7c132163f52c03956cfef1e79e97d593f71ccebb6ff737e9dc1026f012fb0693

General

Target

7c132163f52c03956cfef1e79e97d593f71ccebb6ff737e9dc1026f012fb0693.exe
Size

88KB
MD5

516d5d5e85671aa6058c5c1660a50700
SHA1

adbf1edced18ff95c3d3c9576638b796b3d6ca12
SHA256

7c132163f52c03956cfef1e79e97d593f71ccebb6ff737e9dc1026f012fb0693
SHA512

a522c27447ba3287112dd4fcaf4638086acb1d8aa368575a5a7dc1cdc5d4618e69f1eedc2376a84044f0dc097eeaffceb5bc550f5a395a816b596ae8734390a4
SSDEEP

768:vuWgcPFxeeja8yS9dL+LBzknrfBw6lkuVdE0cNYcAjPuDxfb:TPFxeevX3L+LBzkVw29VdjcNYcADa

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1496	ravgjmon.exe

Deletes itself 1 IoCs

pid	Process
888	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1788	7c132163f52c03956cfef1e79e97d593f71ccebb6ff737e9dc1026f012fb0693.exe
1788	7c132163f52c03956cfef1e79e97d593f71ccebb6ff737e9dc1026f012fb0693.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ravgjmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ravgjmon = "C:\\Program Files\\NetMeeting\\ravgjmon.exe"	ravgjmon.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\NetMeeting\ravgjmon.exe	7c132163f52c03956cfef1e79e97d593f71ccebb6ff737e9dc1026f012fb0693.exe
File created	C:\Program Files\NetMeeting\ravgjmon.exe	7c132163f52c03956cfef1e79e97d593f71ccebb6ff737e9dc1026f012fb0693.exe
File opened for modification	C:\Program Files\NetMeeting\ravgjmon.cfg	7c132163f52c03956cfef1e79e97d593f71ccebb6ff737e9dc1026f012fb0693.exe
File opened for modification	C:\Program Files\NetMeeting\ravgjmon.dat	ravgjmon.exe
File created	C:\Program Files\NetMeeting\ravgjmon.dat	ravgjmon.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1788	7c132163f52c03956cfef1e79e97d593f71ccebb6ff737e9dc1026f012fb0693.exe
1788	7c132163f52c03956cfef1e79e97d593f71ccebb6ff737e9dc1026f012fb0693.exe
1496	ravgjmon.exe
1496	ravgjmon.exe
1496	ravgjmon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1496	ravgjmon.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 1496	1788	7c132163f52c03956cfef1e79e97d593f71ccebb6ff737e9dc1026f012fb0693.exe	27
PID 1788 wrote to memory of 1496	1788	7c132163f52c03956cfef1e79e97d593f71ccebb6ff737e9dc1026f012fb0693.exe	27
PID 1788 wrote to memory of 1496	1788	7c132163f52c03956cfef1e79e97d593f71ccebb6ff737e9dc1026f012fb0693.exe	27
PID 1788 wrote to memory of 1496	1788	7c132163f52c03956cfef1e79e97d593f71ccebb6ff737e9dc1026f012fb0693.exe	27
PID 1496 wrote to memory of 1380	1496	ravgjmon.exe	15
PID 1788 wrote to memory of 888	1788	7c132163f52c03956cfef1e79e97d593f71ccebb6ff737e9dc1026f012fb0693.exe	28
PID 1788 wrote to memory of 888	1788	7c132163f52c03956cfef1e79e97d593f71ccebb6ff737e9dc1026f012fb0693.exe	28
PID 1788 wrote to memory of 888	1788	7c132163f52c03956cfef1e79e97d593f71ccebb6ff737e9dc1026f012fb0693.exe	28
PID 1788 wrote to memory of 888	1788	7c132163f52c03956cfef1e79e97d593f71ccebb6ff737e9dc1026f012fb0693.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\Temp\7c132163f52c03956cfef1e79e97d593f71ccebb6ff737e9dc1026f012fb0693.exe
  "C:\Users\Admin\AppData\Local\Temp\7c132163f52c03956cfef1e79e97d593f71ccebb6ff737e9dc1026f012fb0693.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Program Files\NetMeeting\ravgjmon.exe
    "C:\Program Files\NetMeeting\ravgjmon.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\7c132163f52c03956cfef1e79e97d593f71ccebb6ff737e9dc1026f012fb0693.exe"
    3⤵
    - Deletes itself
    PID:888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\NetMeeting\ravgjmon.exe

Filesize
88KB

MD5
516d5d5e85671aa6058c5c1660a50700

SHA1
adbf1edced18ff95c3d3c9576638b796b3d6ca12

SHA256
7c132163f52c03956cfef1e79e97d593f71ccebb6ff737e9dc1026f012fb0693

SHA512
a522c27447ba3287112dd4fcaf4638086acb1d8aa368575a5a7dc1cdc5d4618e69f1eedc2376a84044f0dc097eeaffceb5bc550f5a395a816b596ae8734390a4

Download Submit
C:\Program Files\NetMeeting\ravgjmon.exe

Filesize
88KB

MD5
516d5d5e85671aa6058c5c1660a50700

SHA1
adbf1edced18ff95c3d3c9576638b796b3d6ca12

SHA256
7c132163f52c03956cfef1e79e97d593f71ccebb6ff737e9dc1026f012fb0693

SHA512
a522c27447ba3287112dd4fcaf4638086acb1d8aa368575a5a7dc1cdc5d4618e69f1eedc2376a84044f0dc097eeaffceb5bc550f5a395a816b596ae8734390a4

Download Submit
\Program Files\NetMeeting\ravgjmon.exe

Filesize
88KB

MD5
516d5d5e85671aa6058c5c1660a50700

SHA1
adbf1edced18ff95c3d3c9576638b796b3d6ca12

SHA256
7c132163f52c03956cfef1e79e97d593f71ccebb6ff737e9dc1026f012fb0693

SHA512
a522c27447ba3287112dd4fcaf4638086acb1d8aa368575a5a7dc1cdc5d4618e69f1eedc2376a84044f0dc097eeaffceb5bc550f5a395a816b596ae8734390a4

Download Submit
\Program Files\NetMeeting\ravgjmon.exe

Filesize
88KB

MD5
516d5d5e85671aa6058c5c1660a50700

SHA1
adbf1edced18ff95c3d3c9576638b796b3d6ca12

SHA256
7c132163f52c03956cfef1e79e97d593f71ccebb6ff737e9dc1026f012fb0693

SHA512
a522c27447ba3287112dd4fcaf4638086acb1d8aa368575a5a7dc1cdc5d4618e69f1eedc2376a84044f0dc097eeaffceb5bc550f5a395a816b596ae8734390a4

Download Submit
memory/888-59-0x0000000000000000-mapping.dmp

Download
memory/1496-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing