8125bf3a66e4229d2c1f338fbb22ef905399eef6a9b810ab127df2657fe3d72a

General

Target

8125bf3a66e4229d2c1f338fbb22ef905399eef6a9b810ab127df2657fe3d72a.exe
Size

44KB
MD5

03fa1eb2c8ed7bcdff4d18a7c54ec9a0
SHA1

0f3d49bdf6d38d57f97799bff106a65a14acf29d
SHA256

8125bf3a66e4229d2c1f338fbb22ef905399eef6a9b810ab127df2657fe3d72a
SHA512

14b207810325049c286db326ba2cabd2b94f28217bd5a8bc3dddae00f01c52e24eb87416d7743dd44a941564ddb946a0ef2c5f4fa9ed36814096bef462a0787f
SSDEEP

768:xwSusJflkizHZN/XS8yxxD+hAckJ1jv/R7a55vGFdBTzHINxmsG:dJWE3C8yfD2AckJx39ajeloNxm

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\beep.sys	8125bf3a66e4229d2c1f338fbb22ef905399eef6a9b810ab127df2657fe3d72a.exe
File created	C:\Windows\SysWOW64\drivers\beep.sys	regedit32.exe

Executes dropped EXE 1 IoCs

pid	Process
1676	regedit32.exe

Deletes itself 1 IoCs

pid	Process
1360	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1976	8125bf3a66e4229d2c1f338fbb22ef905399eef6a9b810ab127df2657fe3d72a.exe
1976	8125bf3a66e4229d2c1f338fbb22ef905399eef6a9b810ab127df2657fe3d72a.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\regedit32.exe	8125bf3a66e4229d2c1f338fbb22ef905399eef6a9b810ab127df2657fe3d72a.exe
File created	C:\Windows\SysWOW64\regedit32.exe	regedit32.exe
File created	C:\Windows\SysWOW64\regedit32.exe	8125bf3a66e4229d2c1f338fbb22ef905399eef6a9b810ab127df2657fe3d72a.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
464	Process not Found
464	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1976	8125bf3a66e4229d2c1f338fbb22ef905399eef6a9b810ab127df2657fe3d72a.exe
Token: SeIncBasePriorityPrivilege	1676	regedit32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1676	1976	8125bf3a66e4229d2c1f338fbb22ef905399eef6a9b810ab127df2657fe3d72a.exe	28
PID 1976 wrote to memory of 1676	1976	8125bf3a66e4229d2c1f338fbb22ef905399eef6a9b810ab127df2657fe3d72a.exe	28
PID 1976 wrote to memory of 1676	1976	8125bf3a66e4229d2c1f338fbb22ef905399eef6a9b810ab127df2657fe3d72a.exe	28
PID 1976 wrote to memory of 1676	1976	8125bf3a66e4229d2c1f338fbb22ef905399eef6a9b810ab127df2657fe3d72a.exe	28
PID 1976 wrote to memory of 1360	1976	8125bf3a66e4229d2c1f338fbb22ef905399eef6a9b810ab127df2657fe3d72a.exe	29
PID 1976 wrote to memory of 1360	1976	8125bf3a66e4229d2c1f338fbb22ef905399eef6a9b810ab127df2657fe3d72a.exe	29
PID 1976 wrote to memory of 1360	1976	8125bf3a66e4229d2c1f338fbb22ef905399eef6a9b810ab127df2657fe3d72a.exe	29
PID 1976 wrote to memory of 1360	1976	8125bf3a66e4229d2c1f338fbb22ef905399eef6a9b810ab127df2657fe3d72a.exe	29
PID 1676 wrote to memory of 1756	1676	regedit32.exe	30
PID 1676 wrote to memory of 1756	1676	regedit32.exe	30
PID 1676 wrote to memory of 1756	1676	regedit32.exe	30
PID 1676 wrote to memory of 1756	1676	regedit32.exe	30

C:\Users\Admin\AppData\Local\Temp\8125bf3a66e4229d2c1f338fbb22ef905399eef6a9b810ab127df2657fe3d72a.exe
"C:\Users\Admin\AppData\Local\Temp\8125bf3a66e4229d2c1f338fbb22ef905399eef6a9b810ab127df2657fe3d72a.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\regedit32.exe
  "C:\Windows\system32\regedit32.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\REGEDI~1.EXE > nul
    3⤵
    PID:1756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8125BF~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\drivers\beep.sys

Filesize
2KB

MD5
0e1d8c703b0b083560b95cd93b45c146

SHA1
a1cb6b878445a2417ddd35d927255432eb5074e2

SHA256
d0130627ab480faff1d9a67856f074c1232c7b19ff25dc951c18bb0afdde482b

SHA512
ad0e0dbb4dd7cd9783dda6d91fc2be3d1c8091abdf27f3abb2a0325e1e10de0a452f11090ceb016c303c60b77ad4cf9c52ba74ba72f875f9c3ba565934bdcfde

Download Submit
C:\Windows\SysWOW64\regedit32.exe

Filesize
44KB

MD5
03fa1eb2c8ed7bcdff4d18a7c54ec9a0

SHA1
0f3d49bdf6d38d57f97799bff106a65a14acf29d

SHA256
8125bf3a66e4229d2c1f338fbb22ef905399eef6a9b810ab127df2657fe3d72a

SHA512
14b207810325049c286db326ba2cabd2b94f28217bd5a8bc3dddae00f01c52e24eb87416d7743dd44a941564ddb946a0ef2c5f4fa9ed36814096bef462a0787f

Download Submit
C:\Windows\SysWOW64\regedit32.exe

Filesize
44KB

MD5
03fa1eb2c8ed7bcdff4d18a7c54ec9a0

SHA1
0f3d49bdf6d38d57f97799bff106a65a14acf29d

SHA256
8125bf3a66e4229d2c1f338fbb22ef905399eef6a9b810ab127df2657fe3d72a

SHA512
14b207810325049c286db326ba2cabd2b94f28217bd5a8bc3dddae00f01c52e24eb87416d7743dd44a941564ddb946a0ef2c5f4fa9ed36814096bef462a0787f

Download Submit
\Windows\SysWOW64\regedit32.exe

Filesize
44KB

MD5
03fa1eb2c8ed7bcdff4d18a7c54ec9a0

SHA1
0f3d49bdf6d38d57f97799bff106a65a14acf29d

SHA256
8125bf3a66e4229d2c1f338fbb22ef905399eef6a9b810ab127df2657fe3d72a

SHA512
14b207810325049c286db326ba2cabd2b94f28217bd5a8bc3dddae00f01c52e24eb87416d7743dd44a941564ddb946a0ef2c5f4fa9ed36814096bef462a0787f

Download Submit
\Windows\SysWOW64\regedit32.exe

Filesize
44KB

MD5
03fa1eb2c8ed7bcdff4d18a7c54ec9a0

SHA1
0f3d49bdf6d38d57f97799bff106a65a14acf29d

SHA256
8125bf3a66e4229d2c1f338fbb22ef905399eef6a9b810ab127df2657fe3d72a

SHA512
14b207810325049c286db326ba2cabd2b94f28217bd5a8bc3dddae00f01c52e24eb87416d7743dd44a941564ddb946a0ef2c5f4fa9ed36814096bef462a0787f

Download Submit
memory/1976-54-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download
memory/1976-61-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1976-65-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing