f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70

General

Target

f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exe
Size

88KB
MD5

0e89298ac6003bda06ca607c17602f62
SHA1

fdafc549ef30db9c1d65dcbaaec43af6d7bf5ed4
SHA256

f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70
SHA512

440a587580b621a1dfbf03fa41ab18ee220c55395ab71836d86cfa6b3f489ac3fbf3b121efe2c62f07ca710b503e7d15ddea32e2cccd2dc13d16ea5c8a304d0e

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Drops file in Program Files directory 1 IoCs

Processes:

f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exe

description	ioc	process
File created	C:\Program Files (x86)\SolidTechnology\config.cfg	f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exe

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exe

pid process

1708 f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exe

pid	process
1708	f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exeexplorer.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1708	f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exe
Token: SeShutdownPrivilege	1132	explorer.exe
Token: SeShutdownPrivilege	1132	explorer.exe
Token: SeShutdownPrivilege	1132	explorer.exe
Token: SeShutdownPrivilege	1132	explorer.exe
Token: SeShutdownPrivilege	1132	explorer.exe
Token: SeShutdownPrivilege	1132	explorer.exe
Token: SeShutdownPrivilege	1132	explorer.exe
Token: SeShutdownPrivilege	1132	explorer.exe
Token: SeShutdownPrivilege	1132	explorer.exe
Token: SeShutdownPrivilege	1132	explorer.exe
Token: 33	1948	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1948	AUDIODG.EXE
Token: 33	1948	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1948	AUDIODG.EXE
Token: SeShutdownPrivilege	1132	explorer.exe
Token: SeShutdownPrivilege	1132	explorer.exe
Token: SeShutdownPrivilege	1132	explorer.exe
Token: SeShutdownPrivilege	1132	explorer.exe
Token: SeShutdownPrivilege	1132	explorer.exe
Token: SeShutdownPrivilege	1132	explorer.exe

Suspicious use of FindShellTrayWindow 24 IoCs

Processes:

explorer.exe

pid	process
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

explorer.exe

pid	process
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exerunas.exeexplorer.exe

description	pid	process	target process
PID 1708 wrote to memory of 1432	1708	f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exe	runas.exe
PID 1708 wrote to memory of 1432	1708	f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exe	runas.exe
PID 1708 wrote to memory of 1432	1708	f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exe	runas.exe
PID 1708 wrote to memory of 1432	1708	f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exe	runas.exe
PID 1432 wrote to memory of 1132	1432	runas.exe	explorer.exe
PID 1432 wrote to memory of 1132	1432	runas.exe	explorer.exe
PID 1432 wrote to memory of 1132	1432	runas.exe	explorer.exe
PID 1432 wrote to memory of 1132	1432	runas.exe	explorer.exe
PID 1132 wrote to memory of 988	1132	explorer.exe	ctfmon.exe
PID 1132 wrote to memory of 988	1132	explorer.exe	ctfmon.exe
PID 1132 wrote to memory of 988	1132	explorer.exe	ctfmon.exe

C:\Users\Admin\AppData\Local\Temp\f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exe
"C:\Users\Admin\AppData\Local\Temp\f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70.exe"
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\runas.exe
  runas /trustlevel:0x20000 C:\Windows\explorer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    3⤵
    - Modifies Installed Components in the registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Windows\system32\ctfmon.exe
      ctfmon.exe
      4⤵
      PID:988

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/988-59-0x0000000000000000-mapping.dmp

Download
memory/1132-57-0x0000000000000000-mapping.dmp

Download
memory/1132-58-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

Filesize
8KB

Download
memory/1132-62-0x0000000002760000-0x0000000002770000-memory.dmp

Filesize
64KB

Download
memory/1432-55-0x0000000000000000-mapping.dmp

Download
memory/1708-54-0x0000000075A61000-0x0000000075A63000-memory.dmp

Filesize
8KB

Download
memory/1708-60-0x00000000741E0000-0x000000007478B000-memory.dmp

Filesize
5.7MB

Download
memory/1708-61-0x00000000741E0000-0x000000007478B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads