c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387

General

Target

c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe
Size

108KB
MD5

1d380684c8c460ed76bc5e8f0bdb4d06
SHA1

e5952a55b5572cae241e7d2d4322b8f88be9ab76
SHA256

c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387
SHA512

cc6b974175c9dfab9a66acb2b2573468ec7a0d3aed75177af9d339ae352a46149e93278f57b11ed0b80d0962a0580691fdb6340ed2cdb5c28ec96a94c50ee08c
SSDEEP

3072:fNrjKaa7+reA3EdtIMqE1kWEYOIfjm64ZZQ7tF:fNr+ACbYM3TbTfAZZa

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AppMgmt\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmentsa.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Appinfo\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmentsa.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AppMgmt\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmentsa.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DmEnrollmentSvc\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmentsa.dll"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe

pid process

1644 c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe
Drops file in System32 directory 1 IoCs

Processes:

c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe

description ioc process

File created C:\Windows\SysWOW64\wbem\cimmentsa.dll c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe

pid	process
1644	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe

description	ioc	process
File created	C:\Windows\SysWOW64\wbem\cimmentsa.dll	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe

description	pid	process	target process
PID 1644 wrote to memory of 1964	1644	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1644 wrote to memory of 1964	1644	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1644 wrote to memory of 1964	1644	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1644 wrote to memory of 3324	1644	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1644 wrote to memory of 3324	1644	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1644 wrote to memory of 3324	1644	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1644 wrote to memory of 1468	1644	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1644 wrote to memory of 1468	1644	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1644 wrote to memory of 1468	1644	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1644 wrote to memory of 4092	1644	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1644 wrote to memory of 4092	1644	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1644 wrote to memory of 4092	1644	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1644 wrote to memory of 1848	1644	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1644 wrote to memory of 1848	1644	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1644 wrote to memory of 1848	1644	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1644 wrote to memory of 4520	1644	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1644 wrote to memory of 4520	1644	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1644 wrote to memory of 4520	1644	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1644 wrote to memory of 3724	1644	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1644 wrote to memory of 3724	1644	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe
PID 1644 wrote to memory of 3724	1644	c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe
"C:\Users\Admin\AppData\Local\Temp\c87f6b1c5b5d426cdaadd06b982fb0e046d3b415aa842213de20adfa2e5f1387.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\AppMgmt\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmentsa.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1964

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\AppMgmtParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%SystemRoot%\System32\appmgmts.dll" /f
2⤵
PID:3324

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\Appinfo\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmentsa.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1468

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\AppinfoParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%SystemRoot%\System32\appinfo.dll" /f
2⤵
PID:4092

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\AppMgmt\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmentsa.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1848

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\AppMgmtParameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmentsa.dll" /f
2⤵
PID:4520

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\DmEnrollmentSvc\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmentsa.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:3724

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:2852

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -p
1⤵
PID:4968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wbem\cimmentsa.dll

Filesize
40.3MB

MD5
f764206d60157ed2310d0738af1c36df

SHA1
f43bb23a49992ee3331d66ffe97566a1f4b384bb

SHA256
07ed6da212fa0d328353178e25708bdc3f41775e0d9ce4cd13ea5785b7027bb5

SHA512
61f55efcff5b886baaa22caddc9ac88143f713c5be1f2bd69c481dfe5367af73b45bae4ecaf081f94169dee105fcb6377a81a81271627d28da2bf6c8fd1bac85

Download Submit
memory/1468-135-0x0000000000000000-mapping.dmp

Download
memory/1848-137-0x0000000000000000-mapping.dmp

Download
memory/1964-133-0x0000000000000000-mapping.dmp

Download
memory/3324-134-0x0000000000000000-mapping.dmp

Download
memory/3724-139-0x0000000000000000-mapping.dmp

Download
memory/4092-136-0x0000000000000000-mapping.dmp

Download
memory/4520-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing