797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a

General

Target

797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe
Size

588KB
MD5

af0e1464973db49aba5c54b0cea301e2
SHA1

0a23457b3f66d70874ba3d15f07c6499a21d00ac
SHA256

797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a
SHA512

e56ea14d3ea1e3c3b735049ae06b89304735723f080f5776a5623452b2b483930555a6a1c423240ee7dbcfd34232cd4640b9c33007f42552e5dfaecbf477e6a2
SSDEEP

12288:PAya3DR+3ZOfI4w+yXOxGHXdC+SOCAnDa6SsWz:P4N+pHpXOx6svOd2dsC

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE

pid	process
1200	Explorer.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\{CBD43308-9BC0-8200-F000-47242214BF} = "\"C:\\Users\\Admin\\AppData\\Roaming\\{CBD43308-9BC0-8200-F000-47242214BF}\\lmrwxdejop.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 2 IoCs

Processes:

797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe

description	pid	process	target process
PID 1120 set thread context of 580	1120	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe
PID 580 set thread context of 1056	580	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe

pid process

580 797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE

pid	process
580	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe

pid	process
1200	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	580	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe
Token: SeSecurityPrivilege	580	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe
Token: SeSecurityPrivilege	580	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe
Token: SeSecurityPrivilege	1056	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE
1200 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE
1200 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe

pid process

1120 797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe

pid	process
1200	Explorer.EXE
1200	Explorer.EXE

pid	process
1200	Explorer.EXE
1200	Explorer.EXE

pid	process
1120	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe

description	pid	process	target process
PID 1120 wrote to memory of 580	1120	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe
PID 1120 wrote to memory of 580	1120	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe
PID 1120 wrote to memory of 580	1120	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe
PID 1120 wrote to memory of 580	1120	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe
PID 1120 wrote to memory of 580	1120	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe
PID 1120 wrote to memory of 580	1120	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe
PID 1120 wrote to memory of 580	1120	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe
PID 1120 wrote to memory of 580	1120	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe
PID 1120 wrote to memory of 580	1120	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe
PID 1120 wrote to memory of 580	1120	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe
PID 1120 wrote to memory of 580	1120	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe
PID 580 wrote to memory of 1200	580	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe	Explorer.EXE
PID 580 wrote to memory of 1200	580	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe	Explorer.EXE
PID 580 wrote to memory of 1200	580	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe	Explorer.EXE
PID 580 wrote to memory of 1200	580	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe	Explorer.EXE
PID 580 wrote to memory of 1200	580	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe	Explorer.EXE
PID 580 wrote to memory of 1200	580	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe	Explorer.EXE
PID 580 wrote to memory of 1056	580	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe	svchost.exe
PID 580 wrote to memory of 1056	580	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe	svchost.exe
PID 580 wrote to memory of 1056	580	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe	svchost.exe
PID 580 wrote to memory of 1056	580	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe	svchost.exe
PID 580 wrote to memory of 1056	580	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe	svchost.exe
PID 580 wrote to memory of 1056	580	797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe	svchost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Deletes itself
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1200

C:\Users\Admin\AppData\Local\Temp\797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe
"C:\Users\Admin\AppData\Local\Temp\797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\AppData\Local\Temp\797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe
"C:\Users\Admin\AppData\Local\Temp\797eb23379c02fd8aa67009f44f66c63ecc07ec954e9b4b20664a8ab4f7c969a.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/580-57-0x0000000000404880-mapping.dmp

Download
memory/580-56-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/580-59-0x0000000076B51000-0x0000000076B53000-memory.dmp

Filesize
8KB

Download
memory/580-60-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/580-68-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1056-61-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/1056-63-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/1056-64-0x0000000010008DE0-mapping.dmp

Download
memory/1056-67-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/1056-70-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/1200-69-0x0000000002B50000-0x0000000002B5F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads