85e820a74f8c40882f50def7ac61bf97ce3cf12272cf8965208db7fe0c33d566

General

Target

85e820a74f8c40882f50def7ac61bf97ce3cf12272cf8965208db7fe0c33d566.exe
Size

309KB
MD5

357dce7de8eaf0697a38d7c08d4283ea
SHA1

71e813b63cb582dee2e4729d99ca032d43367d4d
SHA256

85e820a74f8c40882f50def7ac61bf97ce3cf12272cf8965208db7fe0c33d566
SHA512

f3b2e191daa046e544ca07462448512ae581e6cd6e82d3cab87dcf1dfea21673fdf1817753a7b1b9e26c99f28bc80e45f73fa53fb33221fc8faf73886d98fdd2
SSDEEP

6144:DS6vKkb0M+TPVk22Dy5iuXqXP8cEfpb2hmLctK:DFZYMUNk22GvaXP0pb0mLct

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

SoftwareProtection.exe~A5B2.tmp

pid process

900 SoftwareProtection.exe
764 ~A5B2.tmp
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

996 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

85e820a74f8c40882f50def7ac61bf97ce3cf12272cf8965208db7fe0c33d566.exeSoftwareProtection.exe

pid process

2008 85e820a74f8c40882f50def7ac61bf97ce3cf12272cf8965208db7fe0c33d566.exe
900 SoftwareProtection.exe

pid	process
996	cmd.exe

pid	process
2008	85e820a74f8c40882f50def7ac61bf97ce3cf12272cf8965208db7fe0c33d566.exe
900	SoftwareProtection.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

85e820a74f8c40882f50def7ac61bf97ce3cf12272cf8965208db7fe0c33d566.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\forfgMgr = "C:\\Users\\Admin\\AppData\\Roaming\\SoftwareProtection.exe"	85e820a74f8c40882f50def7ac61bf97ce3cf12272cf8965208db7fe0c33d566.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SoftwareProtection.exeExplorer.EXE

pid	process
900	SoftwareProtection.exe
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1216 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Explorer.EXE

description pid process

Token: SeShutdownPrivilege 1216 Explorer.EXE
Suspicious use of UnmapMainImage 2 IoCs

Processes:

85e820a74f8c40882f50def7ac61bf97ce3cf12272cf8965208db7fe0c33d566.exeSoftwareProtection.exe

pid process

2008 85e820a74f8c40882f50def7ac61bf97ce3cf12272cf8965208db7fe0c33d566.exe
900 SoftwareProtection.exe

pid	process
1216	Explorer.EXE

description	pid	process
Token: SeShutdownPrivilege	1216	Explorer.EXE

pid	process
2008	85e820a74f8c40882f50def7ac61bf97ce3cf12272cf8965208db7fe0c33d566.exe
900	SoftwareProtection.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

85e820a74f8c40882f50def7ac61bf97ce3cf12272cf8965208db7fe0c33d566.exeSoftwareProtection.exe~A5B2.tmpcmd.exe

description	pid	process	target process
PID 2008 wrote to memory of 900	2008	85e820a74f8c40882f50def7ac61bf97ce3cf12272cf8965208db7fe0c33d566.exe	SoftwareProtection.exe
PID 2008 wrote to memory of 900	2008	85e820a74f8c40882f50def7ac61bf97ce3cf12272cf8965208db7fe0c33d566.exe	SoftwareProtection.exe
PID 2008 wrote to memory of 900	2008	85e820a74f8c40882f50def7ac61bf97ce3cf12272cf8965208db7fe0c33d566.exe	SoftwareProtection.exe
PID 2008 wrote to memory of 900	2008	85e820a74f8c40882f50def7ac61bf97ce3cf12272cf8965208db7fe0c33d566.exe	SoftwareProtection.exe
PID 2008 wrote to memory of 996	2008	85e820a74f8c40882f50def7ac61bf97ce3cf12272cf8965208db7fe0c33d566.exe	cmd.exe
PID 2008 wrote to memory of 996	2008	85e820a74f8c40882f50def7ac61bf97ce3cf12272cf8965208db7fe0c33d566.exe	cmd.exe
PID 2008 wrote to memory of 996	2008	85e820a74f8c40882f50def7ac61bf97ce3cf12272cf8965208db7fe0c33d566.exe	cmd.exe
PID 2008 wrote to memory of 996	2008	85e820a74f8c40882f50def7ac61bf97ce3cf12272cf8965208db7fe0c33d566.exe	cmd.exe
PID 900 wrote to memory of 764	900	SoftwareProtection.exe	~A5B2.tmp
PID 900 wrote to memory of 764	900	SoftwareProtection.exe	~A5B2.tmp
PID 900 wrote to memory of 764	900	SoftwareProtection.exe	~A5B2.tmp
PID 900 wrote to memory of 764	900	SoftwareProtection.exe	~A5B2.tmp
PID 764 wrote to memory of 1216	764	~A5B2.tmp	Explorer.EXE
PID 996 wrote to memory of 396	996	cmd.exe	attrib.exe
PID 996 wrote to memory of 396	996	cmd.exe	attrib.exe
PID 996 wrote to memory of 396	996	cmd.exe	attrib.exe
PID 996 wrote to memory of 396	996	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

396 attrib.exe

pid	process
396	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Users\Admin\AppData\Local\Temp\85e820a74f8c40882f50def7ac61bf97ce3cf12272cf8965208db7fe0c33d566.exe
"C:\Users\Admin\AppData\Local\Temp\85e820a74f8c40882f50def7ac61bf97ce3cf12272cf8965208db7fe0c33d566.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Roaming\SoftwareProtection.exe
"C:\Users\Admin\AppData\Roaming"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Local\Temp\~A5B2.tmp
1216 137634 900
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\cmd.exe
/C 7119994.cmd
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\attrib.exe
attrib -r -s -h "85e820a74f8c40882f50def7ac61bf97ce3cf12272cf8965208db7fe0c33d566.exe"
4⤵
- Views/modifies file attributes
PID:396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7119994.cmd

Filesize
285B

MD5
a26d09aa744fcdc07492d35414b079a6

SHA1
5a9bd58765a92d67361e15f37d4eaa12e7cb8824

SHA256
7322705d5b889926efa89093ed9e46087f15ca912bb9c625fc419f18b135aa20

SHA512
41fc67247124ef91252aa34b32bd9af5616fe66747e7fa6153a4db1d8712c950084e75db970fb9789a23baf2e46929378f47eebd272a7568a3e42b4c6b8741b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~A5B2.tmp

Filesize
7KB

MD5
3be01b4aaf3e553a1b58076f79550d5f

SHA1
4460dee325cc58a097f5d01a79764979dd07deff

SHA256
076eca550cbbb0851012dc0d3cd76c418436d4e57369b0724cef61c1ec83c4b3

SHA512
e392028e6a5a4553175f1941d6c6ff3962e0ee95331c8408efed0a5612e222c30e86d9dc7eff01dd8db10eb3c6abcd31ead8ff6982e33c91b72a6278e93a7e55

Download Submit
C:\Users\Admin\AppData\Roaming\SoftwareProtection.exe

Filesize
309KB

MD5
357dce7de8eaf0697a38d7c08d4283ea

SHA1
71e813b63cb582dee2e4729d99ca032d43367d4d

SHA256
85e820a74f8c40882f50def7ac61bf97ce3cf12272cf8965208db7fe0c33d566

SHA512
f3b2e191daa046e544ca07462448512ae581e6cd6e82d3cab87dcf1dfea21673fdf1817753a7b1b9e26c99f28bc80e45f73fa53fb33221fc8faf73886d98fdd2

Download Submit
\Users\Admin\AppData\Local\Temp\~A5B2.tmp

Filesize
7KB

MD5
3be01b4aaf3e553a1b58076f79550d5f

SHA1
4460dee325cc58a097f5d01a79764979dd07deff

SHA256
076eca550cbbb0851012dc0d3cd76c418436d4e57369b0724cef61c1ec83c4b3

SHA512
e392028e6a5a4553175f1941d6c6ff3962e0ee95331c8408efed0a5612e222c30e86d9dc7eff01dd8db10eb3c6abcd31ead8ff6982e33c91b72a6278e93a7e55

Download Submit
\Users\Admin\AppData\Roaming\SoftwareProtection.exe

Filesize
309KB

MD5
357dce7de8eaf0697a38d7c08d4283ea

SHA1
71e813b63cb582dee2e4729d99ca032d43367d4d

SHA256
85e820a74f8c40882f50def7ac61bf97ce3cf12272cf8965208db7fe0c33d566

SHA512
f3b2e191daa046e544ca07462448512ae581e6cd6e82d3cab87dcf1dfea21673fdf1817753a7b1b9e26c99f28bc80e45f73fa53fb33221fc8faf73886d98fdd2

Download Submit
memory/396-74-0x0000000000000000-mapping.dmp

Download
memory/764-68-0x0000000000000000-mapping.dmp

Download
memory/900-72-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/900-60-0x0000000000000000-mapping.dmp

Download
memory/996-64-0x0000000000000000-mapping.dmp

Download
memory/1216-70-0x0000000002980000-0x00000000029EE000-memory.dmp

Filesize
440KB

Download
memory/1216-75-0x0000000002980000-0x00000000029EE000-memory.dmp

Filesize
440KB

Download
memory/2008-54-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2008-66-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2008-58-0x00000000002F0000-0x0000000000352000-memory.dmp

Filesize
392KB

Download
memory/2008-57-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2008-56-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads