932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101

General

Target

932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exe
Size

127KB
MD5

c958a27bf3b24e41e54b0372ca181937
SHA1

31e19ae91ae99dffc29aaa406f7ec92bcacb0c3a
SHA256

932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101
SHA512

9878f0e6648ad0b779c486c16476390ce6efc380d8447f1d31c762407d53b5e387683957700e0a74d1685764af0e95e5e2c8f22b8e801fb6e3611731280d4fe4
SSDEEP

3072:Z88w/5QSenAE8yaMPmC84j29tt9dAnw5KdE:ZknUM9MeCNj29tt9bW

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

sysmdgr.exe

pid process

308 sysmdgr.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sysmdgr.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe	sysmdgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe	sysmdgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe\Debugger = "C:\\Users\\Admin\\Documents\\Google.com"	sysmdgr.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sysmdgr.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchost\ImagePath = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	sysmdgr.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exe

Loads dropped DLL 2 IoCs

Processes:

932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exe

pid	process
1360	932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exe
1360	932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sysmdgr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\WindowsUpdate = "C:\\Program Files (x86)\\Windows Services\\sysmdgr.exe -rundll32 /SYSTEM32 \"C:\\Windows\\System32\\taskmgr.exe\" \"C:\\Program Files\\Microsoft\\Windows\""	sysmdgr.exe

Drops file in System32 directory 2 IoCs

Processes:

sysmdgr.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Microsoft.com	sysmdgr.exe
File created	C:\Windows\SysWOW64\Microsoft.com	sysmdgr.exe

Drops file in Program Files directory 3 IoCs

Processes:

932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows Services\	932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exe
File created	C:\Program Files (x86)\Windows Services\sysmdgr.exe	932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exe
File opened for modification	C:\Program Files (x86)\Windows Services\sysmdgr.exe	932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exe

Drops file in Windows directory 2 IoCs

Processes:

sysmdgr.exe

description ioc process

File created C:\Windows\root.exe sysmdgr.exe
File opened for modification C:\Windows\root.exe sysmdgr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\root.exe	sysmdgr.exe
File opened for modification	C:\Windows\root.exe	sysmdgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sysmdgr.exe

pid	process
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe
308	sysmdgr.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exe

pid process

1360 932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

sysmdgr.exe

description	pid	process
Token: SeDebugPrivilege	308	sysmdgr.exe
Token: SeIncreaseQuotaPrivilege	308	sysmdgr.exe
Token: SeSecurityPrivilege	308	sysmdgr.exe
Token: SeTakeOwnershipPrivilege	308	sysmdgr.exe
Token: SeLoadDriverPrivilege	308	sysmdgr.exe
Token: SeSystemProfilePrivilege	308	sysmdgr.exe
Token: SeSystemtimePrivilege	308	sysmdgr.exe
Token: SeProfSingleProcessPrivilege	308	sysmdgr.exe
Token: SeIncBasePriorityPrivilege	308	sysmdgr.exe
Token: SeCreatePagefilePrivilege	308	sysmdgr.exe
Token: SeBackupPrivilege	308	sysmdgr.exe
Token: SeRestorePrivilege	308	sysmdgr.exe
Token: SeShutdownPrivilege	308	sysmdgr.exe
Token: SeDebugPrivilege	308	sysmdgr.exe
Token: SeSystemEnvironmentPrivilege	308	sysmdgr.exe
Token: SeRemoteShutdownPrivilege	308	sysmdgr.exe
Token: SeUndockPrivilege	308	sysmdgr.exe
Token: SeManageVolumePrivilege	308	sysmdgr.exe
Token: 33	308	sysmdgr.exe
Token: 34	308	sysmdgr.exe
Token: 35	308	sysmdgr.exe
Token: 36	308	sysmdgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exesysmdgr.exe

description	pid	process	target process
PID 1360 wrote to memory of 308	1360	932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exe	sysmdgr.exe
PID 1360 wrote to memory of 308	1360	932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exe	sysmdgr.exe
PID 1360 wrote to memory of 308	1360	932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exe	sysmdgr.exe
PID 308 wrote to memory of 1180	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 4580	308	sysmdgr.exe	backgroundTaskHost.exe
PID 308 wrote to memory of 2360	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 2160	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 1956	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 1360	308	sysmdgr.exe	932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exe
PID 308 wrote to memory of 2080	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 1124	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 2736	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 4296	308	sysmdgr.exe	DllHost.exe
PID 308 wrote to memory of 3324	308	sysmdgr.exe	StartMenuExperienceHost.exe
PID 308 wrote to memory of 2456	308	sysmdgr.exe	taskhostw.exe
PID 308 wrote to memory of 956	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 2728	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 556	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 2328	308	sysmdgr.exe	sihost.exe
PID 308 wrote to memory of 1736	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 748	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 4488	308	sysmdgr.exe	RuntimeBroker.exe
PID 308 wrote to memory of 1532	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 1292	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 1332	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 1920	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 2432	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 2704	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 1912	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 1424	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 332	308	sysmdgr.exe	dwm.exe
PID 308 wrote to memory of 4664	308	sysmdgr.exe	backgroundTaskHost.exe
PID 308 wrote to memory of 3480	308	sysmdgr.exe	SearchApp.exe
PID 308 wrote to memory of 4264	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 4852	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 900	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 3656	308	sysmdgr.exe	RuntimeBroker.exe
PID 308 wrote to memory of 2472	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 2668	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 4304	308	sysmdgr.exe	wmiprvse.exe
PID 308 wrote to memory of 2464	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 1280	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 2652	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 676	308	sysmdgr.exe	lsass.exe
PID 308 wrote to memory of 872	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 1068	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 3232	308	sysmdgr.exe	DllHost.exe
PID 308 wrote to memory of 1652	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 1060	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 4796	308	sysmdgr.exe	SppExtComObj.exe
PID 308 wrote to memory of 3020	308	sysmdgr.exe	Explorer.EXE
PID 308 wrote to memory of 1580	308	sysmdgr.exe	spoolsv.exe
PID 308 wrote to memory of 2644	308	sysmdgr.exe	OfficeClickToRun.exe
PID 308 wrote to memory of 1824	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 2720	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 636	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 3392	308	sysmdgr.exe	RuntimeBroker.exe
PID 308 wrote to memory of 1416	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 1612	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 792	308	sysmdgr.exe	fontdrvhost.exe
PID 308 wrote to memory of 1408	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 1800	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 1996	308	sysmdgr.exe	svchost.exe
PID 308 wrote to memory of 2192	308	sysmdgr.exe	svchost.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:784

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3392

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:4016

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
2⤵
PID:4580

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
2⤵
PID:4664

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
2⤵
PID:4796

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:4488

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:4296

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3656

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
2⤵
PID:3480

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
2⤵
PID:3324

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:3232

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
2⤵
PID:4304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1124

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2160

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:4940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4264

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:1332

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exe
"C:\Users\Admin\AppData\Local\Temp\932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101.exe"
2⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1360

C:\Program Files (x86)\Windows Services\sysmdgr.exe
"C:\Program Files (x86)\Windows Services\sysmdgr.exe"
3⤵
- Executes dropped EXE
- Sets file execution options in registry
- Sets service image path in registry
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2652

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2360

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2328

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2192

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2080

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1292

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:748

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:900

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:800

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Services\sysmdgr.exe
Filesize
127KB

MD5
c958a27bf3b24e41e54b0372ca181937

SHA1
31e19ae91ae99dffc29aaa406f7ec92bcacb0c3a

SHA256
932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101

SHA512
9878f0e6648ad0b779c486c16476390ce6efc380d8447f1d31c762407d53b5e387683957700e0a74d1685764af0e95e5e2c8f22b8e801fb6e3611731280d4fe4

Download Submit
C:\Program Files (x86)\Windows Services\sysmdgr.exe
Filesize
127KB

MD5
c958a27bf3b24e41e54b0372ca181937

SHA1
31e19ae91ae99dffc29aaa406f7ec92bcacb0c3a

SHA256
932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101

SHA512
9878f0e6648ad0b779c486c16476390ce6efc380d8447f1d31c762407d53b5e387683957700e0a74d1685764af0e95e5e2c8f22b8e801fb6e3611731280d4fe4

Download Submit
C:\Program Files (x86)\Windows Services\sysmdgr.exe
Filesize
127KB

MD5
c958a27bf3b24e41e54b0372ca181937

SHA1
31e19ae91ae99dffc29aaa406f7ec92bcacb0c3a

SHA256
932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101

SHA512
9878f0e6648ad0b779c486c16476390ce6efc380d8447f1d31c762407d53b5e387683957700e0a74d1685764af0e95e5e2c8f22b8e801fb6e3611731280d4fe4

Download Submit
C:\Program Files (x86)\Windows Services\sysmdgr.exe
Filesize
127KB

MD5
c958a27bf3b24e41e54b0372ca181937

SHA1
31e19ae91ae99dffc29aaa406f7ec92bcacb0c3a

SHA256
932bac29e35c878b8d08b3b7f1ba54a9ff2168ca19a0bdc206dc6253d20d0101

SHA512
9878f0e6648ad0b779c486c16476390ce6efc380d8447f1d31c762407d53b5e387683957700e0a74d1685764af0e95e5e2c8f22b8e801fb6e3611731280d4fe4

Download Submit
memory/308-134-0x0000000000000000-mapping.dmp

Download
memory/308-137-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/308-140-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/1360-132-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/1360-133-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/1360-141-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads