3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2

General

Target

3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe
Size

208KB
MD5

a633ccbf2a9d299a06512319a0286777
SHA1

839a0ef54024dcfcbfbcecb0adf3bf0de1aa98da
SHA256

3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2
SHA512

78584f6702f4a4d880430a35178fa769d90489c42ae62edebe6a4169514a53a210c744763affd5c12eda9dc1d996ee40d3f7788a7d66e29553a2b2c26a1bc0a8

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Check Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{cad1e7be-c527-2de4-7f70-eaea8a6eed3c}\\s6Tq0uXP.exe"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msiexec.exe

Deletes itself 1 IoCs

pid	Process
1052	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1100 set thread context of 1724	1100	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	27
PID 1724 set thread context of 1052	1724	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	28
PID 1052 set thread context of 1744	1052	msiexec.exe	29

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1724	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe
1724	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe
1052	msiexec.exe
1052	msiexec.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 1724	1100	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	27
PID 1100 wrote to memory of 1724	1100	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	27
PID 1100 wrote to memory of 1724	1100	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	27
PID 1100 wrote to memory of 1724	1100	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	27
PID 1100 wrote to memory of 1724	1100	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	27
PID 1100 wrote to memory of 1724	1100	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	27
PID 1100 wrote to memory of 1724	1100	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	27
PID 1724 wrote to memory of 1052	1724	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	28
PID 1724 wrote to memory of 1052	1724	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	28
PID 1724 wrote to memory of 1052	1724	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	28
PID 1724 wrote to memory of 1052	1724	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	28
PID 1724 wrote to memory of 1052	1724	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	28
PID 1724 wrote to memory of 1052	1724	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	28
PID 1724 wrote to memory of 1052	1724	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	28
PID 1724 wrote to memory of 1052	1724	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	28
PID 1052 wrote to memory of 1744	1052	msiexec.exe	29
PID 1052 wrote to memory of 1744	1052	msiexec.exe	29
PID 1052 wrote to memory of 1744	1052	msiexec.exe	29
PID 1052 wrote to memory of 1744	1052	msiexec.exe	29
PID 1052 wrote to memory of 1744	1052	msiexec.exe	29

C:\Users\Admin\AppData\Local\Temp\3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe
"C:\Users\Admin\AppData\Local\Temp\3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\AppData\Local\Temp\3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe
  "C:\Users\Admin\AppData\Local\Temp\3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Adds policy Run key to start application
    - Deletes itself
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{cad1e7be-c527-2de4-7f70-eaea8a6eed3c}\s6Tq0uXP.exe

Filesize
208KB

MD5
a633ccbf2a9d299a06512319a0286777

SHA1
839a0ef54024dcfcbfbcecb0adf3bf0de1aa98da

SHA256
3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2

SHA512
78584f6702f4a4d880430a35178fa769d90489c42ae62edebe6a4169514a53a210c744763affd5c12eda9dc1d996ee40d3f7788a7d66e29553a2b2c26a1bc0a8

Download Submit
memory/1052-61-0x00000000000E0000-0x00000000000E3000-memory.dmp

Filesize
12KB

Download
memory/1052-62-0x00000000001D0000-0x00000000001D7000-memory.dmp

Filesize
28KB

Download
memory/1100-56-0x00000000005EC000-0x00000000005F2000-memory.dmp

Filesize
24KB

Download
memory/1724-54-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/1724-57-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/1724-58-0x00000000002B0000-0x00000000002B7000-memory.dmp

Filesize
28KB

Download
memory/1744-65-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/1744-66-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing