ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0

General

Target

ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Size

25KB
MD5

b6974c625e2a8c07e6202090a0062497
SHA1

778ce55ed26bd5f9d20d0c29b5d2dc196466de49
SHA256

ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0
SHA512

56d8549176aa1d3efd8f3c0a3927b2c76e5075eb036988b2bb58cc43357eca442439b5fa3bcd07de23c348e2d55412b11bcee2ebf7a67fd0ab698e5d75ebb95b

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Server.exeServer.exe

pid process

4292 Server.exe
3188 Server.exe

pid	process
4292	Server.exe
3188	Server.exe

Drops startup file 2 IoCs

Processes:

ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe\" .."	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe\" .."	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{61441739-2C61-4F47-9BA2-A1C0100075C1}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{107B7D9B-B7E0-4337-9A26-242310909DF9}.catalogItem	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4612 schtasks.exe

pid	process
4612	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe

pid process

432 ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe

pid	process
432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe

description	pid	process
Token: SeDebugPrivilege	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: 33	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: SeIncBasePriorityPrivilege	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: 33	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: SeIncBasePriorityPrivilege	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: 33	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: SeIncBasePriorityPrivilege	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: 33	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: SeIncBasePriorityPrivilege	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: 33	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: SeIncBasePriorityPrivilege	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: 33	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: SeIncBasePriorityPrivilege	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: 33	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: SeIncBasePriorityPrivilege	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: 33	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: SeIncBasePriorityPrivilege	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: 33	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: SeIncBasePriorityPrivilege	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: 33	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: SeIncBasePriorityPrivilege	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: 33	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: SeIncBasePriorityPrivilege	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: 33	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: SeIncBasePriorityPrivilege	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: 33	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: SeIncBasePriorityPrivilege	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: 33	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: SeIncBasePriorityPrivilege	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: 33	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: SeIncBasePriorityPrivilege	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: 33	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
Token: SeIncBasePriorityPrivilege	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe

description	pid	process	target process
PID 432 wrote to memory of 4612	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe	schtasks.exe
PID 432 wrote to memory of 4612	432	ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe
"C:\Users\Admin\AppData\Local\Temp\ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
2⤵
- Creates scheduled task(s)
PID:4612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:3272

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
PID:4292

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
PID:3188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Server.exe.log
Filesize
1KB

MD5
a8a147915e3a996fdbe10b3a3f1e1bb2

SHA1
abc564c1be468d57e700913e7b6cf8f62d421263

SHA256
8b96a8557deea66696837af011843d6a82451ba57c8f9b5a2726a70818d6fc7e

SHA512
17b42f17ef60a9f625703172763f692e5ed2ca93564a97853dfa72bb0ac6305ef3267aea0b205938e3aa8eac10156d9d4f322b30d0329d92d647bcec6372731c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
25KB

MD5
b6974c625e2a8c07e6202090a0062497

SHA1
778ce55ed26bd5f9d20d0c29b5d2dc196466de49

SHA256
ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0

SHA512
56d8549176aa1d3efd8f3c0a3927b2c76e5075eb036988b2bb58cc43357eca442439b5fa3bcd07de23c348e2d55412b11bcee2ebf7a67fd0ab698e5d75ebb95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
25KB

MD5
b6974c625e2a8c07e6202090a0062497

SHA1
778ce55ed26bd5f9d20d0c29b5d2dc196466de49

SHA256
ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0

SHA512
56d8549176aa1d3efd8f3c0a3927b2c76e5075eb036988b2bb58cc43357eca442439b5fa3bcd07de23c348e2d55412b11bcee2ebf7a67fd0ab698e5d75ebb95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
25KB

MD5
b6974c625e2a8c07e6202090a0062497

SHA1
778ce55ed26bd5f9d20d0c29b5d2dc196466de49

SHA256
ac9621b85e5f6b6c1335ea0f71ad93b1cd78bb94f62c36d9c86fc4832fc7aaf0

SHA512
56d8549176aa1d3efd8f3c0a3927b2c76e5075eb036988b2bb58cc43357eca442439b5fa3bcd07de23c348e2d55412b11bcee2ebf7a67fd0ab698e5d75ebb95b

Download Submit
memory/432-130-0x0000000000050000-0x0000000000058000-memory.dmp

Filesize
32KB

Download
memory/432-131-0x00007FFEA4C50000-0x00007FFEA5711000-memory.dmp

Filesize
10.8MB

Download
memory/3188-138-0x00007FFEA4C50000-0x00007FFEA5711000-memory.dmp

Filesize
10.8MB

Download
memory/4292-135-0x00007FFEA4C50000-0x00007FFEA5711000-memory.dmp

Filesize
10.8MB

Download
memory/4612-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads