Analysis
  max time kernel: 248s
  max time network: 181s
  platform: windows7_x64
  resource: win7-20221111-en
  resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  submitted: 23-11-2022 13:38
Static task: static1
Behavioral task: behavioral1
  Sample: 932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exe
  Resource: win10v2004-20221111-en
General
  Target: 932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exe
  Size: 127KB
  MD5: c958a27bf3b24e41e54b0372ca181937
  SHA1: 31e19ae91ae99dffc29aaa406f7ec92bcacb0c3a
  SHA256: 932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101
  SHA512: 9878f0e6648ad0b779c486c16476390ce6efc380d8447f1d31c762407d53b5e387683957700e0a74d1685764af0e95e5e2c8f22b8e801fb6e3611731280d4fe4
  SSDEEP: 3072:Z88w/5QSenAE8yaMPmC84j29tt9dAnw5KdE:ZknUM9MeCNj29tt9bW
Signatures
Executes dropped EXE (1 IoC)
  pid 620  sysmdgr.exe
Sets file execution options in registry (2 TTPs, 64 IoCs)
  Process: sysmdgr.exe
  All 64 entries are written under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image>, and every Debugger value is set to the same string, "C:\\Users\\Admin\\Documents\\Google.com". They break down as 32 "Key created" events and 32 "Set value (str) <image>\Debugger" events:
  Key created and Debugger set (31 images): avcenter.exe, avgcsrvx.exe, avgnt.exe, avgrsx.exe, avguard.exe, avgui.exe, avgwdsvc.exe, avp.exe, avscan.exe, AvastSvc.exe, AvastUI.exe, bdagent.exe, ccuac.exe, ComboFix.exe, egui.exe, hijackthis.exe, instup.exe, keyscrambler.exe, mbam.exe, mbamgui.exe, mbampt.exe, mbamscheduler.exe, mbamservice.exe, MpCmdRun.exe, MSASCui.exe, MsMpEng.exe, msseces.exe, rstrui.exe, spybotsd.exe, wireshark.exe, zlclient.exe
  Key created only (1 image): avconfig.exe
  Debugger set only (1 image): avgidsagent.exe
  Note: when an Image File Execution Options\<image>\Debugger value exists, Windows launches the configured "debugger" path in place of that image every time the image is started, so these entries stop the listed anti-malware and analysis tools (Malwarebytes, AVG, Avast, Avira, Kaspersky, ESET, Bitdefender, Microsoft Security Essentials/Defender, ZoneAlarm, Comodo, Spybot, ComboFix, HijackThis, KeyScrambler, Wireshark and System Restore's rstrui.exe) from running normally. Unexpected Debugger values under this key are a high-signal defense-evasion indicator worth alerting on.
Sets service image path in registry (2 TTPs, 1 IoC)
  Process: sysmdgr.exe
  Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\svchost\ImagePath = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"
  Note: the genuine svchost.exe lives in %SystemRoot%\System32; a service ImagePath that points to a same-named binary in the user profile is a masquerading persistence entry.
Loads dropped DLL (2 IoCs)
  pid 868  932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exe  (2 events)
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: sysmdgr.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\WindowsUpdate = "C:\\Program Files (x86)\\Windows Services\\sysmdgr.exe -rundll32 /SYSTEM32 \"C:\\Windows\\System32\\taskmgr.exe\" \"C:\\Program Files\\Microsoft\\Windows\""
Drops file in System32 directory (2 IoCs)
  Process: sysmdgr.exe
  File created: C:\Windows\SysWOW64\Microsoft.com
  File opened for modification: C:\Windows\SysWOW64\Microsoft.com
Drops file in Program Files directory (3 IoCs)
  Process: 932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exe
  File created: C:\Program Files (x86)\Windows Services\sysmdgr.exe
  File opened for modification: C:\Program Files (x86)\Windows Services\sysmdgr.exe
  File opened for modification: C:\Program Files (x86)\Windows Services\
Drops file in Windows directory (2 IoCs)
  Process: sysmdgr.exe
  File opened for modification: C:\Windows\root.exe
  File created: C:\Windows\root.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid 620  sysmdgr.exe  (25 events)
Suspicious behavior: RenamesItself (1 IoC)
  pid 868  932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exe
Suspicious use of AdjustPrivilegeToken (21 IoCs)
  Process: sysmdgr.exe (pid 620)
  Tokens enabled, in the order observed: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Suspicious use of WriteProcessMemory (30 IoCs)
  Source pid / process  ->  target pid / process
  868 932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exe  ->  620 sysmdgr.exe  (4 events)
  620 sysmdgr.exe  ->  800 svchost.exe
  620 sysmdgr.exe  ->  260 smss.exe
  620 sysmdgr.exe  ->  876 svchost.exe
  620 sysmdgr.exe  ->  2028 wmiprvse.exe
  620 sysmdgr.exe  ->  840 svchost.exe
  620 sysmdgr.exe  ->  600 spoolsv.exe
  620 sysmdgr.exe  ->  332 csrss.exe
  620 sysmdgr.exe  ->  1132 taskhost.exe
  620 sysmdgr.exe  ->  240 svchost.exe
  620 sysmdgr.exe  ->  416 winlogon.exe
  620 sysmdgr.exe  ->  584 svchost.exe
  620 sysmdgr.exe  ->  1916 wmiprvse.exe
  620 sysmdgr.exe  ->  484 lsm.exe
  620 sysmdgr.exe  ->  660 svchost.exe
  620 sysmdgr.exe  ->  1192 Dwm.exe
  620 sysmdgr.exe  ->  744 svchost.exe
  620 sysmdgr.exe  ->  476 lsass.exe
  620 sysmdgr.exe  ->  380 csrss.exe
  620 sysmdgr.exe  ->  1800 sppsvc.exe
  620 sysmdgr.exe  ->  1976 WMIADAP.EXE
  620 sysmdgr.exe  ->  1084 svchost.exe
  620 sysmdgr.exe  ->  460 services.exe
  620 sysmdgr.exe  ->  1260 Explorer.EXE
  620 sysmdgr.exe  ->  368 wininit.exe
  620 sysmdgr.exe  ->  1044 svchost.exe
  620 sysmdgr.exe  ->  868 932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exe
Processes (indentation shows parent/child; each line is image path | command line | PID)
  C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID 476
  C:\Windows\system32\services.exe | C:\Windows\system32\services.exe | PID 460
    C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | PID 1800
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation | PID 1084
    C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID 1132
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork | PID 1044
    C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID 600
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService | PID 240
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs | PID 876
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService | PID 840
    C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted | PID 800
    C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | PID 744
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS | PID 660
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch | PID 584
      C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | PID 1916
  C:\Windows\system32\winlogon.exe | winlogon.exe | PID 416
  C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID 380
  C:\Windows\system32\wininit.exe | wininit.exe | PID 368
    C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe | PID 484
  C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID 332
  C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe | PID 260
  C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe | PID 2028
  \\?\C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R | PID 1976
  C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 1260
    C:\Users\Admin\AppData\Local\Temp\932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exe | "C:\Users\Admin\AppData\Local\Temp\932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exe" | PID 868
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Windows Services\sysmdgr.exe | "C:\Program Files (x86)\Windows Services\sysmdgr.exe" | PID 620
        - Executes dropped EXE
        - Sets file execution options in registry
        - Sets service image path in registry
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
  C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID 1192
MITRE ATT&CK Enterprise v6
Downloads
  Four download entries, each with the same size and hashes as the submitted sample:
  Filesize: 127KB
  MD5: c958a27bf3b24e41e54b0372ca181937
  SHA1: 31e19ae91ae99dffc29aaa406f7ec92bcacb0c3a
  SHA256: 932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101
  SHA512: 9878f0e6648ad0b779c486c16476390ce6efc380d8447f1d31c762407d53b5e387683957700e0a74d1685764af0e95e5e2c8f22b8e801fb6e3611731280d4fe4