5debeda2835def4c4f135d47aa5fc9d0ef39d5193e50a85b690332db62a8cafe

General

Target

d9cbb1b75b2ec76764fa80ef4ff42382.exe
Size

827KB
MD5

d9cbb1b75b2ec76764fa80ef4ff42382
SHA1

fc2c102ad05eda02088f21426a03257b095aab51
SHA256

5debeda2835def4c4f135d47aa5fc9d0ef39d5193e50a85b690332db62a8cafe
SHA512

ab8c5f63c39ed404e9ad28731107ad9405295207f80f2b8b2d7bc6b641da67400c29978845fcf97c6aed3981f5714c2f355c1dc40d1294b9a53185792458c5be

Score

8^/10

persistence

Adds Run key to start application 2 TTPs 4 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

REG.exeREG.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\cred = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\cred.dll, Main"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\scr = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\scr.dll, Main"	REG.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

500 schtasks.exe

pid	process
500	schtasks.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

d9cbb1b75b2ec76764fa80ef4ff42382.exebdif.execmd.exe

description	pid	process	target process
PID 728 wrote to memory of 852	728	d9cbb1b75b2ec76764fa80ef4ff42382.exe	bdif.exe
PID 728 wrote to memory of 852	728	d9cbb1b75b2ec76764fa80ef4ff42382.exe	bdif.exe
PID 728 wrote to memory of 852	728	d9cbb1b75b2ec76764fa80ef4ff42382.exe	bdif.exe
PID 852 wrote to memory of 1156	852	bdif.exe	REG.exe
PID 852 wrote to memory of 1156	852	bdif.exe	REG.exe
PID 852 wrote to memory of 1156	852	bdif.exe	REG.exe
PID 852 wrote to memory of 1232	852	bdif.exe	rundll32.exe
PID 852 wrote to memory of 1232	852	bdif.exe	rundll32.exe
PID 852 wrote to memory of 1232	852	bdif.exe	rundll32.exe
PID 852 wrote to memory of 1536	852	bdif.exe	REG.exe
PID 852 wrote to memory of 1536	852	bdif.exe	REG.exe
PID 852 wrote to memory of 1536	852	bdif.exe	REG.exe
PID 852 wrote to memory of 1588	852	bdif.exe	rundll32.exe
PID 852 wrote to memory of 1588	852	bdif.exe	rundll32.exe
PID 852 wrote to memory of 1588	852	bdif.exe	rundll32.exe
PID 852 wrote to memory of 3124	852	bdif.exe	cmd.exe
PID 852 wrote to memory of 3124	852	bdif.exe	cmd.exe
PID 852 wrote to memory of 3124	852	bdif.exe	cmd.exe
PID 852 wrote to memory of 2184	852	bdif.exe	REG.exe
PID 852 wrote to memory of 2184	852	bdif.exe	REG.exe
PID 852 wrote to memory of 2184	852	bdif.exe	REG.exe
PID 3124 wrote to memory of 500	3124	cmd.exe	schtasks.exe
PID 3124 wrote to memory of 500	3124	cmd.exe	schtasks.exe
PID 3124 wrote to memory of 500	3124	cmd.exe	schtasks.exe

Executes dropped EXE 1 IoCs

Processes:

bdif.exe

pid process

852 bdif.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1232 rundll32.exe
1588 rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

1232 rundll32.exe
1232 rundll32.exe
1232 rundll32.exe
1232 rundll32.exe
Blacklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

3 1232 rundll32.exe
7 1588 rundll32.exe
NTFS ADS 1 IoCs

Processes:

d9cbb1b75b2ec76764fa80ef4ff42382.exe

description ioc process

File created \??\c:\programdata\1321ba6d1f\bdif.exe:Zone.Identifier d9cbb1b75b2ec76764fa80ef4ff42382.exe

pid	process
852	bdif.exe

pid	process
1232	rundll32.exe
1588	rundll32.exe

flow	pid	process
3	1232	rundll32.exe
7	1588	rundll32.exe

description	ioc	process
File created	\??\c:\programdata\1321ba6d1f\bdif.exe:Zone.Identifier	d9cbb1b75b2ec76764fa80ef4ff42382.exe

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v cred /t REG_SZ /d "rundll32 C:\Users\Admin\AppData\Local\Temp\cred.dll, Main"
3⤵
- Adds Run key to start application
PID:1156

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v scr /t REG_SZ /d "rundll32 C:\Users\Admin\AppData\Local\Temp\scr.dll, Main"
3⤵
- Adds Run key to start application
PID:1536

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C SCHTASKS /Create /SC HOURLY /MO 1 /TN a174c1ef10e2077451f5b6dda83242a1 /TR c:\programdata\1321ba6d1f\bdif.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3124

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Create /SC HOURLY /MO 1 /TN a174c1ef10e2077451f5b6dda83242a1 /TR c:\programdata\1321ba6d1f\bdif.exe
4⤵
- Creates scheduled task(s)
PID:500

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d c:\programdata\1321ba6d1f
3⤵
PID:2184