acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e

General

Target

acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe
Size

32KB
MD5

7c18f2fbf9ebcb78c6cb3bd7ff979121
SHA1

f6e860b1915df914e0ccd795a8e77fd156610715
SHA256

acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e
SHA512

9e5406953812d0b5027415d259e4c4f7da54b8c3b67f5ef176df7efa69456ca2c49c240a419d4d5f8d6506a90d237f1e6fe1373fdb44930892ac79567646b626

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1988 cmd.exe

pid	process
1988	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

regedit.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\W32Time = "C:\\Users\\Admin\\AppData\\Local\\W32Time.exe"	regedit.exe

Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

1364 regedit.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe

pid process

1348 acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe

pid	process
1364	regedit.exe

pid	process
1348	acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe

description	pid	process	target process
PID 1348 wrote to memory of 1364	1348	acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe	regedit.exe
PID 1348 wrote to memory of 1364	1348	acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe	regedit.exe
PID 1348 wrote to memory of 1364	1348	acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe	regedit.exe
PID 1348 wrote to memory of 1364	1348	acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe	regedit.exe
PID 1348 wrote to memory of 1364	1348	acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe	regedit.exe
PID 1348 wrote to memory of 1364	1348	acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe	regedit.exe
PID 1348 wrote to memory of 1364	1348	acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe	regedit.exe
PID 1348 wrote to memory of 1988	1348	acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe	cmd.exe
PID 1348 wrote to memory of 1988	1348	acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe	cmd.exe
PID 1348 wrote to memory of 1988	1348	acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe	cmd.exe
PID 1348 wrote to memory of 1988	1348	acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe	cmd.exe
PID 1348 wrote to memory of 1988	1348	acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe	cmd.exe
PID 1348 wrote to memory of 1988	1348	acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe	cmd.exe
PID 1348 wrote to memory of 1988	1348	acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe
"C:\Users\Admin\AppData\Local\Temp\acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\regedit.exe
regedit.exe /s C:\Users\Admin\AppData\Local\Temp\~dfds3.reg
2⤵
- Adds Run key to start application
- Runs .reg file with regedit
PID:1364

C:\Windows\SysWOW64\cmd.exe
cmd /c a.bat
2⤵
- Deletes itself
PID:1988

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a.bat
MD5
34fd34f489afdedabc6316e5e6f19b69

SHA1
e53e52f5e3d1919835ff62c90b6b0e1c67f3cbee

SHA256
e4d500c109d16c2b781cf7ad15dcbc25d863a82e0488b250a92060c9e0490703

SHA512
1a8b312b8cfe120d8b18b555438840582f4a759c569c132be1007aaf28d2c88c3d78ff9f45d46263e28d1b0853af53e97c0c37f0fc968bf65347e192b4655bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\~dfds3.reg
MD5
b208d2096068d5f7bbce9e8f94658bee

SHA1
8a61e6f353f08bc2c1a6a3dfb3d027ea4d3d33e2

SHA256
84d8c5629167d263d597ee78d195927e0776d3cf441bcd8ea70d308c62bbaadd

SHA512
143fd96688024af6d5096e97dfd0ddafb7514cf577df43bb4ae4c82e851dac4ce1b8fce0d3955907721268d1d1dd70826455d0d114dce42d17e27b9d4ccff20b

Download Submit
C:\Users\Admin\AppData\Local\W32Time.exe.tmp1
MD5
0643fa1360d08ef54c18ed7542f6c7b2

SHA1
e70c2971ce777c1b39398d9183dc6c11eb6fb54b

SHA256
80e3f1056bf1aca9726e451c891d0dbd33350ba79f7969b8b65ebb65d07e7280

SHA512
453b6d19b04fbb2901e3eddfbb04f323b4cbe627a948c62c9b3a418fc298b0c40bc80ce661df0d8a821899a818ab70668a7223058d020838d0275acc1430f0da

Download Submit
memory/1348-60-0x00000000762C1000-0x00000000762C3000-memory.dmp

Filesize
8KB

Download
memory/1364-61-0x0000000000000000-mapping.dmp

Download
memory/1988-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing