84bcba04a0ca8fb5b4f7d1acb98a31e61ebbff5ae9749997c1893f0aa340c22e

General

Target

84bcba04a0ca8fb5b4f7d1acb98a31e61ebbff5ae9749997c1893f0aa340c22e.exe
Size

160KB
MD5

c15d65bf23b9ea788e1189f29b67f1cc
SHA1

b2f569d3552cba767c46c43b8b0fbe9cf702c04f
SHA256

84bcba04a0ca8fb5b4f7d1acb98a31e61ebbff5ae9749997c1893f0aa340c22e
SHA512

279ebfdcd9c0d42a2d4984785e0504c3c88a8b237b4ec7beb340b16f160ceea6d97e432aada7021511fad700834745b8cd2dd9f22783e8c7058efcbff2c3359c
SSDEEP

3072:jSy7JYQLxdtE7e/+Q1/src9LEZFotiVIltWUaMZo:jPmexjE7e/mnZ+iq6lMZo

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	msiexec.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msiexec.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\865600430 = "C:\\ProgramData\\msqdzuvwo.exe"	msiexec.exe

Blocklisted process makes network request 21 IoCs

flow	pid	Process
2	1952	msiexec.exe
3	1952	msiexec.exe
5	1952	msiexec.exe
6	1952	msiexec.exe
7	1952	msiexec.exe
9	1952	msiexec.exe
10	1952	msiexec.exe
11	1952	msiexec.exe
13	1952	msiexec.exe
14	1952	msiexec.exe
15	1952	msiexec.exe
18	1952	msiexec.exe
19	1952	msiexec.exe
20	1952	msiexec.exe
21	1952	msiexec.exe
22	1952	msiexec.exe
23	1952	msiexec.exe
24	1952	msiexec.exe
25	1952	msiexec.exe
26	1952	msiexec.exe
27	1952	msiexec.exe

Disables taskbar notifications via registry modification
evasion

Deletes itself 1 IoCs

pid	Process
1952	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\Run	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2044	84bcba04a0ca8fb5b4f7d1acb98a31e61ebbff5ae9749997c1893f0aa340c22e.exe
1952	msiexec.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2044	84bcba04a0ca8fb5b4f7d1acb98a31e61ebbff5ae9749997c1893f0aa340c22e.exe
2044	84bcba04a0ca8fb5b4f7d1acb98a31e61ebbff5ae9749997c1893f0aa340c22e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1952	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1952	2044	84bcba04a0ca8fb5b4f7d1acb98a31e61ebbff5ae9749997c1893f0aa340c22e.exe	26
PID 2044 wrote to memory of 1952	2044	84bcba04a0ca8fb5b4f7d1acb98a31e61ebbff5ae9749997c1893f0aa340c22e.exe	26
PID 2044 wrote to memory of 1952	2044	84bcba04a0ca8fb5b4f7d1acb98a31e61ebbff5ae9749997c1893f0aa340c22e.exe	26
PID 2044 wrote to memory of 1952	2044	84bcba04a0ca8fb5b4f7d1acb98a31e61ebbff5ae9749997c1893f0aa340c22e.exe	26
PID 2044 wrote to memory of 1952	2044	84bcba04a0ca8fb5b4f7d1acb98a31e61ebbff5ae9749997c1893f0aa340c22e.exe	26
PID 2044 wrote to memory of 1952	2044	84bcba04a0ca8fb5b4f7d1acb98a31e61ebbff5ae9749997c1893f0aa340c22e.exe	26
PID 2044 wrote to memory of 1952	2044	84bcba04a0ca8fb5b4f7d1acb98a31e61ebbff5ae9749997c1893f0aa340c22e.exe	26

C:\Users\Admin\AppData\Local\Temp\84bcba04a0ca8fb5b4f7d1acb98a31e61ebbff5ae9749997c1893f0aa340c22e.exe
"C:\Users\Admin\AppData\Local\Temp\84bcba04a0ca8fb5b4f7d1acb98a31e61ebbff5ae9749997c1893f0aa340c22e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Adds policy Run key to start application
  - Blocklisted process makes network request
  - Deletes itself
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1952-57-0x0000000000000000-mapping.dmp

Download
memory/1952-61-0x000000007EF90000-0x000000007EF97000-memory.dmp

Filesize
28KB

Download
memory/1952-60-0x0000000000090000-0x0000000000096000-memory.dmp

Filesize
24KB

Download
memory/1952-59-0x00000000003C0000-0x00000000003D4000-memory.dmp

Filesize
80KB

Download
memory/1952-62-0x000000007EF90000-0x000000007EF97000-memory.dmp

Filesize
28KB

Download
memory/2044-54-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/2044-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2044-56-0x000000007EF90000-0x000000007EF97000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads