df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd

General

Target

df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe
Size

119KB
MD5

0206d396524ffaa64103151c820ddea6
SHA1

9ba5346a908713f15740370d5e82b393aad54fed
SHA256

df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd
SHA512

ffc2c5c0fab6ef6cb5efecf0d22831aabf9e0d86fd1b02b0451e7e5e3fde6017fd17fb0a74b42382e4d8dad8221d30e2bd7847def7a87c9db26daf1ea5beadf0
SSDEEP

3072:dwrhOUULAgG01X1cRxMdiQfngFz9PRtyWXQBaNWjJA:dwrhOZo01aWfmhLX4jG

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

msiexec.exemsiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	msiexec.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

msiexec.exemsiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msiexec.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1843965168 = "C:\\PROGRA~3\\mshcsrkf.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1843965168 = "C:\\PROGRA~3\\mshcsrkf.exe"	msiexec.exe

Blocklisted process makes network request 16 IoCs

Processes:

msiexec.exemsiexec.exe

flow	pid	process
2	1764	msiexec.exe
3	636	msiexec.exe
4	1764	msiexec.exe
5	636	msiexec.exe
6	636	msiexec.exe
7	1764	msiexec.exe
9	636	msiexec.exe
11	1764	msiexec.exe
12	636	msiexec.exe
13	636	msiexec.exe
14	636	msiexec.exe
15	636	msiexec.exe
16	1764	msiexec.exe
17	1764	msiexec.exe
18	1764	msiexec.exe
19	1764	msiexec.exe

Disables taskbar notifications via registry modification
evasion

Suspicious use of SetThreadContext 1 IoCs

Processes:

df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe

description	pid	process	target process
PID 1472 set thread context of 320	1472	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe

Drops file in Program Files directory 2 IoCs

Processes:

msiexec.exemsiexec.exe

description ioc process

File opened for modification C:\PROGRA~3\mshcsrkf.exe msiexec.exe
File opened for modification C:\PROGRA~3\mshcsrkf.exe msiexec.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exemsiexec.exemsiexec.exe

pid process

320 df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe
1764 msiexec.exe
636 msiexec.exe
1764 msiexec.exe
636 msiexec.exe

description	ioc	process
File opened for modification	C:\PROGRA~3\mshcsrkf.exe	msiexec.exe
File opened for modification	C:\PROGRA~3\mshcsrkf.exe	msiexec.exe

Suspicious behavior: MapViewOfSection 51 IoCs

Processes:

df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exemsiexec.exemsiexec.exe

pid	process
320	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe
320	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe
320	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe
1764	msiexec.exe
1764	msiexec.exe
1764	msiexec.exe
1764	msiexec.exe
1764	msiexec.exe
1764	msiexec.exe
1764	msiexec.exe
636	msiexec.exe
1764	msiexec.exe
1764	msiexec.exe
636	msiexec.exe
1764	msiexec.exe
636	msiexec.exe
636	msiexec.exe
636	msiexec.exe
636	msiexec.exe
636	msiexec.exe
636	msiexec.exe
1764	msiexec.exe
636	msiexec.exe
636	msiexec.exe
636	msiexec.exe
1764	msiexec.exe
636	msiexec.exe
636	msiexec.exe
636	msiexec.exe
1764	msiexec.exe
636	msiexec.exe
1764	msiexec.exe
636	msiexec.exe
636	msiexec.exe
1764	msiexec.exe
636	msiexec.exe
636	msiexec.exe
1764	msiexec.exe
636	msiexec.exe
636	msiexec.exe
1764	msiexec.exe
636	msiexec.exe
636	msiexec.exe
1764	msiexec.exe
636	msiexec.exe
1764	msiexec.exe
1764	msiexec.exe
1764	msiexec.exe
1764	msiexec.exe
1764	msiexec.exe
1764	msiexec.exe

Suspicious behavior: RenamesItself 2 IoCs

Processes:

msiexec.exemsiexec.exe

pid process

1764 msiexec.exe
636 msiexec.exe

pid	process
1764	msiexec.exe
636	msiexec.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	320	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe
Token: SeBackupPrivilege	320	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe
Token: SeRestorePrivilege	320	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe
Token: SeDebugPrivilege	1764	msiexec.exe
Token: SeBackupPrivilege	1764	msiexec.exe
Token: SeRestorePrivilege	1764	msiexec.exe
Token: SeDebugPrivilege	636	msiexec.exe
Token: SeBackupPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exedf0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe

description	pid	process	target process
PID 1472 wrote to memory of 268	1472	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe
PID 1472 wrote to memory of 268	1472	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe
PID 1472 wrote to memory of 268	1472	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe
PID 1472 wrote to memory of 268	1472	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe
PID 1472 wrote to memory of 320	1472	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe
PID 1472 wrote to memory of 320	1472	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe
PID 1472 wrote to memory of 320	1472	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe
PID 1472 wrote to memory of 320	1472	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe
PID 1472 wrote to memory of 320	1472	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe
PID 1472 wrote to memory of 320	1472	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe
PID 1472 wrote to memory of 320	1472	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe
PID 1472 wrote to memory of 320	1472	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe
PID 1472 wrote to memory of 320	1472	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe
PID 320 wrote to memory of 636	320	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe	msiexec.exe
PID 320 wrote to memory of 636	320	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe	msiexec.exe
PID 320 wrote to memory of 636	320	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe	msiexec.exe
PID 320 wrote to memory of 636	320	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe	msiexec.exe
PID 320 wrote to memory of 636	320	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe	msiexec.exe
PID 320 wrote to memory of 636	320	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe	msiexec.exe
PID 320 wrote to memory of 636	320	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe	msiexec.exe
PID 320 wrote to memory of 1764	320	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe	msiexec.exe
PID 320 wrote to memory of 1764	320	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe	msiexec.exe
PID 320 wrote to memory of 1764	320	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe	msiexec.exe
PID 320 wrote to memory of 1764	320	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe	msiexec.exe
PID 320 wrote to memory of 1764	320	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe	msiexec.exe
PID 320 wrote to memory of 1764	320	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe	msiexec.exe
PID 320 wrote to memory of 1764	320	df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe
"C:\Users\Admin\AppData\Local\Temp\df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\AppData\Local\Temp\df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe
  "C:\Users\Admin\AppData\Local\Temp\df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe"
  2⤵
  PID:268
- C:\Users\Admin\AppData\Local\Temp\df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe
  "C:\Users\Admin\AppData\Local\Temp\df0a4e83cbab7d9056a55e8d4e3669a7f2035a0ff1b8b2720cb7840191ece5cd.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - UAC bypass
    - Adds policy Run key to start application
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    PID:636
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - UAC bypass
    - Adds policy Run key to start application
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/320-65-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/320-64-0x000000007EF90000-0x000000007EF96000-memory.dmp

Filesize
24KB

Download
memory/320-56-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/320-57-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/320-58-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/320-60-0x00000000002D8EFE-mapping.dmp

Download
memory/636-63-0x0000000000000000-mapping.dmp

Download
memory/636-69-0x0000000000B30000-0x0000000000B44000-memory.dmp

Filesize
80KB

Download
memory/636-71-0x000000007EF90000-0x000000007EF96000-memory.dmp

Filesize
24KB

Download
memory/1472-55-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/1472-61-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/1472-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1764-67-0x0000000000000000-mapping.dmp

Download
memory/1764-70-0x000000007EF90000-0x000000007EF96000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads