918a8bc0b19c1dd25e62212a96da3424c64260dbe44e317b04724e30e3bcd82f

General

Target

918a8bc0b19c1dd25e62212a96da3424c64260dbe44e317b04724e30e3bcd82f.exe
Size

143KB
MD5

937a045f22268716ddf831261909a0d0
SHA1

ea90fdfeec6d86a30f2a402dd69051ff2d91e321
SHA256

918a8bc0b19c1dd25e62212a96da3424c64260dbe44e317b04724e30e3bcd82f
SHA512

0e69dac5145643a02800c37b7875b7406a9099c95f0da703bbeb69123b6b8b57d2115d46af7529f9c386fa45e3c711f17ded5910774d8c1742054c4a6b90dff5
SSDEEP

3072:uVsUDpx0vbcHYMBsWTD8YasmPLjNHiYwjZrtK64Qdnos:uVsJc+WMYSPLjEdjZJn4Q

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Screen Saver Pro 3.1 = "C:\\Users\\Admin\\AppData\\Roaming\\ScreenSaverPro.scr"	918a8bc0b19c1dd25e62212a96da3424c64260dbe44e317b04724e30e3bcd82f.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1516	mspaint.exe
1516	mspaint.exe
1516	mspaint.exe
1516	mspaint.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 1956	576	918a8bc0b19c1dd25e62212a96da3424c64260dbe44e317b04724e30e3bcd82f.exe	26
PID 576 wrote to memory of 1956	576	918a8bc0b19c1dd25e62212a96da3424c64260dbe44e317b04724e30e3bcd82f.exe	26
PID 576 wrote to memory of 1956	576	918a8bc0b19c1dd25e62212a96da3424c64260dbe44e317b04724e30e3bcd82f.exe	26
PID 576 wrote to memory of 1956	576	918a8bc0b19c1dd25e62212a96da3424c64260dbe44e317b04724e30e3bcd82f.exe	26
PID 576 wrote to memory of 1956	576	918a8bc0b19c1dd25e62212a96da3424c64260dbe44e317b04724e30e3bcd82f.exe	26
PID 576 wrote to memory of 1956	576	918a8bc0b19c1dd25e62212a96da3424c64260dbe44e317b04724e30e3bcd82f.exe	26
PID 576 wrote to memory of 1956	576	918a8bc0b19c1dd25e62212a96da3424c64260dbe44e317b04724e30e3bcd82f.exe	26
PID 576 wrote to memory of 1640	576	918a8bc0b19c1dd25e62212a96da3424c64260dbe44e317b04724e30e3bcd82f.exe	27
PID 576 wrote to memory of 1640	576	918a8bc0b19c1dd25e62212a96da3424c64260dbe44e317b04724e30e3bcd82f.exe	27
PID 576 wrote to memory of 1640	576	918a8bc0b19c1dd25e62212a96da3424c64260dbe44e317b04724e30e3bcd82f.exe	27
PID 576 wrote to memory of 1640	576	918a8bc0b19c1dd25e62212a96da3424c64260dbe44e317b04724e30e3bcd82f.exe	27
PID 576 wrote to memory of 1640	576	918a8bc0b19c1dd25e62212a96da3424c64260dbe44e317b04724e30e3bcd82f.exe	27
PID 576 wrote to memory of 1640	576	918a8bc0b19c1dd25e62212a96da3424c64260dbe44e317b04724e30e3bcd82f.exe	27
PID 576 wrote to memory of 1640	576	918a8bc0b19c1dd25e62212a96da3424c64260dbe44e317b04724e30e3bcd82f.exe	27
PID 576 wrote to memory of 1640	576	918a8bc0b19c1dd25e62212a96da3424c64260dbe44e317b04724e30e3bcd82f.exe	27
PID 1956 wrote to memory of 1516	1956	svchost.exe	28
PID 1956 wrote to memory of 1516	1956	svchost.exe	28
PID 1956 wrote to memory of 1516	1956	svchost.exe	28
PID 1956 wrote to memory of 1516	1956	svchost.exe	28

C:\Users\Admin\AppData\Local\Temp\918a8bc0b19c1dd25e62212a96da3424c64260dbe44e317b04724e30e3bcd82f.exe
"C:\Users\Admin\AppData\Local\Temp\918a8bc0b19c1dd25e62212a96da3424c64260dbe44e317b04724e30e3bcd82f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:576
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\SysWOW64\mspaint.exe
    "C:\Windows\system32\mspaint.exe"
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1516
- C:\Users\Admin\AppData\Local\Temp\918a8bc0b19c1dd25e62212a96da3424c64260dbe44e317b04724e30e3bcd82f.exe
  "C:\Users\Admin\AppData\Local\Temp\918a8bc0b19c1dd25e62212a96da3424c64260dbe44e317b04724e30e3bcd82f.exe"
  2⤵
  PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/576-77-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/576-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/576-57-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/576-58-0x00000000001B0000-0x00000000001C5000-memory.dmp

Filesize
84KB

Download
memory/576-54-0x0000000075911000-0x0000000075913000-memory.dmp

Filesize
8KB

Download
memory/576-75-0x00000000002B0000-0x00000000002E9000-memory.dmp

Filesize
228KB

Download
memory/1516-74-0x00000000005C1000-0x00000000005C3000-memory.dmp

Filesize
8KB

Download
memory/1640-62-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1640-68-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1640-70-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1640-65-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1640-63-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1956-59-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download
memory/1956-76-0x00000000000C0000-0x00000000000E1000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing