048b796fb78b1a11d598189410f4de21f57094d283fbebaec36fc604b1f66197

General

Target

698d49245a200364157220696c81de87.exe
Size

413KB
MD5

698d49245a200364157220696c81de87
SHA1

75798c020a7e02d49b8140c29541242e2fbfd6f8
SHA256

048b796fb78b1a11d598189410f4de21f57094d283fbebaec36fc604b1f66197
SHA512

07c472955f92fc333e15213177e335c37c6b377e6515e7d2201c6a52fa14034b26ce37217b4768ae872bd230d83295a3add9d46e75de5f01f016339029a1d98a

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

11299.exe

pid process

2020 11299.exe
Deletes itself 1 IoCs

Processes:

11299.exe

pid process

2020 11299.exe
Loads dropped DLL 2 IoCs

Processes:

698d49245a200364157220696c81de87.exe

pid process

788 698d49245a200364157220696c81de87.exe
788 698d49245a200364157220696c81de87.exe

pid	process
2020	11299.exe

pid	process
2020	11299.exe

pid	process
788	698d49245a200364157220696c81de87.exe
788	698d49245a200364157220696c81de87.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

698d49245a200364157220696c81de87.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	698d49245a200364157220696c81de87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{0B448A1A-A7ED-4CA4-8FD3-496E22C778AD} = "C:\\ProgramData\\{7C068637-88A8-4D31-BDD6-3DD62F336A77}\\11299.exe"	698d49245a200364157220696c81de87.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

11299.exe

description pid process

Token: SeDebugPrivilege 2020 11299.exe

description	pid	process
Token: SeDebugPrivilege	2020	11299.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

698d49245a200364157220696c81de87.exe

description	pid	process	target process
PID 788 wrote to memory of 2020	788	698d49245a200364157220696c81de87.exe	11299.exe
PID 788 wrote to memory of 2020	788	698d49245a200364157220696c81de87.exe	11299.exe
PID 788 wrote to memory of 2020	788	698d49245a200364157220696c81de87.exe	11299.exe
PID 788 wrote to memory of 2020	788	698d49245a200364157220696c81de87.exe	11299.exe

C:\Users\Admin\AppData\Local\Temp\698d49245a200364157220696c81de87.exe
"C:\Users\Admin\AppData\Local\Temp\698d49245a200364157220696c81de87.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:788

C:\ProgramData\{7C068637-88A8-4D31-BDD6-3DD62F336A77}\11299.exe
"C:\ProgramData\{7C068637-88A8-4D31-BDD6-3DD62F336A77}\11299.exe"
2⤵
- Executes dropped EXE
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
PID:2020

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{7C068637-88A8-4D31-BDD6-3DD62F336A77}\11299.exe
MD5
698d49245a200364157220696c81de87

SHA1
75798c020a7e02d49b8140c29541242e2fbfd6f8

SHA256
048b796fb78b1a11d598189410f4de21f57094d283fbebaec36fc604b1f66197

SHA512
07c472955f92fc333e15213177e335c37c6b377e6515e7d2201c6a52fa14034b26ce37217b4768ae872bd230d83295a3add9d46e75de5f01f016339029a1d98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B91F1F35505F49E79F553176
MD5
c52991ad07c9816c8eb9f21ba7841773

SHA1
5adf69bfbd2e32a68df88d5a4b706293c01b8b6f

SHA256
c8818e482dc424e12a6d0f0983decdf916640074d2718efa0ff07578d983c3ea

SHA512
7fdc39ae42bb3f6023bb5010faca26abebc683ccfacfc930ee2b979d4a2b4bf5abdd0258af96a6f112a5fe324a278045197071298c0f3d135f147cac83e8a5a9

Download Submit
\ProgramData\{7C068637-88A8-4D31-BDD6-3DD62F336A77}\11299.exe
MD5
698d49245a200364157220696c81de87

SHA1
75798c020a7e02d49b8140c29541242e2fbfd6f8

SHA256
048b796fb78b1a11d598189410f4de21f57094d283fbebaec36fc604b1f66197

SHA512
07c472955f92fc333e15213177e335c37c6b377e6515e7d2201c6a52fa14034b26ce37217b4768ae872bd230d83295a3add9d46e75de5f01f016339029a1d98a

Download Submit
\ProgramData\{7C068637-88A8-4D31-BDD6-3DD62F336A77}\11299.exe
MD5
698d49245a200364157220696c81de87

SHA1
75798c020a7e02d49b8140c29541242e2fbfd6f8

SHA256
048b796fb78b1a11d598189410f4de21f57094d283fbebaec36fc604b1f66197

SHA512
07c472955f92fc333e15213177e335c37c6b377e6515e7d2201c6a52fa14034b26ce37217b4768ae872bd230d83295a3add9d46e75de5f01f016339029a1d98a

Download Submit
memory/788-59-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/788-64-0x00000000001B0000-0x00000000001FD000-memory.dmp

Filesize
308KB

Download
memory/788-65-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2020-62-0x0000000000000000-mapping.dmp

Download
memory/2020-69-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download

Analysis

Sharing