6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8

General

Target

6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe
Size

1.6MB
MD5

d644eb3560601aa504917b281306a350
SHA1

b43554ea4fa8eed7a9d36e4172546487b627a45d
SHA256

6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8
SHA512

c9a2100bd23d583d63c5fd37251b81407036f422d5cdcf2386419d78eaf25fbf2fa7bc6d34ef33f2b427ead5004ce92da9184a70d5c202d2dcb12571b403fc46

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\SystemApps = "C:\\Users\\Admin\\SystemApps\\AppSrv.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1108 reg.exe

pid	process
1108	reg.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.execmd.execmd.exe

description	pid	process	target process
PID 1724 wrote to memory of 932	1724	6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe	cmd.exe
PID 1724 wrote to memory of 932	1724	6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe	cmd.exe
PID 1724 wrote to memory of 932	1724	6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe	cmd.exe
PID 1724 wrote to memory of 932	1724	6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe	cmd.exe
PID 1724 wrote to memory of 856	1724	6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe	cmd.exe
PID 1724 wrote to memory of 856	1724	6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe	cmd.exe
PID 1724 wrote to memory of 856	1724	6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe	cmd.exe
PID 1724 wrote to memory of 856	1724	6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe	cmd.exe
PID 1724 wrote to memory of 1548	1724	6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe	cmd.exe
PID 1724 wrote to memory of 1548	1724	6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe	cmd.exe
PID 1724 wrote to memory of 1548	1724	6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe	cmd.exe
PID 1724 wrote to memory of 1548	1724	6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe	cmd.exe
PID 1548 wrote to memory of 604	1548	cmd.exe	attrib.exe
PID 1548 wrote to memory of 604	1548	cmd.exe	attrib.exe
PID 1548 wrote to memory of 604	1548	cmd.exe	attrib.exe
PID 1548 wrote to memory of 604	1548	cmd.exe	attrib.exe
PID 1724 wrote to memory of 1152	1724	6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe	cmd.exe
PID 1724 wrote to memory of 1152	1724	6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe	cmd.exe
PID 1724 wrote to memory of 1152	1724	6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe	cmd.exe
PID 1724 wrote to memory of 1152	1724	6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe	cmd.exe
PID 1152 wrote to memory of 1108	1152	cmd.exe	reg.exe
PID 1152 wrote to memory of 1108	1152	cmd.exe	reg.exe
PID 1152 wrote to memory of 1108	1152	cmd.exe	reg.exe
PID 1152 wrote to memory of 1108	1152	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

604 attrib.exe

pid	process
604	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe
"C:\Users\Admin\AppData\Local\Temp\6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\cmd.exe
cmd /C "mkdir %userprofile%\SystemApps"
2⤵
PID:932

C:\Windows\SysWOW64\cmd.exe
cmd /C "copy C:\Users\Admin\AppData\Local\Temp\6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe %userprofile%\SystemApps\AppSrv.exe"
2⤵
PID:856

C:\Windows\SysWOW64\cmd.exe
cmd /C "attrib +H %userprofile%\SystemApps"
2⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\attrib.exe
attrib +H C:\Users\Admin\SystemApps
3⤵
- Views/modifies file attributes
PID:604

C:\Windows\SysWOW64\cmd.exe
cmd /C "REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V SystemApps /t REG_SZ /F /D %userprofile%\SystemApps\AppSrv.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V SystemApps /t REG_SZ /F /D C:\Users\Admin\SystemApps\AppSrv.exe
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1108