ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b

General

Target

ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b.exe
Size

176KB
MD5

018c93e6b6d1c1d96800a543e269af01
SHA1

c9ef453f9af3e2fc8c5bb1f81d524ea5eae337c6
SHA256

ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b
SHA512

34423fa4d97cda30b3a80e02085ef9036baf7b679e6e94e54d6dcff9b140be36f15bc433285a5c73e8538a76174aac8b2342ae0b4eb14d7d0f915f7c9101ae22
SSDEEP

1536:8haN2fh0+TTQInoWGJcJJleqt1+Wgx3lFnHmleHSWgLAyXnnLm+AnqqLDTa26:2++TFnoWTTYBB1hHgN1Anq86

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\36312 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\ccfykxsu.scr"	msiexec.exe

Blocklisted process makes network request 37 IoCs

Processes:

msiexec.exe

flow	pid	process
9	424	msiexec.exe
10	424	msiexec.exe
11	424	msiexec.exe
12	424	msiexec.exe
13	424	msiexec.exe
14	424	msiexec.exe
15	424	msiexec.exe
16	424	msiexec.exe
17	424	msiexec.exe
18	424	msiexec.exe
19	424	msiexec.exe
20	424	msiexec.exe
21	424	msiexec.exe
53	424	msiexec.exe
54	424	msiexec.exe
55	424	msiexec.exe
56	424	msiexec.exe
57	424	msiexec.exe
58	424	msiexec.exe
59	424	msiexec.exe
60	424	msiexec.exe
61	424	msiexec.exe
62	424	msiexec.exe
63	424	msiexec.exe
64	424	msiexec.exe
67	424	msiexec.exe
68	424	msiexec.exe
69	424	msiexec.exe
70	424	msiexec.exe
71	424	msiexec.exe
72	424	msiexec.exe
73	424	msiexec.exe
74	424	msiexec.exe
75	424	msiexec.exe
76	424	msiexec.exe
77	424	msiexec.exe
78	424	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b.exe

description	pid	process	target process
PID 3840 set thread context of 856	3840	ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b.exe	ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b.exe

Drops file in Program Files directory 1 IoCs

Processes:

msiexec.exe

description ioc process

File created C:\PROGRA~3\LOCALS~1\Temp\ccfykxsu.scr msiexec.exe

description	ioc	process
File created	C:\PROGRA~3\LOCALS~1\Temp\ccfykxsu.scr	msiexec.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b.exe

pid	process
856	ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b.exe
856	ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b.exeed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b.exe

description	pid	process	target process
PID 3840 wrote to memory of 856	3840	ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b.exe	ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b.exe
PID 3840 wrote to memory of 856	3840	ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b.exe	ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b.exe
PID 3840 wrote to memory of 856	3840	ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b.exe	ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b.exe
PID 3840 wrote to memory of 856	3840	ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b.exe	ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b.exe
PID 3840 wrote to memory of 856	3840	ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b.exe	ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b.exe
PID 3840 wrote to memory of 856	3840	ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b.exe	ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b.exe
PID 856 wrote to memory of 424	856	ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b.exe	msiexec.exe
PID 856 wrote to memory of 424	856	ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b.exe	msiexec.exe
PID 856 wrote to memory of 424	856	ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b.exe
"C:\Users\Admin\AppData\Local\Temp\ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3840

C:\Users\Admin\AppData\Local\Temp\ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b.exe
"C:\Users\Admin\AppData\Local\Temp\ed8699ecdab7a4a0b2d862400433f431dc5085065971fd60297ce7b509af932b.exe"
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\syswow64\msiexec.exe
3⤵
- Adds policy Run key to start application
- Blocklisted process makes network request
- Drops file in Program Files directory
PID:424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/424-136-0x0000000000000000-mapping.dmp

Download
memory/424-137-0x0000000000C40000-0x0000000000C52000-memory.dmp

Filesize
72KB

Download
memory/424-138-0x0000000000970000-0x0000000000975000-memory.dmp

Filesize
20KB

Download
memory/424-139-0x0000000000970000-0x0000000000975000-memory.dmp

Filesize
20KB

Download
memory/856-132-0x0000000000000000-mapping.dmp

Download
memory/856-133-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/856-135-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads