3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2

General

Target

3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe
Size

208KB
MD5

a633ccbf2a9d299a06512319a0286777
SHA1

839a0ef54024dcfcbfbcecb0adf3bf0de1aa98da
SHA256

3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2
SHA512

78584f6702f4a4d880430a35178fa769d90489c42ae62edebe6a4169514a53a210c744763affd5c12eda9dc1d996ee40d3f7788a7d66e29553a2b2c26a1bc0a8

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Check Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{8f357dae-9843-072e-475f-c01d422dead6}\\a39ZlMD1.exe"	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exemsiexec.exe

description	pid	process	target process
PID 2036 set thread context of 1196	2036	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe
PID 1196 set thread context of 5016	1196	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	msiexec.exe
PID 5016 set thread context of 4660	5016	msiexec.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exemsiexec.exesvchost.exe

pid	process
1196	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe
1196	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe
1196	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe
1196	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe
5016	msiexec.exe
5016	msiexec.exe
5016	msiexec.exe
5016	msiexec.exe
4660	svchost.exe
4660	svchost.exe
4660	svchost.exe
4660	svchost.exe
4660	svchost.exe
4660	svchost.exe
4660	svchost.exe
4660	svchost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exemsiexec.exe

description	pid	process	target process
PID 2036 wrote to memory of 1196	2036	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe
PID 2036 wrote to memory of 1196	2036	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe
PID 2036 wrote to memory of 1196	2036	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe
PID 2036 wrote to memory of 1196	2036	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe
PID 2036 wrote to memory of 1196	2036	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe
PID 2036 wrote to memory of 1196	2036	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe
PID 1196 wrote to memory of 5016	1196	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	msiexec.exe
PID 1196 wrote to memory of 5016	1196	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	msiexec.exe
PID 1196 wrote to memory of 5016	1196	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	msiexec.exe
PID 1196 wrote to memory of 5016	1196	3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe	msiexec.exe
PID 5016 wrote to memory of 4660	5016	msiexec.exe	svchost.exe
PID 5016 wrote to memory of 4660	5016	msiexec.exe	svchost.exe
PID 5016 wrote to memory of 4660	5016	msiexec.exe	svchost.exe
PID 5016 wrote to memory of 4660	5016	msiexec.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe
"C:\Users\Admin\AppData\Local\Temp\3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe
"C:\Users\Admin\AppData\Local\Temp\3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{8f357dae-9843-072e-475f-c01d422dead6}\a39ZlMD1.exe
Filesize
208KB

MD5
a633ccbf2a9d299a06512319a0286777

SHA1
839a0ef54024dcfcbfbcecb0adf3bf0de1aa98da

SHA256
3d750de58563f860cd8f8674ce08e96b1f4e3ae3564c10efe61c50738056b0f2

SHA512
78584f6702f4a4d880430a35178fa769d90489c42ae62edebe6a4169514a53a210c744763affd5c12eda9dc1d996ee40d3f7788a7d66e29553a2b2c26a1bc0a8

Download Submit
memory/1196-136-0x00000000001C0000-0x00000000001C7000-memory.dmp

Filesize
28KB

Download
memory/1196-131-0x0000000000000000-mapping.dmp

Download
memory/1196-132-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/1196-134-0x00000000001C0000-0x00000000001C7000-memory.dmp

Filesize
28KB

Download
memory/2036-133-0x00000000004EC000-0x00000000004F2000-memory.dmp

Filesize
24KB

Download
memory/2036-130-0x00000000004EC000-0x00000000004F2000-memory.dmp

Filesize
24KB

Download
memory/4660-139-0x0000000000000000-mapping.dmp

Download
memory/4660-141-0x0000000001900000-0x0000000001907000-memory.dmp

Filesize
28KB

Download
memory/4660-140-0x00000000013D0000-0x00000000013D3000-memory.dmp

Filesize
12KB

Download
memory/4660-143-0x00000000013D0000-0x00000000013D3000-memory.dmp

Filesize
12KB

Download
memory/5016-135-0x0000000000000000-mapping.dmp

Download
memory/5016-137-0x0000000000FE0000-0x0000000000FE3000-memory.dmp

Filesize
12KB

Download
memory/5016-138-0x00000000013B0000-0x00000000013B7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads