f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0

General

Target

f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Size

140KB
MD5

e25b989b80f9ec7344754fe47828f8d3
SHA1

134653a26c79ec48c2ccfa1c9bb855e4fdb1cd25
SHA256

f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0
SHA512

ebd662b8dc895a15708c2af4148bef8baf9a971ee9a07cbe8a9195a8381955946825d2a5574c47ded991998c766f8c350f1057501266e77bf637b2bce41711e1
SSDEEP

1536:yOyiGUJJXGPteKPNA3aBn+ryflYTbHyHvbnMJ4LIfN+AzaNPPRu+RsA:yOOUnf6n+ryfuTbSP7MJ4mPzaZ/RsA

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\authorizedapplications\list\C:\Windows\SysWOW64\msiexec.exe = "C:\\Windows\\SysWOW64\\msiexec.exe:*:Generic Host Process"	msiexec.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list	msiexec.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\standardprofile	msiexec.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\authorizedapplications	msiexec.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\authorizedapplications\list	msiexec.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\44480 = "c:\\progra~3\\dxreqmse.exe"	msiexec.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe

description	pid	process	target process
PID 4756 set thread context of 3180	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe

Drops file in Program Files directory 1 IoCs

Processes:

msiexec.exe

description ioc process

File created \??\c:\progra~3\dxreqmse.exe msiexec.exe

description	ioc	process
File created	\??\c:\progra~3\dxreqmse.exe	msiexec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exef3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe

pid	process
4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
3180	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
3180	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe

pid	process
3180	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
3180	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe

description	pid	process
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: 33	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
Token: SeIncBasePriorityPrivilege	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exef3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe

description	pid	process	target process
PID 4756 wrote to memory of 3180	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
PID 4756 wrote to memory of 3180	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
PID 4756 wrote to memory of 3180	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
PID 4756 wrote to memory of 3180	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
PID 4756 wrote to memory of 3180	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
PID 4756 wrote to memory of 3180	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
PID 4756 wrote to memory of 3180	4756	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
PID 3180 wrote to memory of 3824	3180	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe	msiexec.exe
PID 3180 wrote to memory of 3824	3180	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe	msiexec.exe
PID 3180 wrote to memory of 3824	3180	f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
"C:\Users\Admin\AppData\Local\Temp\f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4756

C:\Users\Admin\AppData\Local\Temp\f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe
"C:\Users\Admin\AppData\Local\Temp\f3cc94edcd84798f7fe8299311afaa9f5801ea241183125aa74e17e6dbd698f0.exe"
2⤵
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
3⤵
- Modifies firewall policy service
- Adds policy Run key to start application
- Drops file in Program Files directory
PID:3824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3180-133-0x0000000000000000-mapping.dmp

Download
memory/3180-134-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3180-136-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3180-137-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3824-138-0x0000000000000000-mapping.dmp

Download
memory/3824-139-0x0000000000190000-0x00000000001A2000-memory.dmp

Filesize
72KB

Download
memory/3824-140-0x0000000000730000-0x0000000000737000-memory.dmp

Filesize
28KB

Download
memory/3824-141-0x000000007F400000-0x000000007F406000-memory.dmp

Filesize
24KB

Download
memory/3824-142-0x000000007F400000-0x000000007F406000-memory.dmp

Filesize
24KB

Download
memory/4756-132-0x00000000004B0000-0x00000000004B6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads