02151539f5f9f89a9021ea2914bb520772ae1c8deb938b0646c4a319367e4744

General

Target

02151539f5f9f89a9021ea2914bb520772ae1c8deb938b0646c4a319367e4744.exe
Size

96KB
MD5

b85e836c181e4b209d56c0d2df72d53e
SHA1

e3bf80c50892d44db8391f00b3329863a9d19993
SHA256

02151539f5f9f89a9021ea2914bb520772ae1c8deb938b0646c4a319367e4744
SHA512

0b767f55b1033e1340c0a98c0a880bdac102f6de79520cc868c357c1d0e54de70f76798398d16167dfed8594a83ff012050cfc57aa9c63f1343f9d12160220bb

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
640	w3wpdiag.exe
1008	w3wpdiag.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc	02151539f5f9f89a9021ea2914bb520772ae1c8deb938b0646c4a319367e4744.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	w3wpdiag.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\w3wpdiag.exe	02151539f5f9f89a9021ea2914bb520772ae1c8deb938b0646c4a319367e4744.exe
File created	C:\Windows\system32\System.Web.Helpers.dll	02151539f5f9f89a9021ea2914bb520772ae1c8deb938b0646c4a319367e4744.exe
File opened for modification	C:\Windows\system32\System.Web.Helpers.dll	02151539f5f9f89a9021ea2914bb520772ae1c8deb938b0646c4a319367e4744.exe
File opened for modification	C:\Windows\system32\InstallUtil.InstallLog	w3wpdiag.exe
File opened for modification	C:\Windows\system32\w3wpdiag.InstallLog	w3wpdiag.exe
File created	C:\Windows\system32\w3wpdiag.InstallState	w3wpdiag.exe
File created	C:\Windows\system32\w3wpdiag.exe	02151539f5f9f89a9021ea2914bb520772ae1c8deb938b0646c4a319367e4744.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 772	1668	02151539f5f9f89a9021ea2914bb520772ae1c8deb938b0646c4a319367e4744.exe	29
PID 1668 wrote to memory of 772	1668	02151539f5f9f89a9021ea2914bb520772ae1c8deb938b0646c4a319367e4744.exe	29
PID 1668 wrote to memory of 772	1668	02151539f5f9f89a9021ea2914bb520772ae1c8deb938b0646c4a319367e4744.exe	29
PID 772 wrote to memory of 640	772	cmd.exe	31
PID 772 wrote to memory of 640	772	cmd.exe	31
PID 772 wrote to memory of 640	772	cmd.exe	31
PID 1668 wrote to memory of 1548	1668	02151539f5f9f89a9021ea2914bb520772ae1c8deb938b0646c4a319367e4744.exe	33
PID 1668 wrote to memory of 1548	1668	02151539f5f9f89a9021ea2914bb520772ae1c8deb938b0646c4a319367e4744.exe	33
PID 1668 wrote to memory of 1548	1668	02151539f5f9f89a9021ea2914bb520772ae1c8deb938b0646c4a319367e4744.exe	33

C:\Users\Admin\AppData\Local\Temp\02151539f5f9f89a9021ea2914bb520772ae1c8deb938b0646c4a319367e4744.exe
"C:\Users\Admin\AppData\Local\Temp\02151539f5f9f89a9021ea2914bb520772ae1c8deb938b0646c4a319367e4744.exe"
1⤵
- Windows security modification
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c w3wpdiag.exe -install
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\system32\w3wpdiag.exe
    w3wpdiag.exe -install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:640
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c del *.InstallLog *.InstallState
  2⤵
  PID:1548

C:\Windows\system32\w3wpdiag.exe
"C:\Windows\system32\w3wpdiag.exe"
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\w3wpdiag.exe

Filesize
58KB

MD5
371b4380080e3d94ffcae1a7e9a0d5e2

SHA1
f7088075d1c798f27b0d269c97dc877ff16f1401

SHA256
2986bae15cfa78b919d21dc070be944e949a027e8047a812026e35c66ab17353

SHA512
990c3b43a9cdaa45432d2934aac005042f72ee4d1f441c474c07fa28e950c926e2474263bbc4bbd35aa74e4f6819f7194066f1f94dd300f2b04eee82bb7f5fb7

Download Submit
C:\Windows\System32\w3wpdiag.exe

Filesize
58KB

MD5
371b4380080e3d94ffcae1a7e9a0d5e2

SHA1
f7088075d1c798f27b0d269c97dc877ff16f1401

SHA256
2986bae15cfa78b919d21dc070be944e949a027e8047a812026e35c66ab17353

SHA512
990c3b43a9cdaa45432d2934aac005042f72ee4d1f441c474c07fa28e950c926e2474263bbc4bbd35aa74e4f6819f7194066f1f94dd300f2b04eee82bb7f5fb7

Download Submit
C:\Windows\system32\InstallUtil.InstallLog

Filesize
580B

MD5
3fe3db751374c86fcc44d7e14b9c11f9

SHA1
4ec4a7d01540a403a52f1bb48d9fc85f9066617e

SHA256
4ffb0294f29222071c7b0f3c321d625f211024370d3b11ac71e80ad9936032a5

SHA512
e5761e7f51291215aee6cb4bef734b2bdcc98e74d50761350ad033b4109a75b1dfc4ec9e76ff0d10adeeee349a54a266485f7c38e3e2f89b3fc8c31e8bf9f1e3

Download Submit
C:\Windows\system32\System.Web.Helpers.dll

Filesize
135KB

MD5
4f13bec852002ea7208deaf82b53f90d

SHA1
fffd7f988637d3f79bad6e6fb725f00aa8558044

SHA256
6bdd4e1a2887176b20bdc2d710c5d81b68b18e7006a8281f4973e9e31e25f40f

SHA512
2216dc754a787bc159e9bc363f8a57ee02caadce16dae41e73ce27cc37d7eef956983bf0dca7c78ef988030d69c4977a067b32667111ca10926a7d684771bf40

Download Submit
C:\Windows\system32\w3wpdiag.InstallLog

Filesize
561B

MD5
99b0f0d65146dadcd19adad9541f3d42

SHA1
1e5eb63e99ee18b4f91c66b350c2628f64e7870d

SHA256
6dcc3fe3efb8f9aab0615b676d986cb75e765fc95cd04539964206050b80b7b1

SHA512
3ca51387278296c7a541ee1ba9cccce00b7b667b75bd6a131defc60edfaf2b1c06096806881a3b9e9a9e4eba99e8e5b5f537e642463cd403e47190c894355488

Download Submit
C:\Windows\system32\w3wpdiag.InstallState

Filesize
7KB

MD5
362ce475f5d1e84641bad999c16727a0

SHA1
6b613c73acb58d259c6379bd820cca6f785cc812

SHA256
1f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899

SHA512
7630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b

Download Submit
C:\Windows\system32\w3wpdiag.exe

Filesize
58KB

MD5
371b4380080e3d94ffcae1a7e9a0d5e2

SHA1
f7088075d1c798f27b0d269c97dc877ff16f1401

SHA256
2986bae15cfa78b919d21dc070be944e949a027e8047a812026e35c66ab17353

SHA512
990c3b43a9cdaa45432d2934aac005042f72ee4d1f441c474c07fa28e950c926e2474263bbc4bbd35aa74e4f6819f7194066f1f94dd300f2b04eee82bb7f5fb7

Download Submit
memory/640-61-0x0000000000A60000-0x0000000000A74000-memory.dmp

Filesize
80KB

Download
memory/640-65-0x0000000000370000-0x0000000000372000-memory.dmp

Filesize
8KB

Download
memory/1008-64-0x0000000000B90000-0x0000000000BB6000-memory.dmp

Filesize
152KB

Download
memory/1008-66-0x0000000019B00000-0x0000000019B02000-memory.dmp

Filesize
8KB

Download
memory/1668-54-0x0000000001260000-0x000000000127E000-memory.dmp

Filesize
120KB

Download
memory/1668-56-0x0000000000190000-0x00000000001B6000-memory.dmp

Filesize
152KB

Download
memory/1668-55-0x000000001AEC0000-0x000000001AEC2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing