2ebd18eb390902b65e9c11dfcd4e9212fab39689eff6284fb01eaf436a1e6c92

General

Target

RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
Size

176KB
MD5

26599a5d851894bac450a5529f779960
SHA1

86ad307147dcc84a84433c6728444f8f36e7a1e8
SHA256

5375bce7f7d28f834652064ba8c6f41864f3e1fef385aa093a14cf00165976de
SHA512

87a354060184dc12c9ee156e863cf62ebb95bb3557c75851c987cf3889f7445ccf2e1c9b93ceb6a1bc74ae5fcf03d60b3a8b93cf112f1586a5a033b1a4b6199b
SSDEEP

3072:K1tv0jMkCL5x8KxMFS/71d0u6O6DZxwWpPcrKxCtxQ/LgM8rPp0j0:KTCEXz/7D0u6RlxRPk8P8r+I

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1136	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\uhbkhryw.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\uhbkhryw.exe\""	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1188	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
1188	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1188	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
1248	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1188	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
Token: SeDebugPrivilege	1248	Explorer.EXE
Token: SeShutdownPrivilege	1248	Explorer.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1248	Explorer.EXE
1248	Explorer.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 1136	1188	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	28
PID 1188 wrote to memory of 1136	1188	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	28
PID 1188 wrote to memory of 1136	1188	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	28
PID 1188 wrote to memory of 1136	1188	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	28
PID 1188 wrote to memory of 1248	1188	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	18
PID 1248 wrote to memory of 1116	1248	Explorer.EXE	11
PID 1248 wrote to memory of 1204	1248	Explorer.EXE	19
PID 1248 wrote to memory of 1188	1248	Explorer.EXE	27
PID 1248 wrote to memory of 1136	1248	Explorer.EXE	28
PID 1248 wrote to memory of 1136	1248	Explorer.EXE	28
PID 1248 wrote to memory of 2012	1248	Explorer.EXE	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Temp\RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
  "C:\Users\Admin\AppData\Local\Temp\RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS4763~1.BAT"
    3⤵
    - Deletes itself
    PID:1136

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1204

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "803480712-329044235-116425113011546383204367718301639398148-19664978-2081135268"
1⤵
PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms4763869.bat

Filesize
201B

MD5
e4930b9a97c11a0db56edfb71638e84b

SHA1
d88c4f66c27d5820bae884116da617aab1c77939

SHA256
30b072772b2ecf557a907abcd7650faaaf953ea68e4d261e37937b514985fd99

SHA512
ae7d7d5bb3ff9f13780f339ede6b90066dbd98bd0b570ff8c0956c8248a28367b0416c5babdcbaa37107c1c1e587b70d25c1ef7bb87152798779d98b41e9b7cb

Download Submit
memory/1116-79-0x0000000001DB0000-0x0000000001DC7000-memory.dmp

Filesize
92KB

Download
memory/1116-63-0x0000000037700000-0x0000000037710000-memory.dmp

Filesize
64KB

Download
memory/1188-76-0x0000000000C70000-0x0000000000CA4000-memory.dmp

Filesize
208KB

Download
memory/1188-54-0x0000000076691000-0x0000000076693000-memory.dmp

Filesize
8KB

Download
memory/1188-64-0x0000000000350000-0x0000000000364000-memory.dmp

Filesize
80KB

Download
memory/1188-75-0x00000000001F0000-0x00000000001FD000-memory.dmp

Filesize
52KB

Download
memory/1204-67-0x0000000037700000-0x0000000037710000-memory.dmp

Filesize
64KB

Download
memory/1204-80-0x00000000001A0000-0x00000000001B7000-memory.dmp

Filesize
92KB

Download
memory/1248-58-0x0000000037700000-0x0000000037710000-memory.dmp

Filesize
64KB

Download
memory/1248-78-0x0000000002A60000-0x0000000002A77000-memory.dmp

Filesize
92KB

Download
memory/1248-56-0x0000000002A60000-0x0000000002A77000-memory.dmp

Filesize
92KB

Download
memory/1248-81-0x000007FEF6A20000-0x000007FEF6B63000-memory.dmp

Filesize
1.3MB

Download
memory/1248-82-0x000007FF261F0000-0x000007FF261FA000-memory.dmp

Filesize
40KB

Download
memory/2012-73-0x0000000037700000-0x0000000037710000-memory.dmp

Filesize
64KB

Download
memory/2012-77-0x00000000000A0000-0x00000000000B7000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing