34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5

General

Target

34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe
Size

87KB
MD5

137d3c3ba473d353780e70812e70e866
SHA1

998431781c4159d4f09aa0cf1df3a095f61cffa8
SHA256

34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5
SHA512

066e968bfc9a94f5952200969bac720f8289c81d352e84397cee51149b2674a7bcbad87158d998451a2e31b72bf96820b05551d05cab6fa53d382e36d300f7fe
SSDEEP

1536:D/4vBHlDwtTczP20u39yd8pNuIm0LRv5yc6LAjKbUz+3Jkp6n5:DgvBH5KQhu3OImi5yLX/

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 2 IoCs

Processes:

34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe	34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe	34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\collector1"	34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe

NTFS ADS 1 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe:Zone.Identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe

description	pid	process
Token: SeDebugPrivilege	584	34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe
Token: 33	584	34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe
Token: SeIncBasePriorityPrivilege	584	34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe

pid process

584 34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe

pid	process
584	34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.execsc.exe

description	pid	process	target process
PID 584 wrote to memory of 1724	584	34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe	csc.exe
PID 584 wrote to memory of 1724	584	34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe	csc.exe
PID 584 wrote to memory of 1724	584	34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe	csc.exe
PID 584 wrote to memory of 1724	584	34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe	csc.exe
PID 1724 wrote to memory of 2028	1724	csc.exe	cvtres.exe
PID 1724 wrote to memory of 2028	1724	csc.exe	cvtres.exe
PID 1724 wrote to memory of 2028	1724	csc.exe	cvtres.exe
PID 1724 wrote to memory of 2028	1724	csc.exe	cvtres.exe
PID 584 wrote to memory of 1452	584	34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe	cmd.exe
PID 584 wrote to memory of 1452	584	34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe	cmd.exe
PID 584 wrote to memory of 1452	584	34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe	cmd.exe
PID 584 wrote to memory of 1452	584	34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe
"C:\Users\Admin\AppData\Local\Temp\34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\byxacy7v.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE2F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFE1E.tmp"
3⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
"cmd"
2⤵
- NTFS ADS
PID:1452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFE2F.tmp
Filesize
1KB

MD5
e262347d161b3ab29eaacc481ffbe94b

SHA1
c2540db71b1035e6e8c449a3b6527366b2294b17

SHA256
6c96a123a91fc37eeadc031ef578f75c3f67a221fc03b5d6c76ebc0f9208ca5e

SHA512
580c7c5e6708cdded92b6917b5b110cb8a9181a0cda8d3b5473e7b5415db61d7ed303d21209e81ad7160dd97373a4b28424768aba5ce1c30480efe3aaa338eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\byxacy7v.dll
Filesize
4KB

MD5
4320d794a68801a8b69c49543588ed7d

SHA1
70bc67e58468dad4845d6e6582c630036c3dfb32

SHA256
3d4c74badad4e46cb6f7ed93fe546e68d24243736e1928f571173950423a3a59

SHA512
123254a9f57fbecfd1a037f88265e9333811455e38a1b0ba9fe1534fb6cef7ae5f444ad4e2504e317971ba7be3748ab7f686b249bf8da1cb66bfd99010bc2327

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCFE1E.tmp
Filesize
652B

MD5
3ad65f26e248db1bee009d25dca4f51a

SHA1
80b8b134e7dd245e2aeb35f869b60cefce7cd249

SHA256
d13429484954cae88ad38c251ae846936579e8679969ab2ec60ff29f86fb60a7

SHA512
257dd755eaaf69d0c253bb9d660e035f5762e5559ab14d917da0b84a7871f1bc6359b15c310934493cd4acc92e18826c02f63c31ce58333e384840811dc9e3a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\byxacy7v.0.cs
Filesize
658B

MD5
0015048d5687060c80cf9898ec0f2e43

SHA1
43ba7edc4b5eb3f18f37a8772c9eb6289827d183

SHA256
05062e993ff31afbfab5b531a4f431c32cd8ea0ab7373878e6a838349eab8b62

SHA512
ef1054487760b0e312016fdf2784480d55f6592b94051bf47f8d713d6304b1516f5abc845e8781022727286a798bc54c0b8fd9ef422026b0140494d4d215ef54

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\byxacy7v.cmdline
Filesize
187B

MD5
01e84a73849e679ce336a7436402ed46

SHA1
98e1a6d403e0c283d4a8592aa8b88dcab7311b1c

SHA256
50b53da303d886d847fe2fab3916579b801fed30d264df8a8a625d6de0e76153

SHA512
14bc873659f9668ac6cf0b6185f3bbdaacea945dd0d35f878de043b2e87f1ad4b53b58c968d6d97a2cb4d79ca16fb7d34f7fde24c53961b5a6b299b42d61f0b8

Download Submit
memory/584-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/584-55-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/584-64-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/1452-63-0x0000000000000000-mapping.dmp

Download
memory/1724-56-0x0000000000000000-mapping.dmp

Download
memory/2028-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads