a7d4ad5e6eedf5be0ad6f9ffc704827b7c1e9aeb12d440c847031af8d4d1f7b1

General

Target

e533bf0348f9a5c018fc4eaea2b4138d.exe
Size

440KB
MD5

e533bf0348f9a5c018fc4eaea2b4138d
SHA1

17d0fd9f96bf5759997197237deedbd37cad3c15
SHA256

a7d4ad5e6eedf5be0ad6f9ffc704827b7c1e9aeb12d440c847031af8d4d1f7b1
SHA512

a5483525cc05208cf506b4af2313e49c16896c33903210a9d3975b78e00af825bfe6d73e57ca69aeb300d2bd2a1d47ce3ee6394c4eaf422b7aaa5ff97a0fbef3

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

11299.exe

pid process

664 11299.exe
Deletes itself 1 IoCs

Processes:

11299.exe

pid process

664 11299.exe
Loads dropped DLL 2 IoCs

Processes:

e533bf0348f9a5c018fc4eaea2b4138d.exe

pid process

1848 e533bf0348f9a5c018fc4eaea2b4138d.exe
1848 e533bf0348f9a5c018fc4eaea2b4138d.exe

pid	process
664	11299.exe

pid	process
664	11299.exe

pid	process
1848	e533bf0348f9a5c018fc4eaea2b4138d.exe
1848	e533bf0348f9a5c018fc4eaea2b4138d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e533bf0348f9a5c018fc4eaea2b4138d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	e533bf0348f9a5c018fc4eaea2b4138d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{0B448A1A-A7ED-4CA4-8FD3-496E22C778AD} = "C:\\ProgramData\\{7C068637-88A8-4D31-BDD6-3DD62F336A77}\\11299.exe"	e533bf0348f9a5c018fc4eaea2b4138d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

11299.exe

description pid process

Token: SeDebugPrivilege 664 11299.exe

description	pid	process
Token: SeDebugPrivilege	664	11299.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

e533bf0348f9a5c018fc4eaea2b4138d.exe

description	pid	process	target process
PID 1848 wrote to memory of 664	1848	e533bf0348f9a5c018fc4eaea2b4138d.exe	11299.exe
PID 1848 wrote to memory of 664	1848	e533bf0348f9a5c018fc4eaea2b4138d.exe	11299.exe
PID 1848 wrote to memory of 664	1848	e533bf0348f9a5c018fc4eaea2b4138d.exe	11299.exe
PID 1848 wrote to memory of 664	1848	e533bf0348f9a5c018fc4eaea2b4138d.exe	11299.exe

C:\Users\Admin\AppData\Local\Temp\e533bf0348f9a5c018fc4eaea2b4138d.exe
"C:\Users\Admin\AppData\Local\Temp\e533bf0348f9a5c018fc4eaea2b4138d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1848

C:\ProgramData\{7C068637-88A8-4D31-BDD6-3DD62F336A77}\11299.exe
"C:\ProgramData\{7C068637-88A8-4D31-BDD6-3DD62F336A77}\11299.exe"
2⤵
- Executes dropped EXE
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
PID:664

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{7C068637-88A8-4D31-BDD6-3DD62F336A77}\11299.exe
MD5
e533bf0348f9a5c018fc4eaea2b4138d

SHA1
17d0fd9f96bf5759997197237deedbd37cad3c15

SHA256
a7d4ad5e6eedf5be0ad6f9ffc704827b7c1e9aeb12d440c847031af8d4d1f7b1

SHA512
a5483525cc05208cf506b4af2313e49c16896c33903210a9d3975b78e00af825bfe6d73e57ca69aeb300d2bd2a1d47ce3ee6394c4eaf422b7aaa5ff97a0fbef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\B91F1F35505F49E79F553176
MD5
4d8afa43b39a0ca1af1a8442c575af63

SHA1
aeae417fb0795e23cf1a1f04696072f6c2f998ac

SHA256
4c0818d272b71aa2c721a5003a0b69cfa0d37610860ff525df5303f366a97db4

SHA512
db1446e73ced316f95c33a984b4ff8d2578e3652b9ededa7fd0f3950d687d8011f4005b72d297e65db700b7172c439424c36a0a8f21e0e8e0e58d0107130d58a

Download Submit
\ProgramData\{7C068637-88A8-4D31-BDD6-3DD62F336A77}\11299.exe
MD5
e533bf0348f9a5c018fc4eaea2b4138d

SHA1
17d0fd9f96bf5759997197237deedbd37cad3c15

SHA256
a7d4ad5e6eedf5be0ad6f9ffc704827b7c1e9aeb12d440c847031af8d4d1f7b1

SHA512
a5483525cc05208cf506b4af2313e49c16896c33903210a9d3975b78e00af825bfe6d73e57ca69aeb300d2bd2a1d47ce3ee6394c4eaf422b7aaa5ff97a0fbef3

Download Submit
\ProgramData\{7C068637-88A8-4D31-BDD6-3DD62F336A77}\11299.exe
MD5
e533bf0348f9a5c018fc4eaea2b4138d

SHA1
17d0fd9f96bf5759997197237deedbd37cad3c15

SHA256
a7d4ad5e6eedf5be0ad6f9ffc704827b7c1e9aeb12d440c847031af8d4d1f7b1

SHA512
a5483525cc05208cf506b4af2313e49c16896c33903210a9d3975b78e00af825bfe6d73e57ca69aeb300d2bd2a1d47ce3ee6394c4eaf422b7aaa5ff97a0fbef3

Download Submit
memory/664-65-0x0000000000000000-mapping.dmp

Download
memory/664-70-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1848-60-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/1848-61-0x00000000002E0000-0x000000000032D000-memory.dmp

Filesize
308KB

Download
memory/1848-62-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download

Analysis

Sharing