0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33

General

Target

0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
Size

172KB
MD5

3ada1995cb02ba07cef2945787a57faf
SHA1

30400c428672eb2a59d4918d3baae1222fe42f8d
SHA256

0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33
SHA512

61e4529df5e70bdf1bc18c81958a71173d99bb21a42c72c262aa2f9a31eeef3fc3206b5e983f7c7c22cabe7c8dd0ff35646ca4e5d1af98b2d3d035d288415395
SSDEEP

3072:4ac9gOdj02MUt7V3oyttXcg4neXgHwcZ+hHiIkJ:4b9Zy2eyM5ewHw2+h

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

580 cmd.exe

pid	process
580	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\uhbkhryw.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\uhbkhryw.exe\""	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

Processes:

0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe

description	pid	process	target process
PID 1320 set thread context of 944	1320	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe

Modifies registry class 14 IoCs

Processes:

0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0DCED7~1.EXE /p \"%1\""	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\printto\command	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0DCED7~1.EXE /pt \"%1\" \"%2\" \"%3\" \"%4\""	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0DCED7~1.EXE,0"	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\open\command	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\print	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0DCED7~1.EXE \"%1\""	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\print\command	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\printto	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\ = "Tif Document"	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\DefaultIcon	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Tif.Document\shell\open	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exeExplorer.EXE

pid	process
1320	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
1320	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
1320	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
944	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
944	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE

pid	process
1232	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	944	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
Token: SeDebugPrivilege	1232	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
1232 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
1232 Explorer.EXE

pid	process
1232	Explorer.EXE
1232	Explorer.EXE

pid	process
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe

pid	process
1320	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
1320	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE

pid	process
1232	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exeExplorer.EXE

description	pid	process	target process
PID 1320 wrote to memory of 944	1320	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
PID 1320 wrote to memory of 944	1320	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
PID 1320 wrote to memory of 944	1320	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
PID 1320 wrote to memory of 944	1320	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
PID 1320 wrote to memory of 944	1320	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
PID 1320 wrote to memory of 944	1320	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
PID 1320 wrote to memory of 944	1320	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
PID 1320 wrote to memory of 944	1320	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
PID 1320 wrote to memory of 944	1320	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
PID 1320 wrote to memory of 944	1320	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
PID 944 wrote to memory of 580	944	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe	cmd.exe
PID 944 wrote to memory of 580	944	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe	cmd.exe
PID 944 wrote to memory of 580	944	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe	cmd.exe
PID 944 wrote to memory of 580	944	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe	cmd.exe
PID 944 wrote to memory of 1232	944	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe	Explorer.EXE
PID 1232 wrote to memory of 1124	1232	Explorer.EXE	taskhost.exe
PID 1232 wrote to memory of 1124	1232	Explorer.EXE	taskhost.exe
PID 1232 wrote to memory of 1172	1232	Explorer.EXE	Dwm.exe
PID 1232 wrote to memory of 1172	1232	Explorer.EXE	Dwm.exe
PID 1232 wrote to memory of 944	1232	Explorer.EXE	0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
PID 1232 wrote to memory of 580	1232	Explorer.EXE	cmd.exe
PID 1232 wrote to memory of 668	1232	Explorer.EXE	conhost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Local\Temp\0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
"C:\Users\Admin\AppData\Local\Temp\0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1320

C:\Users\Admin\AppData\Local\Temp\0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
C:\Users\Admin\AppData\Local\Temp\0dced79cf4907bf2e71caeebc12da6154cc08b4eacd68b62bbf902d4863b8a33.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS5967~1.BAT"
4⤵
- Deletes itself
PID:580

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-222919920-996351621-1275689780-19780765391532568160-11776637041275694713-790337471"
1⤵
PID:668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms5967899.bat

Filesize
201B

MD5
dfe5ab1ba5d8eb8038dbfec90651cbf6

SHA1
fafbfefac3aa428dd87412d2de4e1779a6099c25

SHA256
324a063af3e5c42d69bf89b2f72525a2ca8a129c3d9eee9847d386fcc3d7dc4f

SHA512
019aa3279fc7036bc46905fb123be5b061cf0a06941b0109c748bb644a1ef7516c5886315260a23980370b9b087d84ef0cd4493380d379fd28299538a6001626

Download Submit
memory/580-71-0x0000000000000000-mapping.dmp

Download
memory/668-93-0x0000000000160000-0x0000000000177000-memory.dmp

Filesize
92KB

Download
memory/944-64-0x00000000004010C0-mapping.dmp

Download
memory/944-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/944-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/944-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/944-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/944-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/944-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/944-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/944-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/944-84-0x00000000003E0000-0x00000000003F4000-memory.dmp

Filesize
80KB

Download
memory/1124-92-0x0000000037C40000-0x0000000037C50000-memory.dmp

Filesize
64KB

Download
memory/1124-98-0x0000000001DC0000-0x0000000001DD7000-memory.dmp

Filesize
92KB

Download
memory/1124-99-0x0000000001E60000-0x0000000001E77000-memory.dmp

Filesize
92KB

Download
memory/1172-91-0x0000000037C40000-0x0000000037C50000-memory.dmp

Filesize
64KB

Download
memory/1172-95-0x0000000037C40000-0x0000000037C50000-memory.dmp

Filesize
64KB

Download
memory/1172-97-0x00000000002C0000-0x00000000002D7000-memory.dmp

Filesize
92KB

Download
memory/1172-100-0x00000000002A0000-0x00000000002B7000-memory.dmp

Filesize
92KB

Download
memory/1232-75-0x0000000037C40000-0x0000000037C50000-memory.dmp

Filesize
64KB

Download
memory/1232-96-0x0000000001DC0000-0x0000000001DD7000-memory.dmp

Filesize
92KB

Download
memory/1232-72-0x0000000001DC0000-0x0000000001DD7000-memory.dmp

Filesize
92KB

Download
memory/1232-101-0x000007FEF6800000-0x000007FEF6943000-memory.dmp

Filesize
1.3MB

Download
memory/1232-102-0x000007FE92A10000-0x000007FE92A1A000-memory.dmp

Filesize
40KB

Download
memory/1320-54-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/1320-65-0x0000000000350000-0x0000000000354000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads