bf6282b998f66e7a5fdf347295a6f4c4a9575efcd75f35b32fc9e6aac7b3e186

General

Target

bf6282b998f66e7a5fdf347295a6f4c4a9575efcd75f35b32fc9e6aac7b3e186.exe
Size

72KB
MD5

0663a579a6c5c9fc028afcbae42c7257
SHA1

c368810bb3335edc53c16a097cc1132492393c88
SHA256

bf6282b998f66e7a5fdf347295a6f4c4a9575efcd75f35b32fc9e6aac7b3e186
SHA512

da5d068839053038eff55c71dad68957b1f9021b445da32f3f95ee7a4c539689751301d2fcd9b47091f8f9830e4f0373dacb84a39b87a4ae263d263d0cdbba8e
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2U:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPA

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	bf6282b998f66e7a5fdf347295a6f4c4a9575efcd75f35b32fc9e6aac7b3e186.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 4 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bf6282b998f66e7a5fdf347295a6f4c4a9575efcd75f35b32fc9e6aac7b3e186.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bf6282b998f66e7a5fdf347295a6f4c4a9575efcd75f35b32fc9e6aac7b3e186.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 1 IoCs

pid	Process
1804	backup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4156	bf6282b998f66e7a5fdf347295a6f4c4a9575efcd75f35b32fc9e6aac7b3e186.exe
1804	backup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 1804	4156	bf6282b998f66e7a5fdf347295a6f4c4a9575efcd75f35b32fc9e6aac7b3e186.exe	33
PID 4156 wrote to memory of 1804	4156	bf6282b998f66e7a5fdf347295a6f4c4a9575efcd75f35b32fc9e6aac7b3e186.exe	33
PID 4156 wrote to memory of 1804	4156	bf6282b998f66e7a5fdf347295a6f4c4a9575efcd75f35b32fc9e6aac7b3e186.exe	33

System policy modification 1 TTPs 8 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	bf6282b998f66e7a5fdf347295a6f4c4a9575efcd75f35b32fc9e6aac7b3e186.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	bf6282b998f66e7a5fdf347295a6f4c4a9575efcd75f35b32fc9e6aac7b3e186.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bf6282b998f66e7a5fdf347295a6f4c4a9575efcd75f35b32fc9e6aac7b3e186.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bf6282b998f66e7a5fdf347295a6f4c4a9575efcd75f35b32fc9e6aac7b3e186.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\bf6282b998f66e7a5fdf347295a6f4c4a9575efcd75f35b32fc9e6aac7b3e186.exe
"C:\Users\Admin\AppData\Local\Temp\bf6282b998f66e7a5fdf347295a6f4c4a9575efcd75f35b32fc9e6aac7b3e186.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4156
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  PID:1980
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  PID:3272
- C:\Users\Admin\AppData\Local\Temp\3823756984\backup.exe
  C:\Users\Admin\AppData\Local\Temp\3823756984\backup.exe C:\Users\Admin\AppData\Local\Temp\3823756984\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3823756984\backup.exe

Filesize
19KB

MD5
f2e9e2640e12dd7978f0b804b7f73ea3

SHA1
4bdd1eaf51889a31e97c9758880f55d2caa2247f

SHA256
433863e7a7a01b42a207fe6429190115375763f9db32676820a992d6239ebac8

SHA512
76192e4a735021ab1bef7ea06cc873dcd31184b4d1889f750b905d82098d63876453b219943702087f95febc32bc6f5f7a23d4f03ed270556e7d4a07067472b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3823756984\backup.exe

Filesize
43KB

MD5
75e4785eae4550812e61ea7ca347a5c6

SHA1
1ae840ffa72bd0f533edfc8b3dd715e629a481f6

SHA256
57351591dbc52808399e0bc2cecdbd4299faa1b574821dcf46833164a3d51b23

SHA512
b8fa3075cc796e4879267fca6a2bcbf74d07b3a7db5662d59c37db77bfa25905dde29507c8138156df42aa6c629a50bf1ddcb849da9f3749c75f01ef1f4d67e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
56KB

MD5
cda1de321fe963e1d54e08e47f52f74a

SHA1
73b9bbea2ccc62e532df149a195897e4f75c1ce5

SHA256
c4fac95ce9da7e2250a195b2ea403a15e2ca3d34bf75a81187b40832706b7fc6

SHA512
0ebbffbd6fedc6b847d5abfd125b816ef233c005377dbdeb56466060010ed42eb936f22441bc6e193d5f99a7bce13fd583a1e21c3e0a278d5442df4e39348ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
43KB

MD5
8a8ef42f7230a61a270677181632a39d

SHA1
c2678a06ab317c6c020b876941dfde4d2a4fe2a3

SHA256
962d7e3d25f78f7ec28c2915da330a6591020abaa7bffbb57a14132a3a1dd2b5

SHA512
b57d0c2472fa6d64b8d5ad69541650205b5352cbe9df717eaf7b1fac1885290018a039f774807900c9612b7e02d32970ed24d608c489b7d08160bce0bfeb8494

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
20KB

MD5
c1139d7de6d6f26193c8cadd03141e67

SHA1
98bc019bd6a20b6815e1697e66ad1bd09e205690

SHA256
01b623ec8bc06e676b03cf6ef43cee608c134a5890222ff42c15ee752acd3659

SHA512
f29b218e77e8e3cf3171f00b874a74dbcb7960f72953cbf09de9ab03106717f87d98bf675227a39ca056c54b40d5908279eed8b070c08c86c9a0f93ca498782b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
29KB

MD5
0d86ad241df97e7c51ecb9823a00391f

SHA1
7546fda3931734ecb9460302e750776b53ce1b9f

SHA256
e7602ca3f92e7e8b79c91d43fd69a17f513b40aa6052f277e0ab2531e5335020

SHA512
6857caa047b9fdb0519b05ba6eea135b1e2e6a46e961fd9dacdb5dace2209e09386b1e52a7186cf7d29600b03717b0d3b2c3d18aa7e9c32df314bffda1443b9c

Download Submit
memory/1804-134-0x0000000000000000-mapping.dmp

Download
memory/1980-144-0x0000000000000000-mapping.dmp

Download
memory/3272-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads