3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2

General

Target

3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe
Size

208KB
MD5

a633ccbf2a9d299a06512319a0286777
SHA1

839a0ef54024dcfcbfbcecb0adf3bf0de1aa98da
SHA256

3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2
SHA512

78584f6702f4a4d880430a35178fa769d90489c42ae62edebe6a4169514a53a210c744763affd5c12eda9dc1d996ee40d3f7788a7d66e29553a2b2c26a1bc0a8

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Check Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{8f357dae-9843-072e-475f-c01d422dead6}\\a39ZlMD1.exe"	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2036 set thread context of 1196	2036	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	79
PID 1196 set thread context of 5016	1196	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	82
PID 5016 set thread context of 4660	5016	msiexec.exe	83

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1196	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe
1196	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe
1196	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe
1196	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe
5016	msiexec.exe
5016	msiexec.exe
5016	msiexec.exe
5016	msiexec.exe
4660	svchost.exe
4660	svchost.exe
4660	svchost.exe
4660	svchost.exe
4660	svchost.exe
4660	svchost.exe
4660	svchost.exe
4660	svchost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1196	2036	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	79
PID 2036 wrote to memory of 1196	2036	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	79
PID 2036 wrote to memory of 1196	2036	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	79
PID 2036 wrote to memory of 1196	2036	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	79
PID 2036 wrote to memory of 1196	2036	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	79
PID 2036 wrote to memory of 1196	2036	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	79
PID 1196 wrote to memory of 5016	1196	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	82
PID 1196 wrote to memory of 5016	1196	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	82
PID 1196 wrote to memory of 5016	1196	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	82
PID 1196 wrote to memory of 5016	1196	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	82
PID 5016 wrote to memory of 4660	5016	msiexec.exe	83
PID 5016 wrote to memory of 4660	5016	msiexec.exe	83
PID 5016 wrote to memory of 4660	5016	msiexec.exe	83
PID 5016 wrote to memory of 4660	5016	msiexec.exe	83

C:\Users\Admin\AppData\Local\Temp\3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe
"C:\Users\Admin\AppData\Local\Temp\3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe
  "C:\Users\Admin\AppData\Local\Temp\3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe
    3⤵
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5016
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{8f357dae-9843-072e-475f-c01d422dead6}\a39ZlMD1.exe

Filesize
208KB

MD5
a633ccbf2a9d299a06512319a0286777

SHA1
839a0ef54024dcfcbfbcecb0adf3bf0de1aa98da

SHA256
3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2

SHA512
78584f6702f4a4d880430a35178fa769d90489c42ae62edebe6a4169514a53a210c744763affd5c12eda9dc1d996ee40d3f7788a7d66e29553a2b2c26a1bc0a8

Download Submit
memory/1196-136-0x00000000001C0000-0x00000000001C7000-memory.dmp

Filesize
28KB

Download
memory/1196-132-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/1196-134-0x00000000001C0000-0x00000000001C7000-memory.dmp

Filesize
28KB

Download
memory/2036-133-0x00000000004EC000-0x00000000004F2000-memory.dmp

Filesize
24KB

Download
memory/2036-130-0x00000000004EC000-0x00000000004F2000-memory.dmp

Filesize
24KB

Download
memory/4660-141-0x0000000001900000-0x0000000001907000-memory.dmp

Filesize
28KB

Download
memory/4660-140-0x00000000013D0000-0x00000000013D3000-memory.dmp

Filesize
12KB

Download
memory/4660-143-0x00000000013D0000-0x00000000013D3000-memory.dmp

Filesize
12KB

Download
memory/5016-137-0x0000000000FE0000-0x0000000000FE3000-memory.dmp

Filesize
12KB

Download
memory/5016-138-0x00000000013B0000-0x00000000013B7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing