5c8c2e8e87cd3cdf48883cc6e702b29e9db16e80972c7c4c8d7049d6a3475e2f

General

Target

5c8c2e8e87cd3cdf48883cc6e702b29e9db16e80972c7c4c8d7049d6a3475e2f.exe
Size

278KB
MD5

47cab2df770bfb3b5e4e741229d029fd
SHA1

7484bee01b8e41999c69e56aea0f5f9eda25279e
SHA256

5c8c2e8e87cd3cdf48883cc6e702b29e9db16e80972c7c4c8d7049d6a3475e2f
SHA512

51df63231c430c17e84dd40034e212182db17325fd49c391eef2f35c62344130f761138bdb4cb2d8ab4628a99158f03a1d77241d33accc98bd1c94be277501df
SSDEEP

6144:3bw0Oxjh1imhqrI4geQo6A7CQe+04FwKg2zM8bT7/:3fkhqR6Abr

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1200 cmd.exe

pid	process
1200	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ianvmjrr.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\ianvmjrr.exe\""	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

5c8c2e8e87cd3cdf48883cc6e702b29e9db16e80972c7c4c8d7049d6a3475e2f.exeExplorer.EXE

pid	process
1764	5c8c2e8e87cd3cdf48883cc6e702b29e9db16e80972c7c4c8d7049d6a3475e2f.exe
1764	5c8c2e8e87cd3cdf48883cc6e702b29e9db16e80972c7c4c8d7049d6a3475e2f.exe
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1280 Explorer.EXE

pid	process
1280	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

5c8c2e8e87cd3cdf48883cc6e702b29e9db16e80972c7c4c8d7049d6a3475e2f.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1764	5c8c2e8e87cd3cdf48883cc6e702b29e9db16e80972c7c4c8d7049d6a3475e2f.exe
Token: SeDebugPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1280 Explorer.EXE
1280 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1280 Explorer.EXE
1280 Explorer.EXE

pid	process
1280	Explorer.EXE
1280	Explorer.EXE

pid	process
1280	Explorer.EXE
1280	Explorer.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

5c8c2e8e87cd3cdf48883cc6e702b29e9db16e80972c7c4c8d7049d6a3475e2f.exeExplorer.EXE

description	pid	process	target process
PID 1764 wrote to memory of 1200	1764	5c8c2e8e87cd3cdf48883cc6e702b29e9db16e80972c7c4c8d7049d6a3475e2f.exe	cmd.exe
PID 1764 wrote to memory of 1200	1764	5c8c2e8e87cd3cdf48883cc6e702b29e9db16e80972c7c4c8d7049d6a3475e2f.exe	cmd.exe
PID 1764 wrote to memory of 1200	1764	5c8c2e8e87cd3cdf48883cc6e702b29e9db16e80972c7c4c8d7049d6a3475e2f.exe	cmd.exe
PID 1764 wrote to memory of 1200	1764	5c8c2e8e87cd3cdf48883cc6e702b29e9db16e80972c7c4c8d7049d6a3475e2f.exe	cmd.exe
PID 1764 wrote to memory of 1280	1764	5c8c2e8e87cd3cdf48883cc6e702b29e9db16e80972c7c4c8d7049d6a3475e2f.exe	Explorer.EXE
PID 1280 wrote to memory of 1124	1280	Explorer.EXE	taskhost.exe
PID 1280 wrote to memory of 1204	1280	Explorer.EXE	Dwm.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\5c8c2e8e87cd3cdf48883cc6e702b29e9db16e80972c7c4c8d7049d6a3475e2f.exe
"C:\Users\Admin\AppData\Local\Temp\5c8c2e8e87cd3cdf48883cc6e702b29e9db16e80972c7c4c8d7049d6a3475e2f.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS3907~1.BAT"
3⤵
- Deletes itself
PID:1200

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1204

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms3907252.bat

Filesize
201B

MD5
20f2bbb6596d2e2346e8bca60f2774e0

SHA1
7dc5ea676aeb686a4e34c120a34159e72062d921

SHA256
a517f37393809585549f9ab6cadf353074d913176466f721c10cace3d360a4a3

SHA512
9c080a11e48340c66cd7c24f98abceb7b4ff5be97c829e298f3e2078522d8babdcd0ad7493ff27da184c769e3d1f027976ff9a6394ac540b72316a5c28d4a1b6

Download Submit
memory/1124-68-0x0000000036D90000-0x0000000036DA0000-memory.dmp

Filesize
64KB

Download
memory/1124-70-0x0000000000320000-0x0000000000337000-memory.dmp

Filesize
92KB

Download
memory/1200-57-0x0000000000000000-mapping.dmp

Download
memory/1204-69-0x0000000036D90000-0x0000000036DA0000-memory.dmp

Filesize
64KB

Download
memory/1204-71-0x00000000001A0000-0x00000000001B7000-memory.dmp

Filesize
92KB

Download
memory/1280-58-0x0000000001DA0000-0x0000000001DB7000-memory.dmp

Filesize
92KB

Download
memory/1280-61-0x0000000036D90000-0x0000000036DA0000-memory.dmp

Filesize
64KB

Download
memory/1280-72-0x0000000001DA0000-0x0000000001DB7000-memory.dmp

Filesize
92KB

Download
memory/1764-54-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/1764-60-0x0000000000140000-0x000000000014E000-memory.dmp

Filesize
56KB

Download
memory/1764-62-0x0000000000EB0000-0x0000000000EFE000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads