60e93179fdc24865d5d06c00a6280a224263def03b1d9b081b0edf972ed95ad1

General

Target

0b4ab2b8547d9d49b35788f9da74b439.exe
Size

4.9MB
MD5

0b4ab2b8547d9d49b35788f9da74b439
SHA1

7452326f93c8dc33695dee74e092aabcac462f3b
SHA256

60e93179fdc24865d5d06c00a6280a224263def03b1d9b081b0edf972ed95ad1
SHA512

89d6ca06231f9b9534d6938e1f698c06ee3ab594351940e2e5ec6b1a8079426bbccf20474a9808848885705627a80cf0511df76e4c5c0b8f56f2a09df3e9bb46

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0b4ab2b8547d9d49b35788f9da74b439.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\InstallAgent = "\"C:\\Users\\Admin\\AppData\\Roaming\\InstallAgent\\InstallAgent.exe\""	0b4ab2b8547d9d49b35788f9da74b439.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0b4ab2b8547d9d49b35788f9da74b439.exe

description	pid	Process	procid_target
PID 3992 set thread context of 3016	3992	0b4ab2b8547d9d49b35788f9da74b439.exe	79

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

0b4ab2b8547d9d49b35788f9da74b439.exe

pid	Process
3992	0b4ab2b8547d9d49b35788f9da74b439.exe
3992	0b4ab2b8547d9d49b35788f9da74b439.exe
3992	0b4ab2b8547d9d49b35788f9da74b439.exe
3992	0b4ab2b8547d9d49b35788f9da74b439.exe
3992	0b4ab2b8547d9d49b35788f9da74b439.exe
3992	0b4ab2b8547d9d49b35788f9da74b439.exe
3992	0b4ab2b8547d9d49b35788f9da74b439.exe
3992	0b4ab2b8547d9d49b35788f9da74b439.exe
3992	0b4ab2b8547d9d49b35788f9da74b439.exe
3992	0b4ab2b8547d9d49b35788f9da74b439.exe
3992	0b4ab2b8547d9d49b35788f9da74b439.exe
3992	0b4ab2b8547d9d49b35788f9da74b439.exe
3992	0b4ab2b8547d9d49b35788f9da74b439.exe
3992	0b4ab2b8547d9d49b35788f9da74b439.exe
3992	0b4ab2b8547d9d49b35788f9da74b439.exe
3992	0b4ab2b8547d9d49b35788f9da74b439.exe
3992	0b4ab2b8547d9d49b35788f9da74b439.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0b4ab2b8547d9d49b35788f9da74b439.exe

description	pid	Process
Token: SeDebugPrivilege	3992	0b4ab2b8547d9d49b35788f9da74b439.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0b4ab2b8547d9d49b35788f9da74b439.exe

description	pid	Process	procid_target
PID 3992 wrote to memory of 3016	3992	0b4ab2b8547d9d49b35788f9da74b439.exe	79
PID 3992 wrote to memory of 3016	3992	0b4ab2b8547d9d49b35788f9da74b439.exe	79
PID 3992 wrote to memory of 3016	3992	0b4ab2b8547d9d49b35788f9da74b439.exe	79
PID 3992 wrote to memory of 3016	3992	0b4ab2b8547d9d49b35788f9da74b439.exe	79
PID 3992 wrote to memory of 3016	3992	0b4ab2b8547d9d49b35788f9da74b439.exe	79
PID 3992 wrote to memory of 3016	3992	0b4ab2b8547d9d49b35788f9da74b439.exe	79

C:\Users\Admin\AppData\Local\Temp\0b4ab2b8547d9d49b35788f9da74b439.exe
"C:\Users\Admin\AppData\Local\Temp\0b4ab2b8547d9d49b35788f9da74b439.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Users\Admin\AppData\Local\Temp\0b4ab2b8547d9d49b35788f9da74b439.exe
  C:\Users\Admin\AppData\Local\Temp\0b4ab2b8547d9d49b35788f9da74b439.exe
  2⤵
  PID:3016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0b4ab2b8547d9d49b35788f9da74b439.exe.log

MD5
b06e5d6c8214be4608b8c198376f0eee

SHA1
6e0c6c98db308abd93600784b99a9fecbcdf3925

SHA256
d771781af6b667b92e20d3e59fd0a470faeb137cb1bfb463b53c8c7c35514adb

SHA512
65992a063a9b22582251c346fc458ff3da87a8f1165285ba1e2f5abbb2c646a9f8c4a67307d0000254654406dbb48aec13bfc68d6bfddab5028822fd2a0842c3

Download Submit
memory/3016-126-0x0000000140000000-mapping.dmp

Download
memory/3016-125-0x0000000140000000-0x00000001407EA000-memory.dmp

Filesize
7.9MB

Download
memory/3992-114-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/3992-116-0x0000000001720000-0x0000000001722000-memory.dmp

Filesize
8KB

Download
memory/3992-121-0x000000001C5D0000-0x000000001C5D2000-memory.dmp

Filesize
8KB

Download
memory/3992-122-0x00000000034D0000-0x00000000034E7000-memory.dmp

Filesize
92KB

Download
memory/3992-123-0x000000001C5D2000-0x000000001C5D4000-memory.dmp

Filesize
8KB

Download
memory/3992-124-0x000000001C5D4000-0x000000001C5D6000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads