5784eef61ea7f9ef95d9559eb8b55b5edf0a362413b4fa9e391de62a9ee5c278

General

Target

TaskMachineNet.exe
Size

4.6MB
MD5

0f20f935559294d2088cfab26843e408
SHA1

85ac819478d1965c134041dfbd4973c0c2335d09
SHA256

5784eef61ea7f9ef95d9559eb8b55b5edf0a362413b4fa9e391de62a9ee5c278
SHA512

bc2a9ae95bfe7e8427dc0961a0d892de8bec64cece3470e7030c4a291d503f189d25e04dd14ca70df00c79ae7356832447c61e1e1a53f248e583b2705f0cbc0a

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

TaskMachineNet.tmpwinconSeMg.exewinconSe.exe

pid process

3540 TaskMachineNet.tmp
184 winconSeMg.exe
3272 winconSe.exe

pid	process
3540	TaskMachineNet.tmp
184	winconSeMg.exe
3272	winconSe.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WinServiceSup\winconSe.exe	upx
C:\Users\Admin\AppData\Roaming\WinServiceSup\winconSe.exe	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winconSeMg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	winconSeMg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinServiceSup = "\"C:\\Users\\Admin\\AppData\\Roaming\\WinServiceSup\\winconSeMg.exe\" mg"	winconSeMg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Modifies registry class 2 IoCs

Processes:

winconSe.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	winconSe.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	winconSe.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

TaskMachineNet.tmp

pid process

3540 TaskMachineNet.tmp
3540 TaskMachineNet.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

TaskMachineNet.tmp

pid process

3540 TaskMachineNet.tmp
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

winconSeMg.exewinconSe.exe

pid process

184 winconSeMg.exe
3272 winconSe.exe

pid	process
3540	TaskMachineNet.tmp
3540	TaskMachineNet.tmp

pid	process
3540	TaskMachineNet.tmp

pid	process
184	winconSeMg.exe
3272	winconSe.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

TaskMachineNet.exeTaskMachineNet.tmpwinconSeMg.exe

description	pid	process	target process
PID 2484 wrote to memory of 3540	2484	TaskMachineNet.exe	TaskMachineNet.tmp
PID 2484 wrote to memory of 3540	2484	TaskMachineNet.exe	TaskMachineNet.tmp
PID 2484 wrote to memory of 3540	2484	TaskMachineNet.exe	TaskMachineNet.tmp
PID 3540 wrote to memory of 184	3540	TaskMachineNet.tmp	winconSeMg.exe
PID 3540 wrote to memory of 184	3540	TaskMachineNet.tmp	winconSeMg.exe
PID 3540 wrote to memory of 184	3540	TaskMachineNet.tmp	winconSeMg.exe
PID 3540 wrote to memory of 2896	3540	TaskMachineNet.tmp	cmd.exe
PID 3540 wrote to memory of 2896	3540	TaskMachineNet.tmp	cmd.exe
PID 3540 wrote to memory of 2896	3540	TaskMachineNet.tmp	cmd.exe
PID 184 wrote to memory of 3272	184	winconSeMg.exe	winconSe.exe
PID 184 wrote to memory of 3272	184	winconSeMg.exe	winconSe.exe
PID 184 wrote to memory of 3272	184	winconSeMg.exe	winconSe.exe

C:\Users\Admin\AppData\Local\Temp\TaskMachineNet.exe
"C:\Users\Admin\AppData\Local\Temp\TaskMachineNet.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2484

C:\Users\Admin\AppData\Local\Temp\is-GRBBG.tmp\TaskMachineNet.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GRBBG.tmp\TaskMachineNet.tmp" /SL5="$2011C,4083020,780288,C:\Users\Admin\AppData\Local\Temp\TaskMachineNet.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3540

C:\Users\Admin\AppData\Roaming\WinServiceSup\winconSeMg.exe
"C:\Users\Admin\AppData\Roaming\WinServiceSup\winconSeMg.exe" install
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:184

C:\Users\Admin\AppData\Roaming\WinServiceSup\winconSe.exe
"C:\Users\Admin\AppData\Roaming\WinServiceSup\winconSe.exe"
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\SelfDelete.bat""
3⤵
PID:2896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SelfDelete.bat
MD5
5c1b6223dfd392ba6ff136c291491dfb

SHA1
5d13bcda332b97ca28d67bddf651b606ef642eec

SHA256
9305e990af2b887afa220d3427929a0dce88b69c7aa265f6e6d327af2a90087a

SHA512
d51daeb4f9b02e7b4ced08537b0c49c7e12fc616e07d394b18ab5b875528fe6050b547b0a00d5108a9ec123d070f953d1a1a0de430ba11881cfa3d646d932e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GRBBG.tmp\TaskMachineNet.tmp
MD5
650e4a62107fb4b96626daa3b7b1ff33

SHA1
eec6d946f9c4b6d3ae2670b49d50aa209898da44

SHA256
ab5819e9008109fca8ca5122c62f6b77c86b494903de6f768e84c0b9e3a13669

SHA512
49f89aa91a058d4cc3013d256387135ef26055b6163c7349d9e665cd3869fe5a8ca62720481f81db721d13ce6af1c1991df1be55531ef317d6bba8434209ff90

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GRBBG.tmp\TaskMachineNet.tmp
MD5
650e4a62107fb4b96626daa3b7b1ff33

SHA1
eec6d946f9c4b6d3ae2670b49d50aa209898da44

SHA256
ab5819e9008109fca8ca5122c62f6b77c86b494903de6f768e84c0b9e3a13669

SHA512
49f89aa91a058d4cc3013d256387135ef26055b6163c7349d9e665cd3869fe5a8ca62720481f81db721d13ce6af1c1991df1be55531ef317d6bba8434209ff90

Download Submit
C:\Users\Admin\AppData\Roaming\WinServiceSup\winconSe.exe
MD5
3f12ea2db4cd4f5845fd4a365e1fda55

SHA1
cb01ca598505d465ee5f72544467fc18a08e4a50

SHA256
5b99fd8eb7cae1074be00f6d03620eaeeea071a6faa51bfbf76dc2e5ab7216ab

SHA512
03415d947ceffbedcbd7f996e32d0b03e771e36f55ff1e262b74ee8a7dd3f2e6596997892f53476b7f17fe07da967252a39563652b4cf0d94835416eca3a9588

Download Submit
C:\Users\Admin\AppData\Roaming\WinServiceSup\winconSe.exe
MD5
3f12ea2db4cd4f5845fd4a365e1fda55

SHA1
cb01ca598505d465ee5f72544467fc18a08e4a50

SHA256
5b99fd8eb7cae1074be00f6d03620eaeeea071a6faa51bfbf76dc2e5ab7216ab

SHA512
03415d947ceffbedcbd7f996e32d0b03e771e36f55ff1e262b74ee8a7dd3f2e6596997892f53476b7f17fe07da967252a39563652b4cf0d94835416eca3a9588

Download Submit
C:\Users\Admin\AppData\Roaming\WinServiceSup\winconSeMg.exe
MD5
f835b41c6c9040ff04d9987c09116327

SHA1
eafb2f7e7bd55580c561ef22ae2ed9672ed9c3a7

SHA256
8deb8f1bd3d1cbe822956492234313cbd7505aa4e865b3302388ecf53bfaed7e

SHA512
f9ff76acd7293f1916074f4dd656ae7f3727799da0135d5e756c18df63cac0d4dfc5ba41906a5f8e7de688e6a657c4f321293ac883a1eed68d539b187332f547

Download Submit
C:\Users\Admin\AppData\Roaming\WinServiceSup\winconSeMg.exe
MD5
f835b41c6c9040ff04d9987c09116327

SHA1
eafb2f7e7bd55580c561ef22ae2ed9672ed9c3a7

SHA256
8deb8f1bd3d1cbe822956492234313cbd7505aa4e865b3302388ecf53bfaed7e

SHA512
f9ff76acd7293f1916074f4dd656ae7f3727799da0135d5e756c18df63cac0d4dfc5ba41906a5f8e7de688e6a657c4f321293ac883a1eed68d539b187332f547

Download Submit
memory/184-3-0x0000000000000000-mapping.dmp

Download
memory/2896-5-0x0000000000000000-mapping.dmp

Download
memory/3272-8-0x0000000000000000-mapping.dmp

Download
memory/3540-0-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads