c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840

General

Target

c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840.exe
Size

60KB
MD5

12c8af8a84cef2695932f7d2b6db3270
SHA1

93559dc68581bde6c143eeef1d54f2c31581df22
SHA256

c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840
SHA512

c3f03f65bfab0a9a5d65f5c7258e251a1bfb210b2cadcfc7e92e8cb5a4d6b156feaeaf4d99f9e9e43a9118a20498e49801cc22e379db036f139db8b3dab8e73e
SSDEEP

768:7vWC/cSHQh/nJwKKQ2M29HSLmqTCxtt5HKL0qWm7wO+8i:R/cSHQJh2D9HSLmq2xP0wO+8i

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	SmikehRIKE.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\SmikehRIKE.exe = "C:\\Users\\Admin\\AppData\\Roaming\\SmikehRIKE.exe:*:Enabled:SmikehRIKE"	SmikehRIKE.exe

Executes dropped EXE 2 IoCs

pid	Process
1992	SmikehRIKE.exe
1976	SmikehRIKE.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{L80F71BI-65XX-GMUE-SEU6-F640ECRGNROW}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SmikehRIKE.exe"	SmikehRIKE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{L80F71BI-65XX-GMUE-SEU6-F640ECRGNROW}	SmikehRIKE.exe

Loads dropped DLL 2 IoCs

pid	Process
1172	c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840.exe
1172	c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUNSERVICES\SmikehRIKE = "C:\\Users\\Admin\\AppData\\Roaming\\SmikehRIKE.exe"	SmikehRIKE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES	SmikehRIKE.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	SmikehRIKE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	SmikehRIKE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	SmikehRIKE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	SmikehRIKE.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1172	c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840.exe
1992	SmikehRIKE.exe
1976	SmikehRIKE.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 1992	1172	c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840.exe	27
PID 1172 wrote to memory of 1992	1172	c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840.exe	27
PID 1172 wrote to memory of 1992	1172	c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840.exe	27
PID 1172 wrote to memory of 1992	1172	c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840.exe	27
PID 1992 wrote to memory of 1976	1992	SmikehRIKE.exe	28
PID 1992 wrote to memory of 1976	1992	SmikehRIKE.exe	28
PID 1992 wrote to memory of 1976	1992	SmikehRIKE.exe	28
PID 1992 wrote to memory of 1976	1992	SmikehRIKE.exe	28

C:\Users\Admin\AppData\Local\Temp\c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840.exe
"C:\Users\Admin\AppData\Local\Temp\c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Users\Admin\AppData\Roaming\SmikehRIKE.exe
  2⤵
  - Executes dropped EXE
  - Modifies Installed Components in the registry
  - Maps connected drives based on registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Users\Admin\AppData\Roaming\SmikehRIKE.exe
    [load]
    3⤵
    - Modifies firewall policy service
    - Executes dropped EXE
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Suspicious use of SetWindowsHookEx
    PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SmikehRIKE.exe

Filesize
60KB

MD5
12c8af8a84cef2695932f7d2b6db3270

SHA1
93559dc68581bde6c143eeef1d54f2c31581df22

SHA256
c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840

SHA512
c3f03f65bfab0a9a5d65f5c7258e251a1bfb210b2cadcfc7e92e8cb5a4d6b156feaeaf4d99f9e9e43a9118a20498e49801cc22e379db036f139db8b3dab8e73e

Download Submit
C:\Users\Admin\AppData\Roaming\SmikehRIKE.exe

Filesize
60KB

MD5
12c8af8a84cef2695932f7d2b6db3270

SHA1
93559dc68581bde6c143eeef1d54f2c31581df22

SHA256
c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840

SHA512
c3f03f65bfab0a9a5d65f5c7258e251a1bfb210b2cadcfc7e92e8cb5a4d6b156feaeaf4d99f9e9e43a9118a20498e49801cc22e379db036f139db8b3dab8e73e

Download Submit
C:\Users\Admin\AppData\Roaming\SmikehRIKE.exe

Filesize
60KB

MD5
12c8af8a84cef2695932f7d2b6db3270

SHA1
93559dc68581bde6c143eeef1d54f2c31581df22

SHA256
c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840

SHA512
c3f03f65bfab0a9a5d65f5c7258e251a1bfb210b2cadcfc7e92e8cb5a4d6b156feaeaf4d99f9e9e43a9118a20498e49801cc22e379db036f139db8b3dab8e73e

Download Submit
\Users\Admin\AppData\Roaming\SmikehRIKE.exe

Filesize
60KB

MD5
12c8af8a84cef2695932f7d2b6db3270

SHA1
93559dc68581bde6c143eeef1d54f2c31581df22

SHA256
c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840

SHA512
c3f03f65bfab0a9a5d65f5c7258e251a1bfb210b2cadcfc7e92e8cb5a4d6b156feaeaf4d99f9e9e43a9118a20498e49801cc22e379db036f139db8b3dab8e73e

Download Submit
\Users\Admin\AppData\Roaming\SmikehRIKE.exe

Filesize
60KB

MD5
12c8af8a84cef2695932f7d2b6db3270

SHA1
93559dc68581bde6c143eeef1d54f2c31581df22

SHA256
c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840

SHA512
c3f03f65bfab0a9a5d65f5c7258e251a1bfb210b2cadcfc7e92e8cb5a4d6b156feaeaf4d99f9e9e43a9118a20498e49801cc22e379db036f139db8b3dab8e73e

Download Submit
memory/1976-67-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads