95040ebdff53e8d4c80adb1d11edc16393a127c90db207ca2f843560e669d5ccd01a329d1c54dadcd87f6e7686e7bec7e35963896ad7f9aaa6edd93de9e7fbabd766e3	TtADeDpGO.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\CLSID\{FF241BFD-ACA1-2E20-25F8-1DBD94BD8F0A}\1	1369d06d493f805f55b4062437cfbcd9abec14c5ccb43189a0820bae280297e3.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\CLSID\{FF241BFD-ACA1-2E20-25F8-1DBD94BD8F0A}\2	1369d06d493f805f55b4062437cfbcd9abec14c5ccb43189a0820bae280297e3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\CLSID\{FF241BFD-ACA1-2E20-25F8-1DBD94BD8F0A}\2 = 5c0468034c8ed7d1fb5931e320e08fb1fb547dcd69e6b0b3770ef689c51facdbdebbe22c33df21d422b2eeb936d6baf01f399525b4b98a65d00f1ccb1037e5ecf2c138041ead73561b376cc64db280041f97d04e95c54ab8010d96342670ec4363963e23e04b59fb4fdf43c9921e38fd4c5681e96e6e90a7d12510701b9d5a3a7aaf5f416fef0b364f2a8b738724b662654567901f29d39f584c4860738e8e7b53d18c141170f842a013b8f922d3da5094ad5fa131dc480b7373a8e6bf72fccdf30c56811dc4921eb075bcdd32de75f77839cff56aa3e161f7e47f07c4ee13cb	TtADeDpGO.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\CLSID\{FF241BFD-ACA1-2E20-25F8-1DBD94BD8F0A}\ = 3d30f8281f3ccbac94ec92878994cdd08c44e14892b0e350f2756b0bf6ee9b37f52b6854010c671450a959ce2bac7f959b17097079fd61c8557ccf562012001bb2062580e39dce98ae6ec37e95759bb985b5c4649ee74664613ea8f1d1026c9b08303189d9615a40446056689c4c4d10993d4df58cb57e3012c10aeae7d211c0993d4df58cb57e3012c10aeae7d211c0993d4df58cb57e3012c10aeae7d211c0993d4df58cb57e3012c10aeae7d211c07b418ca35bf471396d18358f04cd7aef	1369d06d493f805f55b4062437cfbcd9abec14c5ccb43189a0820bae280297e3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\CLSID\{FF241BFD-ACA1-2E20-25F8-1DBD94BD8F0A}\2 = 5994605e8ba2ca74c81f0f832fea4e8ffb547dcd69e6b0b3770ef689c51facdbdebbe22c33df21d422b2eeb936d6baf01f399525b4b98a65d00f1ccb1037e5ecf2c138041ead73561b376cc64db280041f97d04e95c54ab8010d96342670ec4363963e23e04b59fb4fdf43c9921e38fd4c5681e96e6e90a7d12510701b9d5a3a7aaf5f416fef0b364f2a8b738724b6626b1b531ea19e847631619cdae4f0a07455947804280bc70b4af9769ae26e3b0bceae73dc70a5d9033e584c2c71f63d8c71002952a1955999d41dbae5eb07188d251944545a12cfd5410b9885093b6771	TtADeDpGO.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\CLSID\{FF241BFD-ACA1-2E20-25F8-1DBD94BD8F0A}\1 = 7872dc8d3f70f0457764f6f2aff6bf29fb78ceff5c486c9d1fff2ccc6482b7500e9d834ec7f3271e1cafb4da9a9a489a5a4eaf712e3cbe57fc3c533ceca782582d36f6246acf3410c402f74ca5c8919f4eef959e5175cb1a66d6f6d2932486070d6b8f86a54f9656fba84fac487108e2d0d98e8e0e41293696bb4cd8f83f3b06a7483f14424d44392c6b46024333f2a30cb6667ba3cb19a1720ec47c1765c6c88a4161b272a180360cd9850587322c27284300f2df68895bd6f0fd90f997982ec6097f04e5a7ee6493ba5e4be8185d5138d794ae90d810b3e115889bef2d9d1b84beafda0c1c156c1a7439b9d7590552a794a7df35ef3975a7fb70f5ba16635ff5cce8d68135c9d1769e03760267527a28d6e3179659ea4038cb662166a15c8553d73868113c70ee91d1248df841a912	1369d06d493f805f55b4062437cfbcd9abec14c5ccb43189a0820bae280297e3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\CLSID\{FF241BFD-ACA1-2E20-25F8-1DBD94BD8F0A}\0 = 389d53f6c649e18b0d55bab2a5ff2b15fc746104c2619e99e5a764028ed27905a68499aab758ac3e5ca8eeef7294e605db317e2f8280e9fe900eb1a4baf201baa6ebdb20a337cb44ccea61f7c5d1c37c4999834689c3ab46bc3159b2c67a00408b321d05ad836ae76dfe74dbeeb3d709f1758921f50d5a65684d8a0afa3235ddfc46bf9bc54c5d3c333583e4803964228d99060fdf1121890c4374c9f42a207597fba7928702575ed2fded485c178078f931419447629265df1c8885e526aed94d7de5cc98cb55007b7ccba2c385bae3a5ceda9c91664693642aabe91a308fcbbfa48615d2eda6ad9de749090101b5da9ce7f89f3a68b7f77c7dc0d2f1642a00497cea18d9d36923791b05d321cde362c404da6132284d9332cc533fa4fa694fe078845f7fb3658930b5e7fbe8d1f508f769f657acc1fc898300315b34655cec3aff8a73a2389e836e28da7c39fbc861	1369d06d493f805f55b4062437cfbcd9abec14c5ccb43189a0820bae280297e3.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\CLSID	TtADeDpGO.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\CLSID\{FF241BFD-ACA1-2E20-25F8-1DBD94BD8F0A}\2	TtADeDpGO.exe

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	1369d06d493f805f55b4062437cfbcd9abec14c5ccb43189a0820bae280297e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{FF241BFD-ACA1-2E20-25F8-1DBD94BD8F0A} = "C:\\Users\\Admin\\AppData\\Roaming\\ZeVEgNqF\\oqNBEsBn\\LDIQpmFW\\TtADeDpGO.exe"	1369d06d493f805f55b4062437cfbcd9abec14c5ccb43189a0820bae280297e3.exe

C:\Users\Admin\AppData\Local\Temp\1369d06d493f805f55b4062437cfbcd9abec14c5ccb43189a0820bae280297e3.exe
"C:\Users\Admin\AppData\Local\Temp\1369d06d493f805f55b4062437cfbcd9abec14c5ccb43189a0820bae280297e3.exe"
1⤵
- Modifies registry class
- Adds Run key to start application
PID:336

C:\Windows\system32\taskeng.exe
taskeng.exe {9EEA5741-3B61-407E-BC7D-3AE1359B1427} S-1-5-21-2090973689-680783404-4292415065-1000:UCQFZDUI\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Roaming\ZeVEgNqF\oqNBEsBn\LDIQpmFW\TtADeDpGO.exe
  C:\Users\Admin\AppData\Roaming\ZeVEgNqF\oqNBEsBn\LDIQpmFW\TtADeDpGO.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:1896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads