3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4

General

Target

$77_loader.exe
Size

397KB
MD5

aff57ee1a4f3731c2036046910f78fb4
SHA1

ef9627c0cadff85a3dfaab6aef0b7c885f03b186
SHA256

3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4
SHA512

5ae93c6dae61782a7ac2fa2079df7006e0655d73e32fd7df1a5c1d44e47fd7dd2da225ea6f93e9d3dcb09be5f84b5dab2130bb4f2d5b0e05d95e866ebde0163f

Score

8^/10

evasion persistence

Malware Config

Signatures

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Modifies powershell logging option 1 TTPs
evasion

Modify Registry
T1112

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3256	$77_loader.exe
3256	$77_loader.exe
3256	$77_loader.exe
3256	$77_loader.exe
3256	$77_loader.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3256	$77_loader.exe
Token: SeSecurityPrivilege	4244	msiexec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3256 wrote to memory of 3860	3256	$77_loader.exe	80
PID 3256 wrote to memory of 3860	3256	$77_loader.exe	80
PID 3860 wrote to memory of 4508	3860	csc.exe	82
PID 3860 wrote to memory of 4508	3860	csc.exe	82
PID 3256 wrote to memory of 4224	3256	$77_loader.exe	84
PID 3256 wrote to memory of 4224	3256	$77_loader.exe	84

C:\Users\Admin\AppData\Local\Temp\$77_loader.exe
"C:\Users\Admin\AppData\Local\Temp\$77_loader.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m7y84mz0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3860
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES25B9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC25B8.tmp"
    3⤵
    PID:4508
- C:\Windows\system32\chcp.com
  "C:\Windows\system32\chcp.com" 437
  2⤵
  PID:4224

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES25B9.tmp

Filesize
1KB

MD5
1d84e61e618d0720a80d338557513c53

SHA1
f6bbbb494b99e1d93f3495da4cfabc8cbd847888

SHA256
96ae793cd92dc0f36c20ca1f8dad26e02d1ab09aa6b2fc3e754ec3071295c404

SHA512
e17279106fb8d8905eafeb0085ba2df9801efecc861b8f79081c7d218311ff31de0396e3218c5e24779c623bd1e054d547468f0eb9396eff167a583b60e55f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\m7y84mz0.dll

Filesize
3KB

MD5
9a200076da05da0980a6ff548c04e5b7

SHA1
7fdd72d2a3655d5c68eccd3c74ad8838b510e7f6

SHA256
b418234f70af5312342b80e784365a6c1f7de433120f0dbe44d980af1b5fd251

SHA512
3346b123273df284bdec9b09adb31a6a0747d51b081f6f38d31d06ad89c3444bb89efc584a0fc7c4ad2c5d60d5fc510f449542c0d7e6cb06ee64d1383d247de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\m7y84mz0.pdb

Filesize
11KB

MD5
84df271d1bb3142a64a918187b90ad1a

SHA1
088be60d0658cb78b40e76c77268dc66e55766b5

SHA256
e1996cfd4ed4335a146b4457e465dc7d4ade83b5e3654295238343de0d0cba39

SHA512
5b3a5726ad2159de565326f2aecbec9a55a752f301b3099190fd1173319d4bf008b6773bbd899939d8587707e0d5d18bb46f807a28feb631a6503cde13b58b7a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC25B8.tmp

Filesize
652B

MD5
a1a22a24e71d4fe2e7f1b4e9c8ca3bcf

SHA1
5cb169991ef7bab18b203ca86f2e52518d086ba3

SHA256
fde0b33423523618b34355605cc2edb6bd65578edf38beb8fbb77fe19c46150a

SHA512
15a78493f8b222d687c747140e4c6902846a6b0ac78967675b84e9875781f91ffab5f27ff3d83396149d6cce7215c8d40face7bca931e9f4a934c120cad65efe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m7y84mz0.0.cs

Filesize
447B

MD5
1640a04633fee0dfdc7e22c4f4063bf6

SHA1
3cb525c47b5dd37f8ee45b034c9452265fba5476

SHA256
55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0

SHA512
85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m7y84mz0.cmdline

Filesize
309B

MD5
46f0665d184228734149efd76ffe6438

SHA1
8d60359a7d1ab48af85d92161e792cd2a25cb85a

SHA256
0723a0673523e60fee195d31247339cae7acef45303f0e45020d16f8b73d1164

SHA512
b8950312ff347dd0d1bc48cbe2e63677d322602b685329e06a82672ad5129a0d2922b7fd78fdbe20a00c63b2b49ad07af73f823921ee3e590e53b45610ab8c2e

Download Submit
memory/3256-130-0x00007FFF97D10000-0x00007FFF9886D000-memory.dmp

Filesize
11.4MB

Download

Analysis

Sharing