1aff8c8fc2bc03ccd0023e9e6b63075f9bd7cd856b13f6f3d8ed6ef9a0c88acb

General

Target

aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe
Size

161KB
MD5

7192c0bd9f8bc32f896405258120c991
SHA1

a85b84c35c3178c50dd22e77a0f3872158b16208
SHA256

aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f
SHA512

2382ce453b1299c5e6765faf9e800baceec93b23ce05443dc726f15f515003bc17d41e4ed4c236566ab802a2647e4021ebd5c612d4c51a1d02dcbedf553e3c36

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\53504 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\ccyibbapa.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msiexec.exe

Blocklisted process makes network request 37 IoCs

Processes:

msiexec.exe

flow	pid	process
12	936	msiexec.exe
13	936	msiexec.exe
14	936	msiexec.exe
15	936	msiexec.exe
16	936	msiexec.exe
18	936	msiexec.exe
19	936	msiexec.exe
20	936	msiexec.exe
21	936	msiexec.exe
24	936	msiexec.exe
25	936	msiexec.exe
26	936	msiexec.exe
27	936	msiexec.exe
28	936	msiexec.exe
29	936	msiexec.exe
30	936	msiexec.exe
31	936	msiexec.exe
32	936	msiexec.exe
33	936	msiexec.exe
34	936	msiexec.exe
35	936	msiexec.exe
36	936	msiexec.exe
37	936	msiexec.exe
38	936	msiexec.exe
40	936	msiexec.exe
41	936	msiexec.exe
42	936	msiexec.exe
43	936	msiexec.exe
44	936	msiexec.exe
45	936	msiexec.exe
46	936	msiexec.exe
47	936	msiexec.exe
48	936	msiexec.exe
49	936	msiexec.exe
50	936	msiexec.exe
51	936	msiexec.exe
52	936	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe

description	pid	process	target process
PID 632 set thread context of 196	632	aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe	aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe

Drops file in Program Files directory 1 IoCs

Processes:

msiexec.exe

description ioc process

File created C:\PROGRA~3\LOCALS~1\Temp\ccyibbapa.exe msiexec.exe

description	ioc	process
File created	C:\PROGRA~3\LOCALS~1\Temp\ccyibbapa.exe	msiexec.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe

pid	process
196	aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe
196	aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exeaaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe

description	pid	process	target process
PID 632 wrote to memory of 196	632	aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe	aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe
PID 632 wrote to memory of 196	632	aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe	aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe
PID 632 wrote to memory of 196	632	aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe	aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe
PID 632 wrote to memory of 196	632	aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe	aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe
PID 632 wrote to memory of 196	632	aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe	aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe
PID 632 wrote to memory of 196	632	aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe	aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe
PID 196 wrote to memory of 936	196	aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe	msiexec.exe
PID 196 wrote to memory of 936	196	aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe	msiexec.exe
PID 196 wrote to memory of 936	196	aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe
"C:\Users\Admin\AppData\Local\Temp\aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:632

C:\Users\Admin\AppData\Local\Temp\aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe
"C:\Users\Admin\AppData\Local\Temp\aaeb41df199f1f1ff43ea44a9e70977fd66b050903fd9ed63c08fd74f331530f.exe"
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:196

C:\Windows\syswow64\msiexec.exe
C:\Windows\syswow64\msiexec.exe
3⤵
- Adds policy Run key to start application
- Blocklisted process makes network request
- Drops file in Program Files directory
PID:936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/196-114-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/196-115-0x0000000000407930-mapping.dmp

Download
memory/196-119-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/936-116-0x0000000000000000-mapping.dmp

Download
memory/936-121-0x0000000000700000-0x0000000000705000-memory.dmp

Filesize
20KB

Download
memory/936-120-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads