fbfebbd124ffd93ccfaa2e0d1fcb7fba04a3fe737a5b46b8d09c942267d78bf1

General

Target

fbfebbd124ffd93ccfaa2e0d1fcb7fba04a3fe737a5b46b8d09c942267d78bf1.exe
Size

277KB
MD5

80225eb7520365640fcf49a28d3c22e2
SHA1

e96b3fc77ce5ec2907372c8b031b212a60e8e407
SHA256

fbfebbd124ffd93ccfaa2e0d1fcb7fba04a3fe737a5b46b8d09c942267d78bf1
SHA512

5253b391995a9a99e62ca58455cc229fc3b153f480cb7fd5463d82780207f67c1e080c710159b6e24edabf949fb05a87307af0474b869501760cec99c29208dc
SSDEEP

6144:WQtMFE/skcyhpl/Xd6GkFtXg1yXlIr9qSUXP/wbXl:WQmIvUK1G+iHwbX

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1348 cmd.exe

pid	process
1348	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ianvmjrr.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\ianvmjrr.exe\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

fbfebbd124ffd93ccfaa2e0d1fcb7fba04a3fe737a5b46b8d09c942267d78bf1.exeExplorer.EXE

pid	process
1416	fbfebbd124ffd93ccfaa2e0d1fcb7fba04a3fe737a5b46b8d09c942267d78bf1.exe
1416	fbfebbd124ffd93ccfaa2e0d1fcb7fba04a3fe737a5b46b8d09c942267d78bf1.exe
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE

pid	process
1264	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

fbfebbd124ffd93ccfaa2e0d1fcb7fba04a3fe737a5b46b8d09c942267d78bf1.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1416	fbfebbd124ffd93ccfaa2e0d1fcb7fba04a3fe737a5b46b8d09c942267d78bf1.exe
Token: SeDebugPrivilege	1264	Explorer.EXE
Token: SeShutdownPrivilege	1264	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
1264 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
1264 Explorer.EXE

pid	process
1264	Explorer.EXE
1264	Explorer.EXE

pid	process
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fbfebbd124ffd93ccfaa2e0d1fcb7fba04a3fe737a5b46b8d09c942267d78bf1.exeExplorer.EXE

description	pid	process	target process
PID 1416 wrote to memory of 1348	1416	fbfebbd124ffd93ccfaa2e0d1fcb7fba04a3fe737a5b46b8d09c942267d78bf1.exe	cmd.exe
PID 1416 wrote to memory of 1348	1416	fbfebbd124ffd93ccfaa2e0d1fcb7fba04a3fe737a5b46b8d09c942267d78bf1.exe	cmd.exe
PID 1416 wrote to memory of 1348	1416	fbfebbd124ffd93ccfaa2e0d1fcb7fba04a3fe737a5b46b8d09c942267d78bf1.exe	cmd.exe
PID 1416 wrote to memory of 1348	1416	fbfebbd124ffd93ccfaa2e0d1fcb7fba04a3fe737a5b46b8d09c942267d78bf1.exe	cmd.exe
PID 1416 wrote to memory of 1264	1416	fbfebbd124ffd93ccfaa2e0d1fcb7fba04a3fe737a5b46b8d09c942267d78bf1.exe	Explorer.EXE
PID 1264 wrote to memory of 1120	1264	Explorer.EXE	taskhost.exe
PID 1264 wrote to memory of 1184	1264	Explorer.EXE	Dwm.exe
PID 1264 wrote to memory of 1348	1264	Explorer.EXE	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\fbfebbd124ffd93ccfaa2e0d1fcb7fba04a3fe737a5b46b8d09c942267d78bf1.exe
"C:\Users\Admin\AppData\Local\Temp\fbfebbd124ffd93ccfaa2e0d1fcb7fba04a3fe737a5b46b8d09c942267d78bf1.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\ms67357.bat"
3⤵
- Deletes itself
PID:1348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms67357.bat
Filesize
200B

MD5
2f42fc7f008020e4852bfbd841a00afe

SHA1
75f3c76000b54ba377417acd096dd3ea19c73270

SHA256
e997e71418ea2f190ae96caf3d316649241aaacd5d77d6d3914945982bae8fd2

SHA512
e022796835ed441cb914934fcabf1a355a4d48948ff1cf83d9a5faa7925b633acc5ece8dca0aabb9279e9cdd97e804edf2658533961b99b1967b5a26e9d07161

Download Submit
memory/1120-70-0x0000000001B40000-0x0000000001B57000-memory.dmp

Filesize
92KB

Download
memory/1120-67-0x0000000037600000-0x0000000037610000-memory.dmp

Filesize
64KB

Download
memory/1184-68-0x0000000037600000-0x0000000037610000-memory.dmp

Filesize
64KB

Download
memory/1184-71-0x0000000000130000-0x0000000000147000-memory.dmp

Filesize
92KB

Download
memory/1264-56-0x0000000002150000-0x0000000002167000-memory.dmp

Filesize
92KB

Download
memory/1264-73-0x000007FE7F020000-0x000007FE7F02A000-memory.dmp

Filesize
40KB

Download
memory/1264-59-0x0000000037600000-0x0000000037610000-memory.dmp

Filesize
64KB

Download
memory/1264-72-0x000007FEF61E0000-0x000007FEF6323000-memory.dmp

Filesize
1.3MB

Download
memory/1264-69-0x0000000002150000-0x0000000002167000-memory.dmp

Filesize
92KB

Download
memory/1348-55-0x0000000000000000-mapping.dmp

Download
memory/1416-58-0x0000000000150000-0x000000000015D000-memory.dmp

Filesize
52KB

Download
memory/1416-60-0x0000000000160000-0x00000000001A8000-memory.dmp

Filesize
288KB

Download
memory/1416-54-0x0000000075F01000-0x0000000075F03000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads