acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e

General

Target

acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe
Size

32KB
MD5

7c18f2fbf9ebcb78c6cb3bd7ff979121
SHA1

f6e860b1915df914e0ccd795a8e77fd156610715
SHA256

acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e
SHA512

9e5406953812d0b5027415d259e4c4f7da54b8c3b67f5ef176df7efa69456ca2c49c240a419d4d5f8d6506a90d237f1e6fe1373fdb44930892ac79567646b626

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

regedit.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHttp = "C:\\Users\\Admin\\AppData\\Local\\WinHttp.exe"	regedit.exe

Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

1216 regedit.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe

pid process

3176 acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe

pid	process
1216	regedit.exe

pid	process
3176	acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe

description	pid	process	target process
PID 3176 wrote to memory of 1216	3176	acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe	regedit.exe
PID 3176 wrote to memory of 1216	3176	acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe	regedit.exe
PID 3176 wrote to memory of 1216	3176	acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe	regedit.exe
PID 3176 wrote to memory of 2180	3176	acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe	cmd.exe
PID 3176 wrote to memory of 2180	3176	acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe	cmd.exe
PID 3176 wrote to memory of 2180	3176	acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe
"C:\Users\Admin\AppData\Local\Temp\acd57ee03a2b23bcddf23aebfdd27c6c06829fa4e0d3b8b9f913455a23c4ed7e.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\Users\Admin\AppData\Local\Temp\~dfds3.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:1216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c a.bat
  2⤵
  PID:2180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a.bat

MD5
2d10dd235c538ea1b019ae05e89d812c

SHA1
815a72042573a992935c75f159b0fa291ccc49a0

SHA256
403434524aa643d010abde67414dcfadd33773e374d193a663a45b68528af06f

SHA512
0cbf14c0f8590ec20db30760cce6f61dcc1ffd53ab67d86c48f8daea484aaff341bf77ea50a99f2b577933db4901d820f5c0925df85f808492bac6d0ab10333d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~dfds3.reg

MD5
f44153ef26be29552cf320325ad8b72e

SHA1
74ac72ba2ff0f871e59b11c95ad707372662370c

SHA256
767009fb8726500a4bc54b2ee744cc3ada64fdf16a44e22ff9dfe7652e2a439f

SHA512
1d42a4dba1d8d0df9f8fedfba384ffdbcff3103c8ba360f255b5d7e8a46128f40521e4d16cf6de04365b3b6ffad8bc681cf7042d92867ab3d912601a3d5e6e65

Download Submit
C:\Users\Admin\AppData\Local\WinHttp.exe.tmp1

MD5
3aabf8e5a75b0d49747c0c5216e953e6

SHA1
518a578d4f46e18c72a64d7f40a6a17243c5a4ef

SHA256
e08be20ca135324d7def56349bbdf20d3d34156a783f48f3ec397ce32d8bf940

SHA512
90ebdf70e26176ca39d8496624b9ac2bbae46127fc2fb9a7c63a5acbbea108c968b2d465c494541a5f89d551cac9a462eacaf96d8fdb816d14eb2d0a7c017f70

Download Submit
memory/1216-114-0x0000000000000000-mapping.dmp

Download
memory/2180-116-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing