3864000bdce54306e787beb73fbb02642f7a539a2c255fc6e76dcbe2e685c733

General

Target

121.exe
Size

3.6MB
MD5

efb2808e93c3f53bdc896c2957cc9b87
SHA1

82fa8aa8a75a1194232ec186bb73266f7b76d56f
SHA256

3864000bdce54306e787beb73fbb02642f7a539a2c255fc6e76dcbe2e685c733
SHA512

9db24f6bac562b27512583362f00082d14aeb20a6dd10356c6fc154ef467ae1121bf317e782d017f16e7b7e8cbd1859d82494308c2bfb5b3ff5975c53c0cd6c2

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

InstallUtil.exeInstallUtil.exeInstallUtil.exefile.exe

pid process

3664 InstallUtil.exe
3948 InstallUtil.exe
204 InstallUtil.exe
1632 file.exe

pid	process
3664	InstallUtil.exe
3948	InstallUtil.exe
204	InstallUtil.exe
1632	file.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\file = "C:\\Users\\Admin\\Documents\\file.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

121.exeInstallUtil.exeInstallUtil.exe

description	pid	process	target process
PID 1156 set thread context of 3664	1156	121.exe	InstallUtil.exe
PID 3664 set thread context of 3948	3664	InstallUtil.exe	InstallUtil.exe
PID 3948 set thread context of 204	3948	InstallUtil.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

121.exeInstallUtil.exeInstallUtil.exeInstallUtil.exe

pid	process
1156	121.exe
1156	121.exe
3664	InstallUtil.exe
3664	InstallUtil.exe
3948	InstallUtil.exe
3948	InstallUtil.exe
204	InstallUtil.exe
204	InstallUtil.exe
204	InstallUtil.exe
204	InstallUtil.exe
204	InstallUtil.exe
204	InstallUtil.exe
204	InstallUtil.exe
204	InstallUtil.exe
204	InstallUtil.exe
204	InstallUtil.exe
204	InstallUtil.exe
204	InstallUtil.exe
204	InstallUtil.exe
204	InstallUtil.exe
204	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

121.exeInstallUtil.exeInstallUtil.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	1156	121.exe
Token: SeDebugPrivilege	3664	InstallUtil.exe
Token: SeDebugPrivilege	3948	InstallUtil.exe
Token: SeDebugPrivilege	204	InstallUtil.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

121.exeInstallUtil.exeInstallUtil.exeInstallUtil.execmd.exe

description	pid	process	target process
PID 1156 wrote to memory of 3664	1156	121.exe	InstallUtil.exe
PID 1156 wrote to memory of 3664	1156	121.exe	InstallUtil.exe
PID 1156 wrote to memory of 3664	1156	121.exe	InstallUtil.exe
PID 1156 wrote to memory of 3664	1156	121.exe	InstallUtil.exe
PID 1156 wrote to memory of 3664	1156	121.exe	InstallUtil.exe
PID 1156 wrote to memory of 3664	1156	121.exe	InstallUtil.exe
PID 1156 wrote to memory of 3664	1156	121.exe	InstallUtil.exe
PID 1156 wrote to memory of 3664	1156	121.exe	InstallUtil.exe
PID 3664 wrote to memory of 3948	3664	InstallUtil.exe	InstallUtil.exe
PID 3664 wrote to memory of 3948	3664	InstallUtil.exe	InstallUtil.exe
PID 3664 wrote to memory of 3948	3664	InstallUtil.exe	InstallUtil.exe
PID 3664 wrote to memory of 3948	3664	InstallUtil.exe	InstallUtil.exe
PID 3664 wrote to memory of 3948	3664	InstallUtil.exe	InstallUtil.exe
PID 3664 wrote to memory of 3948	3664	InstallUtil.exe	InstallUtil.exe
PID 3664 wrote to memory of 3948	3664	InstallUtil.exe	InstallUtil.exe
PID 3664 wrote to memory of 3948	3664	InstallUtil.exe	InstallUtil.exe
PID 3948 wrote to memory of 204	3948	InstallUtil.exe	InstallUtil.exe
PID 3948 wrote to memory of 204	3948	InstallUtil.exe	InstallUtil.exe
PID 3948 wrote to memory of 204	3948	InstallUtil.exe	InstallUtil.exe
PID 3948 wrote to memory of 204	3948	InstallUtil.exe	InstallUtil.exe
PID 3948 wrote to memory of 204	3948	InstallUtil.exe	InstallUtil.exe
PID 3948 wrote to memory of 204	3948	InstallUtil.exe	InstallUtil.exe
PID 3948 wrote to memory of 204	3948	InstallUtil.exe	InstallUtil.exe
PID 3948 wrote to memory of 204	3948	InstallUtil.exe	InstallUtil.exe
PID 204 wrote to memory of 3052	204	InstallUtil.exe	cmd.exe
PID 204 wrote to memory of 3052	204	InstallUtil.exe	cmd.exe
PID 204 wrote to memory of 3052	204	InstallUtil.exe	cmd.exe
PID 3052 wrote to memory of 2040	3052	cmd.exe	reg.exe
PID 3052 wrote to memory of 2040	3052	cmd.exe	reg.exe
PID 3052 wrote to memory of 2040	3052	cmd.exe	reg.exe
PID 204 wrote to memory of 1632	204	InstallUtil.exe	file.exe
PID 204 wrote to memory of 1632	204	InstallUtil.exe	file.exe
PID 204 wrote to memory of 1632	204	InstallUtil.exe	file.exe

C:\Users\Admin\AppData\Local\Temp\121.exe
"C:\Users\Admin\AppData\Local\Temp\121.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3664

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3948

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:204

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "file" /t REG_SZ /d "C:\Users\Admin\Documents\file.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "file" /t REG_SZ /d "C:\Users\Admin\Documents\file.exe"
6⤵
- Adds Run key to start application
PID:2040

C:\Users\Admin\Documents\file.exe
"C:\Users\Admin\Documents\file.exe"
5⤵
- Executes dropped EXE
PID:1632

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
MD5
c820f09a0724473fd6684dd8b9c64fb1

SHA1
942b2f32ba228d7b94dbcf4ab070a42dc9f32e2e

SHA256
7e1b78804f89cd762348a40693f64baa0a4b862eddfc0b9d2cc76468800bd1cf

SHA512
d13768677837673826302113e280bb1e9241b0000028e0709bc07fa59dce393ed9f828aa761349e89c0ebedfbac78723dac376bb00b0e2b8707b2379163ce907

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\Documents\file.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\Documents\file.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
memory/204-40-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download
memory/204-38-0x000000000045C4DE-mapping.dmp

Download
memory/204-37-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1156-10-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/1156-5-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/1156-3-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/1156-2-0x0000000073CB0000-0x000000007439E000-memory.dmp

Filesize
6.9MB

Download
memory/1156-9-0x0000000004CF0000-0x0000000004CFB000-memory.dmp

Filesize
44KB

Download
memory/1156-8-0x0000000007B70000-0x0000000007B71000-memory.dmp

Filesize
4KB

Download
memory/1156-7-0x0000000002C40000-0x0000000002C41000-memory.dmp

Filesize
4KB

Download
memory/1156-6-0x0000000000EE0000-0x0000000000EFE000-memory.dmp

Filesize
120KB

Download
memory/1632-54-0x0000000001120000-0x0000000001121000-memory.dmp

Filesize
4KB

Download
memory/1632-53-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/1632-52-0x0000000073D50000-0x000000007443E000-memory.dmp

Filesize
6.9MB

Download
memory/1632-49-0x0000000000000000-mapping.dmp

Download
memory/2040-48-0x0000000000000000-mapping.dmp

Download
memory/3052-47-0x0000000000000000-mapping.dmp

Download
memory/3664-15-0x0000000073CB0000-0x000000007439E000-memory.dmp

Filesize
6.9MB

Download
memory/3664-12-0x00000000005E59CE-mapping.dmp

Download
memory/3664-16-0x0000000000600000-0x00000000007EA000-memory.dmp

Filesize
1.9MB

Download
memory/3948-28-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download
memory/3948-25-0x00000000004E2CAE-mapping.dmp

Download
memory/3948-24-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads