99f412fce3ba59f5da3ea9cf4c6a19080e8065dc97104bece69b554a0241f629

General

Target

90c41bb16437534b1cdaaa3a0172ab47.exe
Size

818KB
MD5

a375ad4447db35a52d1aec0d3f2eb8fc
SHA1

0414ced53ad4c0eec4a0b636df80bc4d82556578
SHA256

99f412fce3ba59f5da3ea9cf4c6a19080e8065dc97104bece69b554a0241f629
SHA512

3459fcc55cddc00732abbcc4a4207ebec6e261bc78b7132ff74c004b8ab834608fe377f39940420f8fc3b36256e873eaf4d7578f2fa905bee260a141d6a59dc4

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1232 cmd.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1232	cmd.exe

Drops file in Windows directory 2 IoCs

Processes:

expand.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

524 PING.EXE

pid	process
524	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

90c41bb16437534b1cdaaa3a0172ab47.exe

pid	process
684	90c41bb16437534b1cdaaa3a0172ab47.exe
684	90c41bb16437534b1cdaaa3a0172ab47.exe
684	90c41bb16437534b1cdaaa3a0172ab47.exe
684	90c41bb16437534b1cdaaa3a0172ab47.exe
684	90c41bb16437534b1cdaaa3a0172ab47.exe
684	90c41bb16437534b1cdaaa3a0172ab47.exe
684	90c41bb16437534b1cdaaa3a0172ab47.exe
684	90c41bb16437534b1cdaaa3a0172ab47.exe
684	90c41bb16437534b1cdaaa3a0172ab47.exe
684	90c41bb16437534b1cdaaa3a0172ab47.exe
684	90c41bb16437534b1cdaaa3a0172ab47.exe
684	90c41bb16437534b1cdaaa3a0172ab47.exe
684	90c41bb16437534b1cdaaa3a0172ab47.exe
684	90c41bb16437534b1cdaaa3a0172ab47.exe
684	90c41bb16437534b1cdaaa3a0172ab47.exe
684	90c41bb16437534b1cdaaa3a0172ab47.exe
684	90c41bb16437534b1cdaaa3a0172ab47.exe
684	90c41bb16437534b1cdaaa3a0172ab47.exe
684	90c41bb16437534b1cdaaa3a0172ab47.exe
684	90c41bb16437534b1cdaaa3a0172ab47.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

90c41bb16437534b1cdaaa3a0172ab47.exe

description	pid	process
Token: SeBackupPrivilege	684	90c41bb16437534b1cdaaa3a0172ab47.exe
Token: SeRestorePrivilege	684	90c41bb16437534b1cdaaa3a0172ab47.exe
Token: SeBackupPrivilege	684	90c41bb16437534b1cdaaa3a0172ab47.exe
Token: SeBackupPrivilege	684	90c41bb16437534b1cdaaa3a0172ab47.exe
Token: SeRestorePrivilege	684	90c41bb16437534b1cdaaa3a0172ab47.exe
Token: SeBackupPrivilege	684	90c41bb16437534b1cdaaa3a0172ab47.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

90c41bb16437534b1cdaaa3a0172ab47.exe

pid process

684 90c41bb16437534b1cdaaa3a0172ab47.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

90c41bb16437534b1cdaaa3a0172ab47.execmd.exenet.exe

description	pid	process	target process
PID 684 wrote to memory of 1096	684	90c41bb16437534b1cdaaa3a0172ab47.exe	expand.exe
PID 684 wrote to memory of 1096	684	90c41bb16437534b1cdaaa3a0172ab47.exe	expand.exe
PID 684 wrote to memory of 1096	684	90c41bb16437534b1cdaaa3a0172ab47.exe	expand.exe
PID 684 wrote to memory of 1096	684	90c41bb16437534b1cdaaa3a0172ab47.exe	expand.exe
PID 684 wrote to memory of 1060	684	90c41bb16437534b1cdaaa3a0172ab47.exe	net.exe
PID 684 wrote to memory of 1060	684	90c41bb16437534b1cdaaa3a0172ab47.exe	net.exe
PID 684 wrote to memory of 1060	684	90c41bb16437534b1cdaaa3a0172ab47.exe	net.exe
PID 684 wrote to memory of 1060	684	90c41bb16437534b1cdaaa3a0172ab47.exe	net.exe
PID 684 wrote to memory of 1232	684	90c41bb16437534b1cdaaa3a0172ab47.exe	cmd.exe
PID 684 wrote to memory of 1232	684	90c41bb16437534b1cdaaa3a0172ab47.exe	cmd.exe
PID 684 wrote to memory of 1232	684	90c41bb16437534b1cdaaa3a0172ab47.exe	cmd.exe
PID 684 wrote to memory of 1232	684	90c41bb16437534b1cdaaa3a0172ab47.exe	cmd.exe
PID 1232 wrote to memory of 1604	1232	cmd.exe	chcp.com
PID 1232 wrote to memory of 1604	1232	cmd.exe	chcp.com
PID 1232 wrote to memory of 1604	1232	cmd.exe	chcp.com
PID 1232 wrote to memory of 1604	1232	cmd.exe	chcp.com
PID 1060 wrote to memory of 664	1060	net.exe	net1.exe
PID 1060 wrote to memory of 664	1060	net.exe	net1.exe
PID 1060 wrote to memory of 664	1060	net.exe	net1.exe
PID 1060 wrote to memory of 664	1060	net.exe	net1.exe
PID 1232 wrote to memory of 524	1232	cmd.exe	PING.EXE
PID 1232 wrote to memory of 524	1232	cmd.exe	PING.EXE
PID 1232 wrote to memory of 524	1232	cmd.exe	PING.EXE
PID 1232 wrote to memory of 524	1232	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\90c41bb16437534b1cdaaa3a0172ab47.exe
"C:\Users\Admin\AppData\Local\Temp\90c41bb16437534b1cdaaa3a0172ab47.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\expand.exe
expand "C:\Users\Admin\AppData\Local\Temp\iot6DB3.tmp" "C:\ProgramData\Microsoft\PlayReady\MDID87B.tmp\tmx.dat"
2⤵
- Drops file in Windows directory
PID:1096

C:\Windows\SysWOW64\net.exe
net start AppMgmt
2⤵
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start AppMgmt
3⤵
PID:664

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\lgt6EEC.tmp.cmd
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\chcp.com
chcp 1252
3⤵
PID:1604

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
3⤵
- Runs ping.exe
PID:524

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\PlayReady\MDID87B.tmp\tmx.dat
MD5
91f5000430a5803fcb4149acc0d42167

SHA1
a67239b0cc73ba95551224d09b9d65d23e64388e

SHA256
0c7b58aed8b2737c945f41e9c80503acfd6182923ed816e65f624498cf8f8026

SHA512
8792ddee85b083107abe5a5fdd0fba26978ca476817ee65f0ca1d1a501c47c2bef870744fd4c3b344849163bca3481d045341d76254a1d698be0e03b8647d97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgt6EEC.tmp.cmd
MD5
b6cbab0fc9e085d2c9b3927256e0ea79

SHA1
befb821fe44dfef754c95de2fdcb3632c3f7ce9d

SHA256
2237916da299cbac56c1ff45d151de9929abafcb6cc2ab90421c91cba8ed3202

SHA512
b636ab63bd18eb7182fc6e42d4f2ec721a5a627fb1ebae11eb9b1765c26bdf3546082311435186d35ebebf5c3bb924a5018f77b5194d8e83d6e87947a52b7878

Download Submit
\??\c:\users\admin\appdata\local\temp\iot6db3.tmp
MD5
7ec37ef13e58efbb900054f8e3ab12b3

SHA1
b6113ab919d0e32018c32e3ade951871a7c6e236

SHA256
e1a5daf884950646f6c5f14d0f49034f33b316b8492af8e7cc2687f914bc0a83

SHA512
e60ea06a8bd6dfcba3df52d0fb3558fc8206d5e7492bc4cde02024b5ad08ddbe9247cf07590f21c4ce88b6f4adcd7f50c0f2bc5a09ce38025d2dbaf101280bd5

Download Submit
memory/524-8-0x0000000000000000-mapping.dmp

Download
memory/664-7-0x0000000000000000-mapping.dmp

Download
memory/1060-3-0x0000000000000000-mapping.dmp

Download
memory/1096-0-0x0000000000000000-mapping.dmp

Download
memory/1232-4-0x0000000000000000-mapping.dmp

Download
memory/1604-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads