c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840

General

Target

c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840.exe
Size

60KB
MD5

12c8af8a84cef2695932f7d2b6db3270
SHA1

93559dc68581bde6c143eeef1d54f2c31581df22
SHA256

c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840
SHA512

c3f03f65bfab0a9a5d65f5c7258e251a1bfb210b2cadcfc7e92e8cb5a4d6b156feaeaf4d99f9e9e43a9118a20498e49801cc22e379db036f139db8b3dab8e73e
SSDEEP

768:7vWC/cSHQh/nJwKKQ2M29HSLmqTCxtt5HKL0qWm7wO+8i:R/cSHQJh2D9HSLmq2xP0wO+8i

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	SmikehRIKE.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	SmikehRIKE.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	SmikehRIKE.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\SmikehRIKE.exe = "C:\\Users\\Admin\\AppData\\Roaming\\SmikehRIKE.exe:*:Enabled:SmikehRIKE"	SmikehRIKE.exe

Executes dropped EXE 2 IoCs

pid	Process
4568	SmikehRIKE.exe
3440	SmikehRIKE.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{L80F71BI-65XX-GMUE-SEU6-F640ECRGNROW}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SmikehRIKE.exe"	SmikehRIKE.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{L80F71BI-65XX-GMUE-SEU6-F640ECRGNROW}	SmikehRIKE.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES	SmikehRIKE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RUNSERVICES\SmikehRIKE = "C:\\Users\\Admin\\AppData\\Roaming\\SmikehRIKE.exe"	SmikehRIKE.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	SmikehRIKE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	SmikehRIKE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	SmikehRIKE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	SmikehRIKE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4508	c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840.exe
4568	SmikehRIKE.exe
3440	SmikehRIKE.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 4568	4508	c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840.exe	80
PID 4508 wrote to memory of 4568	4508	c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840.exe	80
PID 4508 wrote to memory of 4568	4508	c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840.exe	80
PID 4568 wrote to memory of 3440	4568	SmikehRIKE.exe	81
PID 4568 wrote to memory of 3440	4568	SmikehRIKE.exe	81
PID 4568 wrote to memory of 3440	4568	SmikehRIKE.exe	81

C:\Users\Admin\AppData\Local\Temp\c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840.exe
"C:\Users\Admin\AppData\Local\Temp\c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840.exe"
1⤵
- Maps connected drives based on registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Users\Admin\AppData\Roaming\SmikehRIKE.exe
  2⤵
  - Executes dropped EXE
  - Modifies Installed Components in the registry
  - Maps connected drives based on registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Users\Admin\AppData\Roaming\SmikehRIKE.exe
    [load]
    3⤵
    - Modifies firewall policy service
    - Executes dropped EXE
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Suspicious use of SetWindowsHookEx
    PID:3440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SmikehRIKE.exe

Filesize
60KB

MD5
12c8af8a84cef2695932f7d2b6db3270

SHA1
93559dc68581bde6c143eeef1d54f2c31581df22

SHA256
c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840

SHA512
c3f03f65bfab0a9a5d65f5c7258e251a1bfb210b2cadcfc7e92e8cb5a4d6b156feaeaf4d99f9e9e43a9118a20498e49801cc22e379db036f139db8b3dab8e73e

Download Submit
C:\Users\Admin\AppData\Roaming\SmikehRIKE.exe

Filesize
60KB

MD5
12c8af8a84cef2695932f7d2b6db3270

SHA1
93559dc68581bde6c143eeef1d54f2c31581df22

SHA256
c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840

SHA512
c3f03f65bfab0a9a5d65f5c7258e251a1bfb210b2cadcfc7e92e8cb5a4d6b156feaeaf4d99f9e9e43a9118a20498e49801cc22e379db036f139db8b3dab8e73e

Download Submit
C:\Users\Admin\AppData\Roaming\SmikehRIKE.exe

Filesize
60KB

MD5
12c8af8a84cef2695932f7d2b6db3270

SHA1
93559dc68581bde6c143eeef1d54f2c31581df22

SHA256
c2c62cc89d4483fd2be6e0b6b7cf6dc16810440ac94294fe7f52a2cde7584840

SHA512
c3f03f65bfab0a9a5d65f5c7258e251a1bfb210b2cadcfc7e92e8cb5a4d6b156feaeaf4d99f9e9e43a9118a20498e49801cc22e379db036f139db8b3dab8e73e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads