45136071c0cb88b6cbf83675992b439590a0f3425c6f3a8ee548c5228d0d9e6f

General

Target

46ee250665a9309d49ff4efa9b6de0c5.exe
Size

129KB
MD5

46ee250665a9309d49ff4efa9b6de0c5
SHA1

50d0c50fbe6e602546eca3ca6190196ea68e9a81
SHA256

45136071c0cb88b6cbf83675992b439590a0f3425c6f3a8ee548c5228d0d9e6f
SHA512

87afabbd3816148385dd5e31d45bc976414027f7850a0836426ae5ad6bf9417376cfd4fb5142972565fa462ba264e0de9791e9f870dff1e1bb922137e875d30f
SSDEEP

3072:OHuz0Qb6GVlzsmn0+ZIOviaV0k4XoVlJ8n:OE0Q28omnlZsWJO

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

1234.exe

pid process

324 1234.exe

pid	process
324	1234.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1234.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\aaa = "C:\\Users\\Public\\1234.exe"	1234.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

46ee250665a9309d49ff4efa9b6de0c5.exe1234.exesvchost.exe

pid	process
1812	46ee250665a9309d49ff4efa9b6de0c5.exe
1812	46ee250665a9309d49ff4efa9b6de0c5.exe
324	1234.exe
324	1234.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe
1912	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

46ee250665a9309d49ff4efa9b6de0c5.exe

description	pid	process
Token: SeDebugPrivilege	1812	46ee250665a9309d49ff4efa9b6de0c5.exe
Token: SeImpersonatePrivilege	1812	46ee250665a9309d49ff4efa9b6de0c5.exe
Token: SeDebugPrivilege	1812	46ee250665a9309d49ff4efa9b6de0c5.exe
Token: SeImpersonatePrivilege	1812	46ee250665a9309d49ff4efa9b6de0c5.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

1234.exe

description	pid	process	target process
PID 324 wrote to memory of 1912	324	1234.exe	svchost.exe
PID 324 wrote to memory of 1912	324	1234.exe	svchost.exe
PID 324 wrote to memory of 1912	324	1234.exe	svchost.exe
PID 324 wrote to memory of 1912	324	1234.exe	svchost.exe
PID 324 wrote to memory of 1912	324	1234.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\46ee250665a9309d49ff4efa9b6de0c5.exe
"C:\Users\Admin\AppData\Local\Temp\46ee250665a9309d49ff4efa9b6de0c5.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\1234.exe
C:\1234.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:324

\??\c:\windows\SysWOW64\svchost.exe
c:\windows\SysWOW64\svchost.exe
2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1234.exe
Filesize
1.6MB

MD5
5d8ab1d3b48afab34fab8930c3e56793

SHA1
64c4e251af2970abc2e24bc3c3de0448103afd6d

SHA256
86ba5195ceef7562b3baf057bdbcd40123fa5fea2cb4c95dc50ffdedfbe088c4

SHA512
f8b0372fd577424ef9d489de2ecdd32c1154ede0660f4ea0d1f589acc0df9689606a524387d16e51f4cb87759775678c0d7f32260b4bd4661e92486681b7f085

Download Submit
C:\1234.exe
Filesize
1.6MB

MD5
5d8ab1d3b48afab34fab8930c3e56793

SHA1
64c4e251af2970abc2e24bc3c3de0448103afd6d

SHA256
86ba5195ceef7562b3baf057bdbcd40123fa5fea2cb4c95dc50ffdedfbe088c4

SHA512
f8b0372fd577424ef9d489de2ecdd32c1154ede0660f4ea0d1f589acc0df9689606a524387d16e51f4cb87759775678c0d7f32260b4bd4661e92486681b7f085

Download Submit
C:\libcef.dll
Filesize
90KB

MD5
12b71771467bb1d2d2f5f1a793836f7a

SHA1
8c86374aa8a4604be47dbe2b9cd84885f04a1cb4

SHA256
ca3d79dbd07fe563bdab59e559fafede0199aff5e25c138c560277e8a4521a87

SHA512
59e80e81afd24abf102dde95bca8f07492c35c854b1744d51b4438be445449385d8865f4567010c20aeb042b2d39cf71e5e6e4d870073e4c500315721c62dac4

Download Submit
memory/324-56-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1812-54-0x000007FEFBFE1000-0x000007FEFBFE3000-memory.dmp

Filesize
8KB

Download
memory/1912-59-0x0000000000000000-mapping.dmp

Download
memory/1912-61-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/1912-64-0x00000000001F0000-0x000000000023E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads