ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d

General

Target

ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
Size

74KB
MD5

0335bf2b061afacdf66c00dd51ee7da4
SHA1

1c44a285667df5b68f60b02b20f489f78f3180c0
SHA256

ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d
SHA512

7a7c415c29fe12298ecb55adbfc6f0974f3c366276ebd1898c9ae1260700b0806ea97bd4e06c277852d648a78e4f587c5304ecd26a73e085275ee16e74c845eb
SSDEEP

1536:BV+rXj8M7RrQR51HCHmnKlX16N625h2YuDEm1lSa47fM76jaKLM8Ai2p:Y8EE5iHmnKlX1M625h1uDxUa47fM76BQ

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\Serverx = "C:\\Windows\\system32\\Serverx.exe"	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe

Drops file in System32 directory 3 IoCs

Processes:

ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Serverx.exe	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
File opened for modification	C:\WINDOWS\SysWOW64\SERVERX.EXE	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
File opened for modification	C:\Windows\SysWOW64\Serverx.exe	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe

pid process

1532 ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe

Suspicious behavior: MapViewOfSection 23 IoCs

Processes:

ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe

pid	process
1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exeba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe

description	pid	process
Token: SeDebugPrivilege	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
Token: SeTakeOwnershipPrivilege	1428	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
Token: SeRestorePrivilege	1428	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
Token: SeBackupPrivilege	1428	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
Token: SeChangeNotifyPrivilege	1428	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
Token: SeTakeOwnershipPrivilege	1428	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
Token: SeRestorePrivilege	1428	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
Token: SeBackupPrivilege	1428	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
Token: SeChangeNotifyPrivilege	1428	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exeba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe

description	pid	process	target process
PID 1428 wrote to memory of 1532	1428	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
PID 1428 wrote to memory of 1532	1428	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
PID 1428 wrote to memory of 1532	1428	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
PID 1428 wrote to memory of 1532	1428	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
PID 1532 wrote to memory of 368	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	wininit.exe
PID 1532 wrote to memory of 368	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	wininit.exe
PID 1532 wrote to memory of 368	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	wininit.exe
PID 1532 wrote to memory of 368	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	wininit.exe
PID 1532 wrote to memory of 368	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	wininit.exe
PID 1532 wrote to memory of 380	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	csrss.exe
PID 1532 wrote to memory of 380	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	csrss.exe
PID 1532 wrote to memory of 380	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	csrss.exe
PID 1532 wrote to memory of 380	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	csrss.exe
PID 1532 wrote to memory of 380	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	csrss.exe
PID 1532 wrote to memory of 416	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	winlogon.exe
PID 1532 wrote to memory of 416	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	winlogon.exe
PID 1532 wrote to memory of 416	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	winlogon.exe
PID 1532 wrote to memory of 416	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	winlogon.exe
PID 1532 wrote to memory of 416	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	winlogon.exe
PID 1532 wrote to memory of 460	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	services.exe
PID 1532 wrote to memory of 460	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	services.exe
PID 1532 wrote to memory of 460	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	services.exe
PID 1532 wrote to memory of 460	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	services.exe
PID 1532 wrote to memory of 460	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	services.exe
PID 1532 wrote to memory of 476	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	lsass.exe
PID 1532 wrote to memory of 476	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	lsass.exe
PID 1532 wrote to memory of 476	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	lsass.exe
PID 1532 wrote to memory of 476	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	lsass.exe
PID 1532 wrote to memory of 476	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	lsass.exe
PID 1532 wrote to memory of 484	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	lsm.exe
PID 1532 wrote to memory of 484	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	lsm.exe
PID 1532 wrote to memory of 484	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	lsm.exe
PID 1532 wrote to memory of 484	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	lsm.exe
PID 1532 wrote to memory of 484	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	lsm.exe
PID 1532 wrote to memory of 596	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 596	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 596	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 596	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 596	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 676	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 676	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 676	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 676	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 676	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 760	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 760	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 760	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 760	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 760	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 804	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 804	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 804	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 804	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 804	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 844	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 844	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 844	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 844	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 844	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 880	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 880	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 880	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 880	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe
PID 1532 wrote to memory of 880	1532	ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe	svchost.exe

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
"C:\Users\Admin\AppData\Local\Temp\ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe"
2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428

C:\Users\Admin\AppData\Local\Temp\ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe
"C:\Users\Admin\AppData\Local\Temp\ba61b5b4203f910aa1cdd95709e898896e1cebd12bd36422d8da0111196c826d.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1832

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1968

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:1636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
1⤵
PID:1068

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1076

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
PID:272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:596

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1252-61-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1428-54-0x0000000074C41000-0x0000000074C43000-memory.dmp

Filesize
8KB

Download
memory/1428-58-0x0000000001000000-0x000000000101A000-memory.dmp

Filesize
104KB

Download
memory/1428-59-0x00000000001F0000-0x000000000020A000-memory.dmp

Filesize
104KB

Download
memory/1428-60-0x000000007EFA0000-0x000000007EFA8000-memory.dmp

Filesize
32KB

Download
memory/1428-63-0x000000007EFA0000-0x000000007EFA8000-memory.dmp

Filesize
32KB

Download
memory/1428-64-0x0000000001000000-0x000000000101A000-memory.dmp

Filesize
104KB

Download
memory/1428-65-0x00000000001F0000-0x000000000020A000-memory.dmp

Filesize
104KB

Download
memory/1532-55-0x0000000000000000-mapping.dmp

Download
memory/1532-57-0x0000000001000000-0x000000000101A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads