55247d144549642feba5489761e9f33a74fcb5923abd87619310039742e19431

General

Target

55247d144549642feba5489761e9f33a74fcb5923abd87619310039742e19431.exe
Size

80KB
MD5

cc43c6cdc0b3d5a09e63a438d5db6d57
SHA1

efbfdc41e819422240cc2da85c9a0e358133bbc2
SHA256

55247d144549642feba5489761e9f33a74fcb5923abd87619310039742e19431
SHA512

15f929a56cc005fca42d4cfb497dc6edc001355e2bd4f496fe279a0f988fdfeea56d4762043f38924763475fd42f239b74b9ea6e61a8e420b87b4725735412d7

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\SolidTechnology\config.cfg	55247d144549642feba5489761e9f33a74fcb5923abd87619310039742e19431.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	55247d144549642feba5489761e9f33a74fcb5923abd87619310039742e19431.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	55247d144549642feba5489761e9f33a74fcb5923abd87619310039742e19431.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2016	55247d144549642feba5489761e9f33a74fcb5923abd87619310039742e19431.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	55247d144549642feba5489761e9f33a74fcb5923abd87619310039742e19431.exe
Token: SeShutdownPrivilege	996	explorer.exe
Token: SeShutdownPrivilege	996	explorer.exe
Token: SeShutdownPrivilege	996	explorer.exe
Token: SeShutdownPrivilege	996	explorer.exe
Token: SeShutdownPrivilege	996	explorer.exe
Token: SeShutdownPrivilege	996	explorer.exe
Token: SeShutdownPrivilege	996	explorer.exe
Token: SeShutdownPrivilege	996	explorer.exe
Token: SeShutdownPrivilege	996	explorer.exe
Token: SeShutdownPrivilege	996	explorer.exe
Token: 33	580	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	580	AUDIODG.EXE
Token: 33	580	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	580	AUDIODG.EXE
Token: SeShutdownPrivilege	996	explorer.exe
Token: SeShutdownPrivilege	996	explorer.exe
Token: SeShutdownPrivilege	996	explorer.exe
Token: SeShutdownPrivilege	996	explorer.exe
Token: SeShutdownPrivilege	996	explorer.exe
Token: SeShutdownPrivilege	996	explorer.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe
996	explorer.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 924	2016	55247d144549642feba5489761e9f33a74fcb5923abd87619310039742e19431.exe	27
PID 2016 wrote to memory of 924	2016	55247d144549642feba5489761e9f33a74fcb5923abd87619310039742e19431.exe	27
PID 2016 wrote to memory of 924	2016	55247d144549642feba5489761e9f33a74fcb5923abd87619310039742e19431.exe	27
PID 2016 wrote to memory of 924	2016	55247d144549642feba5489761e9f33a74fcb5923abd87619310039742e19431.exe	27
PID 924 wrote to memory of 996	924	runas.exe	28
PID 924 wrote to memory of 996	924	runas.exe	28
PID 924 wrote to memory of 996	924	runas.exe	28
PID 924 wrote to memory of 996	924	runas.exe	28
PID 996 wrote to memory of 1480	996	explorer.exe	29
PID 996 wrote to memory of 1480	996	explorer.exe	29
PID 996 wrote to memory of 1480	996	explorer.exe	29

C:\Users\Admin\AppData\Local\Temp\55247d144549642feba5489761e9f33a74fcb5923abd87619310039742e19431.exe
"C:\Users\Admin\AppData\Local\Temp\55247d144549642feba5489761e9f33a74fcb5923abd87619310039742e19431.exe"
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\runas.exe
  runas /trustlevel:0x20000 C:\Windows\explorer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    3⤵
    - Modifies Installed Components in the registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:996
  - - C:\Windows\system32\ctfmon.exe
      ctfmon.exe
      4⤵
      PID:1480

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x494
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/996-59-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp

Filesize
8KB

Download
memory/996-62-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/2016-54-0x0000000075C01000-0x0000000075C03000-memory.dmp

Filesize
8KB

Download
memory/2016-55-0x00000000748A0000-0x0000000074E4B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-61-0x00000000748A0000-0x0000000074E4B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing