7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06

General

Target

7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe
Size

201KB
MD5

25c1edf6b6614bcd7b2bb069ce43da3c
SHA1

3c908bc6da3c488b4db676d7b142714355122dc4
SHA256

7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06
SHA512

fed4eabc05c462bb0b41f8e6748960de036a7664b5055574a0c942ffc54f19752e8de767454f0d127395574e4aa0d8bc2492cd77d23b40ee461937e60c8c8e9f
SSDEEP

6144:A3PNeTr97mhYdrkZ9NdlkPKUFfoYeErysLagemoP4V3L:EVlhZ9Vi5ewy8UQ

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1704	svcmgr.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "C:\\Windows\\SvcManager\\svcnetwork.dll"	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SvcManager\svcnetwork.dat	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe
File created	C:\Windows\SvcManager\svcmgr.exe	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe
File created	C:\Windows\SvcManager\svcnetwork.dll	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
568	1704	WerFault.exe	33
1740	1048	WerFault.exe	26

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\ms-settings\shell	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\ms-settings\shell\open\command	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\ms-settings\shell\open	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\ms-settings	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\ms-settings\shell\open\command\ = "cmd.exe /C PowerShell -WindowStyle Hidden -Command \"& {Add-MpPreference -ExclusionPath C:\\Windows\\SvcManager\\}\""	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\ms-settings\shell\open\command\DelegateExecute = "0"	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\ms-settings\shell\open\command	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\ms-settings\shell	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\ms-settings\shell\open	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f91800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1496	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1048	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	1704	svcmgr.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1736	1048	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe	27
PID 1048 wrote to memory of 1736	1048	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe	27
PID 1048 wrote to memory of 1736	1048	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe	27
PID 1736 wrote to memory of 1496	1736	cmd.exe	29
PID 1736 wrote to memory of 1496	1736	cmd.exe	29
PID 1736 wrote to memory of 1496	1736	cmd.exe	29
PID 1048 wrote to memory of 1936	1048	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe	30
PID 1048 wrote to memory of 1936	1048	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe	30
PID 1048 wrote to memory of 1936	1048	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe	30
PID 1936 wrote to memory of 1572	1936	cmd.exe	32
PID 1936 wrote to memory of 1572	1936	cmd.exe	32
PID 1936 wrote to memory of 1572	1936	cmd.exe	32
PID 1704 wrote to memory of 568	1704	svcmgr.exe	34
PID 1704 wrote to memory of 568	1704	svcmgr.exe	34
PID 1704 wrote to memory of 568	1704	svcmgr.exe	34
PID 1048 wrote to memory of 1740	1048	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe	35
PID 1048 wrote to memory of 1740	1048	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe	35
PID 1048 wrote to memory of 1740	1048	7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe	35

C:\Users\Admin\AppData\Local\Temp\7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe
"C:\Users\Admin\AppData\Local\Temp\7487dbc7ed6e93df4ec39b16c466c5c7e80f914a9b6fac9d1efad4002223cb06.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in Windows directory
- Modifies registry class
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1496
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c start computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\system32\ComputerDefaults.exe
    computerdefaults.exe
    3⤵
    PID:1572
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1048 -s 1628
  2⤵
  - Program crash
  PID:1740

C:\Windows\SvcManager\svcmgr.exe
C:\Windows\SvcManager\svcmgr.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1704 -s 1092
  2⤵
  - Program crash
  PID:568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SvcManager\svcmgr.exe

Filesize
838KB

MD5
3c8f0f1f14d9688fe72f2f56a71b6e3e

SHA1
effe2f91636b91c1b66e0faa1cdfcbb481139d0d

SHA256
b7d1a21d5532377d4e4b1a69c7fa1c33c3ced4b6027a3f4b631a0efa87845594

SHA512
c4b399e29c81f93ab8d99838f03cb1e9255eae7e792f45fa3a629e0d5244663f114593b2240f6119f62eafada3edeae02b4376fa891f57abd5fbde32b28efb92

Download Submit
C:\Windows\SvcManager\svcmgr.exe

Filesize
838KB

MD5
3c8f0f1f14d9688fe72f2f56a71b6e3e

SHA1
effe2f91636b91c1b66e0faa1cdfcbb481139d0d

SHA256
b7d1a21d5532377d4e4b1a69c7fa1c33c3ced4b6027a3f4b631a0efa87845594

SHA512
c4b399e29c81f93ab8d99838f03cb1e9255eae7e792f45fa3a629e0d5244663f114593b2240f6119f62eafada3edeae02b4376fa891f57abd5fbde32b28efb92

Download Submit
memory/1048-54-0x0000000001140000-0x0000000001178000-memory.dmp

Filesize
224KB

Download
memory/1496-58-0x000007FEEDBF0000-0x000007FEEE613000-memory.dmp

Filesize
10.1MB

Download
memory/1496-59-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/1496-60-0x000007FEED090000-0x000007FEEDBED000-memory.dmp

Filesize
11.4MB

Download
memory/1496-61-0x000000001B6F0000-0x000000001B9EF000-memory.dmp

Filesize
3.0MB

Download
memory/1496-62-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/1496-63-0x000000000249B000-0x00000000024BA000-memory.dmp

Filesize
124KB

Download
memory/1496-57-0x000007FEFC281000-0x000007FEFC283000-memory.dmp

Filesize
8KB

Download
memory/1704-69-0x0000000000B50000-0x0000000000C28000-memory.dmp

Filesize
864KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads