cf2aec2969353dc99a7f715ac818212b42b8cff7a58c9109442f2c65ff62de42

General

Target

467e17b8d44626b7456716680e3d043d.exe
Size

349KB
MD5

467e17b8d44626b7456716680e3d043d
SHA1

6636511ae14abb0f2554199b4ed8977def1d9b8a
SHA256

cf2aec2969353dc99a7f715ac818212b42b8cff7a58c9109442f2c65ff62de42
SHA512

5f3a0f47bfe3f1784849c9ddedc30e489b5d37cbb0a73c488ab58efc7a777d0d5e0c5a5abef63661166003b623224d6990b8baa160d6e398dc804b4c2fb941a7

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader = "C:\\Users\\Admin\\AppData\\Local\\Adobe Reader.exe"	reg.exe

Modifies registry class 1 IoCs

Processes:

calc.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings calc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

520 OpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	calc.exe

pid	process
520	OpenWith.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

467e17b8d44626b7456716680e3d043d.execmd.exe

description	pid	process	target process
PID 808 wrote to memory of 3304	808	467e17b8d44626b7456716680e3d043d.exe	cmd.exe
PID 808 wrote to memory of 3304	808	467e17b8d44626b7456716680e3d043d.exe	cmd.exe
PID 808 wrote to memory of 3304	808	467e17b8d44626b7456716680e3d043d.exe	cmd.exe
PID 3304 wrote to memory of 3036	3304	cmd.exe	reg.exe
PID 3304 wrote to memory of 3036	3304	cmd.exe	reg.exe
PID 3304 wrote to memory of 3036	3304	cmd.exe	reg.exe
PID 808 wrote to memory of 2432	808	467e17b8d44626b7456716680e3d043d.exe	calc.exe
PID 808 wrote to memory of 2432	808	467e17b8d44626b7456716680e3d043d.exe	calc.exe
PID 808 wrote to memory of 2432	808	467e17b8d44626b7456716680e3d043d.exe	calc.exe

C:\Users\Admin\AppData\Local\Temp\467e17b8d44626b7456716680e3d043d.exe
"C:\Users\Admin\AppData\Local\Temp\467e17b8d44626b7456716680e3d043d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\467e17b8d44626b7456716680e3d043d.exe" "C:\Users\%username%\AppData\Local\Adobe Reader.exe" & REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Adobe Reader" /t REG_SZ /F /D "C:\Users\%username%\AppData\Local\Adobe Reader.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3304

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Adobe Reader" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Adobe Reader.exe"
3⤵
- Adds Run key to start application
PID:3036

C:\Windows\SysWOW64\calc.exe
"C:\Windows\System32\calc.exe"
2⤵
- Modifies registry class
PID:2432

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2432-116-0x0000000000000000-mapping.dmp

Download
memory/3036-115-0x0000000000000000-mapping.dmp

Download
memory/3304-114-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing