6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8

General

Target

6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe
Size

1.6MB
MD5

d644eb3560601aa504917b281306a350
SHA1

b43554ea4fa8eed7a9d36e4172546487b627a45d
SHA256

6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8
SHA512

c9a2100bd23d583d63c5fd37251b81407036f422d5cdcf2386419d78eaf25fbf2fa7bc6d34ef33f2b427ead5004ce92da9184a70d5c202d2dcb12571b403fc46

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemApps = "C:\\Users\\Admin\\SystemApps\\AppSrv.exe"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4296 reg.exe

pid	process
4296	reg.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.execmd.execmd.exe

description	pid	process	target process
PID 4572 wrote to memory of 3532	4572	6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe	cmd.exe
PID 4572 wrote to memory of 3532	4572	6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe	cmd.exe
PID 4572 wrote to memory of 3532	4572	6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe	cmd.exe
PID 4572 wrote to memory of 5032	4572	6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe	cmd.exe
PID 4572 wrote to memory of 5032	4572	6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe	cmd.exe
PID 4572 wrote to memory of 5032	4572	6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe	cmd.exe
PID 4572 wrote to memory of 1364	4572	6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe	cmd.exe
PID 4572 wrote to memory of 1364	4572	6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe	cmd.exe
PID 4572 wrote to memory of 1364	4572	6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe	cmd.exe
PID 1364 wrote to memory of 4776	1364	cmd.exe	attrib.exe
PID 1364 wrote to memory of 4776	1364	cmd.exe	attrib.exe
PID 1364 wrote to memory of 4776	1364	cmd.exe	attrib.exe
PID 4572 wrote to memory of 4496	4572	6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe	cmd.exe
PID 4572 wrote to memory of 4496	4572	6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe	cmd.exe
PID 4572 wrote to memory of 4496	4572	6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe	cmd.exe
PID 4496 wrote to memory of 4296	4496	cmd.exe	reg.exe
PID 4496 wrote to memory of 4296	4496	cmd.exe	reg.exe
PID 4496 wrote to memory of 4296	4496	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4776 attrib.exe

pid	process
4776	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe
"C:\Users\Admin\AppData\Local\Temp\6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\SysWOW64\cmd.exe
cmd /C "mkdir %userprofile%\SystemApps"
2⤵
PID:3532

C:\Windows\SysWOW64\cmd.exe
cmd /C "copy C:\Users\Admin\AppData\Local\Temp\6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe %userprofile%\SystemApps\AppSrv.exe"
2⤵
PID:5032

C:\Windows\SysWOW64\cmd.exe
cmd /C "attrib +H %userprofile%\SystemApps"
2⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\attrib.exe
attrib +H C:\Users\Admin\SystemApps
3⤵
- Views/modifies file attributes
PID:4776

C:\Windows\SysWOW64\cmd.exe
cmd /C "REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V SystemApps /t REG_SZ /F /D %userprofile%\SystemApps\AppSrv.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V SystemApps /t REG_SZ /F /D C:\Users\Admin\SystemApps\AppSrv.exe
3⤵
- Adds Run key to start application
- Modifies registry key
PID:4296