c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387

General

Target

c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe
Size

108KB
MD5

1d380684c8c460ed76bc5e8f0bdb4d06
SHA1

e5952a55b5572cae241e7d2d4322b8f88be9ab76
SHA256

c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387
SHA512

cc6b974175c9dfab9a66acb2b2573468ec7a0d3aed75177af9d339ae352a46149e93278f57b11ed0b80d0962a0580691fdb6340ed2cdb5c28ec96a94c50ee08c
SSDEEP

3072:fNrjKaa7+reA3EdtIMqE1kWEYOIfjm64ZZQ7tF:fNr+ACbYM3TbTfAZZa

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AppMgmt\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmentsa.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmentsa.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MSiSCSI\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmentsa.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmentsa.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\RasMan\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmentsa.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SessionEnv\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmentsa.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmentsa.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Wecsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmentsa.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\KtmRm\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmentsa.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\RasAuto\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmentsa.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AppMgmt\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmentsa.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Appinfo\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmentsa.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmentsa.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\IKEEXT\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmentsa.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\seclogon\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmentsa.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TapiSrv\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmentsa.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmentsa.dll"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exesvchost.exe

pid process

1984 c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe
1152 svchost.exe
Drops file in System32 directory 1 IoCs

Processes:

c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe

description ioc process

File created C:\Windows\SysWOW64\wbem\cimmentsa.dll c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe

pid	process
1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe
1152	svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\wbem\cimmentsa.dll	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe

Drops file in Windows directory 13 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_87A5D2A17D34E46FC933087294B7150D	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_439AF75B6A1F720FBC0E63A7A6E54997	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_87A5D2A17D34E46FC933087294B7150D	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_439AF75B6A1F720FBC0E63A7A6E54997	svchost.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-4e-df-e7-c6-cd\WpadDecisionTime = 30d0b88267ffd801	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CacheLimit = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{149BDFE0-9D36-42C5-8EC9-950921B45025}\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{149BDFE0-9D36-42C5-8EC9-950921B45025}	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{149BDFE0-9D36-42C5-8EC9-950921B45025}\WpadNetworkName = "Network 2"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2d\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f003a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-4e-df-e7-c6-cd	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-4e-df-e7-c6-cd\WpadDecisionReason = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-4e-df-e7-c6-cd\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{149BDFE0-9D36-42C5-8EC9-950921B45025}\WpadDecisionReason = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CacheLimit = "256000"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CacheLimit = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\My	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{149BDFE0-9D36-42C5-8EC9-950921B45025}\WpadDecisionTime = 30d0b88267ffd801	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

472

pid	process
472

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe

description	pid	process	target process
PID 1984 wrote to memory of 1336	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1336	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1336	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1336	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1248	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1248	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1248	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1248	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1496	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1496	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1496	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1496	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1628	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1628	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1628	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1628	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1492	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1492	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1492	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1492	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1240	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1240	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1240	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1240	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 792	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 792	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 792	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 792	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 616	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 616	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 616	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 616	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1400	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1400	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1400	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1400	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1108	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1108	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1108	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1108	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1664	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1664	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1664	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1664	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1780	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1780	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1780	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1780	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1788	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1788	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1788	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1788	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1136	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1136	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1136	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 1136	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 964	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 964	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 964	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 964	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 944	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 944	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 944	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1984 wrote to memory of 944	1984	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe
"C:\Users\Admin\AppData\Local\Temp\c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\AppMgmt\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmentsa.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1336

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\AppMgmtParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%SystemRoot%\System32\appmgmts.dll" /f
2⤵
PID:1248

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\Appinfo\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmentsa.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1496

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\AppinfoParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%SystemRoot%\System32\appinfo.dll" /f
2⤵
PID:1628

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\AppMgmt\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmentsa.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1492

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\AppMgmtParameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmentsa.dll" /f
2⤵
PID:1240

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\IKEEXT\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmentsa.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:792

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\IKEEXTParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%SystemRoot%\System32\ikeext.dll" /f
2⤵
PID:616

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmentsa.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1400

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\iphlpsvcParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%SystemRoot%\System32\iphlpsvc.dll" /f
2⤵
PID:1108

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\KtmRm\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmentsa.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1664

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\KtmRmParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%systemroot%\system32\msdtckrm.dll" /f
2⤵
PID:1780

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\MSiSCSI\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmentsa.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1788

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\MSiSCSIParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%systemroot%\system32\iscsiexe.dll" /f
2⤵
PID:1136

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\PolicyAgent\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmentsa.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:964

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\PolicyAgentParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%SystemRoot%\System32\ipsecsvc.dll" /f
2⤵
PID:944

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\RasAuto\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmentsa.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1980

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\RasAutoParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%SystemRoot%\System32\rasauto.dll" /f
2⤵
PID:1728

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\RasMan\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmentsa.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1076

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\RasManParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%SystemRoot%\System32\rasmans.dll" /f
2⤵
PID:112

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\RemoteAccess\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmentsa.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:676

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\RemoteAccessParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%SystemRoot%\System32\mprdim.dll" /f
2⤵
PID:1860

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\seclogon\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmentsa.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1164

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\seclogonParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%windir%\system32\seclogon.dll" /f
2⤵
PID:812

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\SessionEnv\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmentsa.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:296

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\SessionEnvParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%SystemRoot%\system32\sessenv.dll" /f
2⤵
PID:1792

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmentsa.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1616

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\SharedAccessParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%SystemRoot%\System32\ipnathlp.dll" /f
2⤵
PID:624

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\TapiSrv\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmentsa.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1608

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\TapiSrvParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%SystemRoot%\System32\tapisrv.dll" /f
2⤵
PID:1900

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\TermService\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmentsa.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1192

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\TermServiceParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%SystemRoot%\System32\termsrv.dll" /f
2⤵
PID:1092

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\Wecsvc\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmentsa.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1600

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
PID:1888

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k NetworkServiceAndNoImpersonation
1⤵
PID:928

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
PID:1876

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k NetworkService
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\wbem\cimmentsa.dll

Filesize
37.8MB

MD5
2505322bdc1b43ea2299636bde55acd6

SHA1
2462967be8b632bf45a989462b15488a1d47f1fe

SHA256
2c4b6a33607dca01e4f49c90a3e7c4853bd6a2504b71f7e421aabcd0ebb0e5ba

SHA512
00b1ed960178b2ed6963f0050603526285232a95581f8730837ff880802a7fb51d9017ce20b21a8ea1cef65de952772161fa3002867b14617550ec325b7425af

Download Submit
\Windows\SysWOW64\wbem\cimmentsa.dll

Filesize
37.8MB

MD5
2505322bdc1b43ea2299636bde55acd6

SHA1
2462967be8b632bf45a989462b15488a1d47f1fe

SHA256
2c4b6a33607dca01e4f49c90a3e7c4853bd6a2504b71f7e421aabcd0ebb0e5ba

SHA512
00b1ed960178b2ed6963f0050603526285232a95581f8730837ff880802a7fb51d9017ce20b21a8ea1cef65de952772161fa3002867b14617550ec325b7425af

Download Submit
\Windows\SysWOW64\wbem\cimmentsa.dll

Filesize
37.8MB

MD5
2505322bdc1b43ea2299636bde55acd6

SHA1
2462967be8b632bf45a989462b15488a1d47f1fe

SHA256
2c4b6a33607dca01e4f49c90a3e7c4853bd6a2504b71f7e421aabcd0ebb0e5ba

SHA512
00b1ed960178b2ed6963f0050603526285232a95581f8730837ff880802a7fb51d9017ce20b21a8ea1cef65de952772161fa3002867b14617550ec325b7425af

Download Submit
memory/112-74-0x0000000000000000-mapping.dmp

Download
memory/296-79-0x0000000000000000-mapping.dmp

Download
memory/616-62-0x0000000000000000-mapping.dmp

Download
memory/624-82-0x0000000000000000-mapping.dmp

Download
memory/676-75-0x0000000000000000-mapping.dmp

Download
memory/792-61-0x0000000000000000-mapping.dmp

Download
memory/812-78-0x0000000000000000-mapping.dmp

Download
memory/944-70-0x0000000000000000-mapping.dmp

Download
memory/964-69-0x0000000000000000-mapping.dmp

Download
memory/1076-73-0x0000000000000000-mapping.dmp

Download
memory/1092-86-0x0000000000000000-mapping.dmp

Download
memory/1108-64-0x0000000000000000-mapping.dmp

Download
memory/1136-68-0x0000000000000000-mapping.dmp

Download
memory/1152-90-0x0000000076651000-0x0000000076653000-memory.dmp

Filesize
8KB

Download
memory/1164-77-0x0000000000000000-mapping.dmp

Download
memory/1192-85-0x0000000000000000-mapping.dmp

Download
memory/1240-60-0x0000000000000000-mapping.dmp

Download
memory/1248-56-0x0000000000000000-mapping.dmp

Download
memory/1336-55-0x0000000000000000-mapping.dmp

Download
memory/1400-63-0x0000000000000000-mapping.dmp

Download
memory/1492-59-0x0000000000000000-mapping.dmp

Download
memory/1496-57-0x0000000000000000-mapping.dmp

Download
memory/1600-87-0x0000000000000000-mapping.dmp

Download
memory/1608-83-0x0000000000000000-mapping.dmp

Download
memory/1616-81-0x0000000000000000-mapping.dmp

Download
memory/1628-58-0x0000000000000000-mapping.dmp

Download
memory/1664-65-0x0000000000000000-mapping.dmp

Download
memory/1728-72-0x0000000000000000-mapping.dmp

Download
memory/1780-66-0x0000000000000000-mapping.dmp

Download
memory/1788-67-0x0000000000000000-mapping.dmp

Download
memory/1792-80-0x0000000000000000-mapping.dmp

Download
memory/1860-76-0x0000000000000000-mapping.dmp

Download
memory/1900-84-0x0000000000000000-mapping.dmp

Download
memory/1980-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads