87fce4a9bf5b5a94b0a722c3061fd931a2fadd301880801b64a1e78d79bb67c5

General

Target

8b95e282a3fefcee4d094d127f67c9e4.exe
Size

401KB
MD5

8b95e282a3fefcee4d094d127f67c9e4
SHA1

916dcb8bded24f04f3c9dad9d5371495a2b8e6a9
SHA256

87fce4a9bf5b5a94b0a722c3061fd931a2fadd301880801b64a1e78d79bb67c5
SHA512

8e265c4861f9d10dbbb1cdbaa93d8e698371908835f3ba2554eb8d1b03b9f5955f1ca09219cc99efeccf708c20f605ffb5154c10e3a686a7c538d2e0699bf487

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

11299.exe

pid process

2024 11299.exe
Deletes itself 1 IoCs

Processes:

11299.exe

pid process

2024 11299.exe
Loads dropped DLL 2 IoCs

Processes:

8b95e282a3fefcee4d094d127f67c9e4.exe

pid process

1684 8b95e282a3fefcee4d094d127f67c9e4.exe
1684 8b95e282a3fefcee4d094d127f67c9e4.exe

pid	process
2024	11299.exe

pid	process
2024	11299.exe

pid	process
1684	8b95e282a3fefcee4d094d127f67c9e4.exe
1684	8b95e282a3fefcee4d094d127f67c9e4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8b95e282a3fefcee4d094d127f67c9e4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	8b95e282a3fefcee4d094d127f67c9e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{0B448A1A-A7ED-4CA4-8FD3-496E22C778AD} = "C:\\ProgramData\\{7C068637-88A8-4D31-BDD6-3DD62F336A77}\\11299.exe"	8b95e282a3fefcee4d094d127f67c9e4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

11299.exe

description pid process

Token: SeDebugPrivilege 2024 11299.exe

description	pid	process
Token: SeDebugPrivilege	2024	11299.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

8b95e282a3fefcee4d094d127f67c9e4.exe

description	pid	process	target process
PID 1684 wrote to memory of 2024	1684	8b95e282a3fefcee4d094d127f67c9e4.exe	11299.exe
PID 1684 wrote to memory of 2024	1684	8b95e282a3fefcee4d094d127f67c9e4.exe	11299.exe
PID 1684 wrote to memory of 2024	1684	8b95e282a3fefcee4d094d127f67c9e4.exe	11299.exe
PID 1684 wrote to memory of 2024	1684	8b95e282a3fefcee4d094d127f67c9e4.exe	11299.exe

C:\Users\Admin\AppData\Local\Temp\8b95e282a3fefcee4d094d127f67c9e4.exe
"C:\Users\Admin\AppData\Local\Temp\8b95e282a3fefcee4d094d127f67c9e4.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1684
- C:\ProgramData\{7C068637-88A8-4D31-BDD6-3DD62F336A77}\11299.exe
  "C:\ProgramData\{7C068637-88A8-4D31-BDD6-3DD62F336A77}\11299.exe"
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Suspicious use of AdjustPrivilegeToken
  PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{7C068637-88A8-4D31-BDD6-3DD62F336A77}\11299.exe

MD5
8b95e282a3fefcee4d094d127f67c9e4

SHA1
916dcb8bded24f04f3c9dad9d5371495a2b8e6a9

SHA256
87fce4a9bf5b5a94b0a722c3061fd931a2fadd301880801b64a1e78d79bb67c5

SHA512
8e265c4861f9d10dbbb1cdbaa93d8e698371908835f3ba2554eb8d1b03b9f5955f1ca09219cc99efeccf708c20f605ffb5154c10e3a686a7c538d2e0699bf487

Download Submit
C:\Users\Admin\AppData\Local\Temp\B91F1F35505F49E79F553176

MD5
4e5ba64c936f250a1275ac219802699a

SHA1
b4571ebc77d197b44be0fe77c66ec3722e1555a0

SHA256
8f5fb551d16ca3c7e470ff784fc6af53ad4afce022063428008ae6049207a8db

SHA512
55021dd49691d1f797268a039ce49ff69c3fee146f2b31cbf1b4e3edfcb9701b074417c09d4ba65f8daa028eed6a60fa80f3d63a62be73d58f0ea3509ff32b40

Download Submit
\ProgramData\{7C068637-88A8-4D31-BDD6-3DD62F336A77}\11299.exe

MD5
8b95e282a3fefcee4d094d127f67c9e4

SHA1
916dcb8bded24f04f3c9dad9d5371495a2b8e6a9

SHA256
87fce4a9bf5b5a94b0a722c3061fd931a2fadd301880801b64a1e78d79bb67c5

SHA512
8e265c4861f9d10dbbb1cdbaa93d8e698371908835f3ba2554eb8d1b03b9f5955f1ca09219cc99efeccf708c20f605ffb5154c10e3a686a7c538d2e0699bf487

Download Submit
\ProgramData\{7C068637-88A8-4D31-BDD6-3DD62F336A77}\11299.exe

MD5
8b95e282a3fefcee4d094d127f67c9e4

SHA1
916dcb8bded24f04f3c9dad9d5371495a2b8e6a9

SHA256
87fce4a9bf5b5a94b0a722c3061fd931a2fadd301880801b64a1e78d79bb67c5

SHA512
8e265c4861f9d10dbbb1cdbaa93d8e698371908835f3ba2554eb8d1b03b9f5955f1ca09219cc99efeccf708c20f605ffb5154c10e3a686a7c538d2e0699bf487

Download Submit
memory/1684-60-0x0000000000270000-0x00000000002BD000-memory.dmp

Filesize
308KB

Download
memory/1684-61-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1684-62-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/2024-65-0x0000000000000000-mapping.dmp

Download
memory/2024-70-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing