45136071c0cb88b6cbf83675992b439590a0f3425c6f3a8ee548c5228d0d9e6f

General

Target

46ee250665a9309d49ff4efa9b6de0c5.exe
Size

129KB
MD5

46ee250665a9309d49ff4efa9b6de0c5
SHA1

50d0c50fbe6e602546eca3ca6190196ea68e9a81
SHA256

45136071c0cb88b6cbf83675992b439590a0f3425c6f3a8ee548c5228d0d9e6f
SHA512

87afabbd3816148385dd5e31d45bc976414027f7850a0836426ae5ad6bf9417376cfd4fb5142972565fa462ba264e0de9791e9f870dff1e1bb922137e875d30f
SSDEEP

3072:OHuz0Qb6GVlzsmn0+ZIOviaV0k4XoVlJ8n:OE0Q28omnlZsWJO

Score

10^/10

persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 2460 created 1016 2460 svchost.exe dwm.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

1234.exe

pid process

2396 1234.exe
Loads dropped DLL 1 IoCs

Processes:

1234.exe

pid process

2396 1234.exe

description	pid	process	target process
PID 2460 created 1016	2460	svchost.exe	dwm.exe

pid	process
2396	1234.exe

pid	process
2396	1234.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1234.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aaa = "C:\\Users\\Public\\1234.exe"	1234.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

46ee250665a9309d49ff4efa9b6de0c5.exe1234.exesvchost.exe

pid	process
4856	46ee250665a9309d49ff4efa9b6de0c5.exe
4856	46ee250665a9309d49ff4efa9b6de0c5.exe
4856	46ee250665a9309d49ff4efa9b6de0c5.exe
4856	46ee250665a9309d49ff4efa9b6de0c5.exe
2396	1234.exe
2396	1234.exe
2396	1234.exe
2396	1234.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe
2708	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

46ee250665a9309d49ff4efa9b6de0c5.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4856	46ee250665a9309d49ff4efa9b6de0c5.exe
Token: SeImpersonatePrivilege	4856	46ee250665a9309d49ff4efa9b6de0c5.exe
Token: SeTcbPrivilege	2460	svchost.exe
Token: SeTcbPrivilege	2460	svchost.exe
Token: SeDebugPrivilege	4856	46ee250665a9309d49ff4efa9b6de0c5.exe
Token: SeImpersonatePrivilege	4856	46ee250665a9309d49ff4efa9b6de0c5.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

svchost.exe1234.exe

description	pid	process	target process
PID 2460 wrote to memory of 2396	2460	svchost.exe	1234.exe
PID 2460 wrote to memory of 2396	2460	svchost.exe	1234.exe
PID 2460 wrote to memory of 2396	2460	svchost.exe	1234.exe
PID 2396 wrote to memory of 2708	2396	1234.exe	svchost.exe
PID 2396 wrote to memory of 2708	2396	1234.exe	svchost.exe
PID 2396 wrote to memory of 2708	2396	1234.exe	svchost.exe
PID 2396 wrote to memory of 2708	2396	1234.exe	svchost.exe

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1016

C:\1234.exe
C:\1234.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2396

\??\c:\windows\SysWOW64\svchost.exe
c:\windows\SysWOW64\svchost.exe
3⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2708

C:\Users\Admin\AppData\Local\Temp\46ee250665a9309d49ff4efa9b6de0c5.exe
"C:\Users\Admin\AppData\Local\Temp\46ee250665a9309d49ff4efa9b6de0c5.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1234.exe
Filesize
1.6MB

MD5
5d8ab1d3b48afab34fab8930c3e56793

SHA1
64c4e251af2970abc2e24bc3c3de0448103afd6d

SHA256
86ba5195ceef7562b3baf057bdbcd40123fa5fea2cb4c95dc50ffdedfbe088c4

SHA512
f8b0372fd577424ef9d489de2ecdd32c1154ede0660f4ea0d1f589acc0df9689606a524387d16e51f4cb87759775678c0d7f32260b4bd4661e92486681b7f085

Download Submit
C:\1234.exe
Filesize
1.6MB

MD5
5d8ab1d3b48afab34fab8930c3e56793

SHA1
64c4e251af2970abc2e24bc3c3de0448103afd6d

SHA256
86ba5195ceef7562b3baf057bdbcd40123fa5fea2cb4c95dc50ffdedfbe088c4

SHA512
f8b0372fd577424ef9d489de2ecdd32c1154ede0660f4ea0d1f589acc0df9689606a524387d16e51f4cb87759775678c0d7f32260b4bd4661e92486681b7f085

Download Submit
C:\libcef.dll
Filesize
90KB

MD5
12b71771467bb1d2d2f5f1a793836f7a

SHA1
8c86374aa8a4604be47dbe2b9cd84885f04a1cb4

SHA256
ca3d79dbd07fe563bdab59e559fafede0199aff5e25c138c560277e8a4521a87

SHA512
59e80e81afd24abf102dde95bca8f07492c35c854b1744d51b4438be445449385d8865f4567010c20aeb042b2d39cf71e5e6e4d870073e4c500315721c62dac4

Download Submit
C:\libcef.dll
Filesize
90KB

MD5
12b71771467bb1d2d2f5f1a793836f7a

SHA1
8c86374aa8a4604be47dbe2b9cd84885f04a1cb4

SHA256
ca3d79dbd07fe563bdab59e559fafede0199aff5e25c138c560277e8a4521a87

SHA512
59e80e81afd24abf102dde95bca8f07492c35c854b1744d51b4438be445449385d8865f4567010c20aeb042b2d39cf71e5e6e4d870073e4c500315721c62dac4

Download Submit
memory/2396-132-0x0000000000000000-mapping.dmp

Download
memory/2708-137-0x0000000000000000-mapping.dmp

Download
memory/2708-138-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2708-141-0x0000000001880000-0x00000000018CE000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads