99f412fce3ba59f5da3ea9cf4c6a19080e8065dc97104bece69b554a0241f629

General

Target

90c41bb16437534b1cdaaa3a0172ab47.exe
Size

818KB
MD5

a375ad4447db35a52d1aec0d3f2eb8fc
SHA1

0414ced53ad4c0eec4a0b636df80bc4d82556578
SHA256

99f412fce3ba59f5da3ea9cf4c6a19080e8065dc97104bece69b554a0241f629
SHA512

3459fcc55cddc00732abbcc4a4207ebec6e261bc78b7132ff74c004b8ab834608fe377f39940420f8fc3b36256e873eaf4d7578f2fa905bee260a141d6a59dc4

Score

6^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 2 IoCs

Processes:

expand.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1248 PING.EXE

pid	process
1248	PING.EXE

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

90c41bb16437534b1cdaaa3a0172ab47.exe

pid	process
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe
1112	90c41bb16437534b1cdaaa3a0172ab47.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

90c41bb16437534b1cdaaa3a0172ab47.exe

description	pid	process
Token: SeBackupPrivilege	1112	90c41bb16437534b1cdaaa3a0172ab47.exe
Token: SeRestorePrivilege	1112	90c41bb16437534b1cdaaa3a0172ab47.exe
Token: SeBackupPrivilege	1112	90c41bb16437534b1cdaaa3a0172ab47.exe
Token: SeBackupPrivilege	1112	90c41bb16437534b1cdaaa3a0172ab47.exe
Token: SeRestorePrivilege	1112	90c41bb16437534b1cdaaa3a0172ab47.exe
Token: SeBackupPrivilege	1112	90c41bb16437534b1cdaaa3a0172ab47.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

90c41bb16437534b1cdaaa3a0172ab47.exe

pid process

1112 90c41bb16437534b1cdaaa3a0172ab47.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

90c41bb16437534b1cdaaa3a0172ab47.exenet.execmd.exe

description	pid	process	target process
PID 1112 wrote to memory of 1940	1112	90c41bb16437534b1cdaaa3a0172ab47.exe	expand.exe
PID 1112 wrote to memory of 1940	1112	90c41bb16437534b1cdaaa3a0172ab47.exe	expand.exe
PID 1112 wrote to memory of 1940	1112	90c41bb16437534b1cdaaa3a0172ab47.exe	expand.exe
PID 1112 wrote to memory of 1888	1112	90c41bb16437534b1cdaaa3a0172ab47.exe	net.exe
PID 1112 wrote to memory of 1888	1112	90c41bb16437534b1cdaaa3a0172ab47.exe	net.exe
PID 1112 wrote to memory of 1888	1112	90c41bb16437534b1cdaaa3a0172ab47.exe	net.exe
PID 1112 wrote to memory of 500	1112	90c41bb16437534b1cdaaa3a0172ab47.exe	cmd.exe
PID 1112 wrote to memory of 500	1112	90c41bb16437534b1cdaaa3a0172ab47.exe	cmd.exe
PID 1112 wrote to memory of 500	1112	90c41bb16437534b1cdaaa3a0172ab47.exe	cmd.exe
PID 1888 wrote to memory of 2772	1888	net.exe	net1.exe
PID 1888 wrote to memory of 2772	1888	net.exe	net1.exe
PID 1888 wrote to memory of 2772	1888	net.exe	net1.exe
PID 500 wrote to memory of 1348	500	cmd.exe	chcp.com
PID 500 wrote to memory of 1348	500	cmd.exe	chcp.com
PID 500 wrote to memory of 1348	500	cmd.exe	chcp.com
PID 500 wrote to memory of 1248	500	cmd.exe	PING.EXE
PID 500 wrote to memory of 1248	500	cmd.exe	PING.EXE
PID 500 wrote to memory of 1248	500	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\90c41bb16437534b1cdaaa3a0172ab47.exe
"C:\Users\Admin\AppData\Local\Temp\90c41bb16437534b1cdaaa3a0172ab47.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\expand.exe
expand "C:\Users\Admin\AppData\Local\Temp\iot870A.tmp" "C:\ProgramData\Microsoft\PlayReady\MDIC8C3.tmp\tmx.dat"
2⤵
- Drops file in Windows directory
PID:1940

C:\Windows\SysWOW64\net.exe
net start AppMgmt
2⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start AppMgmt
3⤵
PID:2772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lgt8843.tmp.cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:500

C:\Windows\SysWOW64\chcp.com
chcp 1252
3⤵
PID:1348

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
3⤵
- Runs ping.exe
PID:1248

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\PlayReady\MDIC8C3.tmp\tmx.dat
MD5
91f5000430a5803fcb4149acc0d42167

SHA1
a67239b0cc73ba95551224d09b9d65d23e64388e

SHA256
0c7b58aed8b2737c945f41e9c80503acfd6182923ed816e65f624498cf8f8026

SHA512
8792ddee85b083107abe5a5fdd0fba26978ca476817ee65f0ca1d1a501c47c2bef870744fd4c3b344849163bca3481d045341d76254a1d698be0e03b8647d97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgt8843.tmp.cmd
MD5
741e5499bf07650c6e8ef1f3f9842c45

SHA1
ccdbecb12b9bc5d72274a8e64f42feef17d74017

SHA256
4c6b8bdec940143c89c4213f51598f0f68614b9535289f410ff154f71e66dc9c

SHA512
cb563f0b7da21ea402d202373b7d179521be667717e0f56cc39f7f3c32fbf963d61c0b9bf2875835ff2590ea33c6f1610da0166b25867ba16668967d6eb5646f

Download Submit
\??\c:\users\admin\appdata\local\temp\iot870a.tmp
MD5
7ec37ef13e58efbb900054f8e3ab12b3

SHA1
b6113ab919d0e32018c32e3ade951871a7c6e236

SHA256
e1a5daf884950646f6c5f14d0f49034f33b316b8492af8e7cc2687f914bc0a83

SHA512
e60ea06a8bd6dfcba3df52d0fb3558fc8206d5e7492bc4cde02024b5ad08ddbe9247cf07590f21c4ce88b6f4adcd7f50c0f2bc5a09ce38025d2dbaf101280bd5

Download Submit
memory/500-4-0x0000000000000000-mapping.dmp

Download
memory/1248-8-0x0000000000000000-mapping.dmp

Download
memory/1348-7-0x0000000000000000-mapping.dmp

Download
memory/1888-3-0x0000000000000000-mapping.dmp

Download
memory/1940-0-0x0000000000000000-mapping.dmp

Download
memory/2772-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads