34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5

General

Target

34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe
Size

87KB
MD5

137d3c3ba473d353780e70812e70e866
SHA1

998431781c4159d4f09aa0cf1df3a095f61cffa8
SHA256

34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5
SHA512

066e968bfc9a94f5952200969bac720f8289c81d352e84397cee51149b2674a7bcbad87158d998451a2e31b72bf96820b05551d05cab6fa53d382e36d300f7fe
SSDEEP

1536:D/4vBHlDwtTczP20u39yd8pNuIm0LRv5yc6LAjKbUz+3Jkp6n5:DgvBH5KQhu3OImi5yLX/

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 2 IoCs

Processes:

34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe	34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe	34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\collector1"	34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe

NTFS ADS 1 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe:Zone.Identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe

description	pid	process
Token: SeDebugPrivilege	4112	34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe
Token: 33	4112	34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe
Token: SeIncBasePriorityPrivilege	4112	34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe

pid process

4112 34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe

pid	process
4112	34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.execsc.exe

description	pid	process	target process
PID 4112 wrote to memory of 4568	4112	34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe	csc.exe
PID 4112 wrote to memory of 4568	4112	34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe	csc.exe
PID 4112 wrote to memory of 4568	4112	34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe	csc.exe
PID 4568 wrote to memory of 2260	4568	csc.exe	cvtres.exe
PID 4568 wrote to memory of 2260	4568	csc.exe	cvtres.exe
PID 4568 wrote to memory of 2260	4568	csc.exe	cvtres.exe
PID 4112 wrote to memory of 4256	4112	34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe	cmd.exe
PID 4112 wrote to memory of 4256	4112	34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe	cmd.exe
PID 4112 wrote to memory of 4256	4112	34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe
"C:\Users\Admin\AppData\Local\Temp\34d0e62117f9242410bd4e46f6b3bb112815eb723cea74138f3b36806d5c03f5.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nzp3n_85.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD680.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD67F.tmp"
3⤵
PID:2260

C:\Windows\SysWOW64\cmd.exe
"cmd"
2⤵
- NTFS ADS
PID:4256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD680.tmp

Filesize
1KB

MD5
9692f752956609ea22deaafc865f7a9f

SHA1
5d0222ee63befa1bceefd1794d0bce90aace0da4

SHA256
7b0237a798f3a263477b261eeef2fc0417b462c031cfba3ece9eefb370999443

SHA512
5be2cf7d7622a57630100c12a930b675c1849dfb87d081c5abfe42331af589a789a0089a052d2d6c5bc4b82ea416547ecb6d4063bd06a57cd9a15c11ed9c2173

Download Submit
C:\Users\Admin\AppData\Local\Temp\nzp3n_85.dll

Filesize
4KB

MD5
54ebf6ce3c6c41d8ade1f0d970a69c0f

SHA1
77f0f16ddb5d2344bd81ca6ea7ccfd0026d6fbd6

SHA256
5513eb50c3e0f19f31604da70e5dd777dc4a868ad5e2dc5fe72df3229b795492

SHA512
59c7ec721d6023ea0f9ec926837ec37597b1cce2e18af3b559746aa520d60a3ff460123a0a4dcbdfc1ec69d1dc3e8bd56a50a5066b73a8a13539b0c15c7bf736

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCD67F.tmp

Filesize
652B

MD5
dde34e0c7a627a985d806fb9265128bd

SHA1
060434fbb8d43f01e4c6558f0d4c670a58022268

SHA256
4eca7ace263e5bd3689d36ca337d3efb97ad004d932bc331195dc72717bc0865

SHA512
3ad89830095be137e736fcaf5f722b4dfb1e68ef5850f622514787cc229b13ce64404e3374c7f54acdd18ce2e8eab7b3c18307e663ec516056841bffbeaada0a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nzp3n_85.0.cs

Filesize
658B

MD5
0015048d5687060c80cf9898ec0f2e43

SHA1
43ba7edc4b5eb3f18f37a8772c9eb6289827d183

SHA256
05062e993ff31afbfab5b531a4f431c32cd8ea0ab7373878e6a838349eab8b62

SHA512
ef1054487760b0e312016fdf2784480d55f6592b94051bf47f8d713d6304b1516f5abc845e8781022727286a798bc54c0b8fd9ef422026b0140494d4d215ef54

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nzp3n_85.cmdline

Filesize
187B

MD5
0a732a40fb0665d94cbffdfbf42b1a61

SHA1
a3fb74f5d8514a77afae09b6ed1f81a6b7291ea3

SHA256
2dd0f0cad1c55a950cf4d907ead321c678295dc10071b53a8f538d29649f4841

SHA512
47be918fda6c1c4f72b77f00756cedbbf2183b947d8bb809ab83bbb4fb68df8c14202be605f03aa4afd2e2b858f268a8ce5c71f646754fdb1897126e9bea2abb

Download Submit
memory/2260-136-0x0000000000000000-mapping.dmp

Download
memory/4112-132-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/4112-141-0x0000000074C70000-0x0000000075221000-memory.dmp

Filesize
5.7MB

Download
memory/4256-140-0x0000000000000000-mapping.dmp

Download
memory/4568-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads