3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540

General

Target

3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
Size

586KB
MD5

856401f79397ae093d5fd7795007d900
SHA1

c03525fe8d9222fcdc7a6efba2063b671c95b690
SHA256

3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540
SHA512

d4d9dd5d6d650c2e42d4da859b3a93fe830faf31217a830df90a75e63c3cc243a62bc3cf0f0d847c260f386afe36cd4ff044121d1a8982bf80005e7e98abadd2
SSDEEP

12288:NdmNDwtZF4951xlMfa780coTAHp9/VjbyOogKN1:NwNDwKflMS8VoWp9djed

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\side = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\side.exe"	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe

description	pid	process	target process
PID 1480 set thread context of 2036	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 1480 set thread context of 2012	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe

pid	process
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe

description pid process

Token: SeDebugPrivilege 1480 3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe

description	pid	process
Token: SeDebugPrivilege	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\CMD.exe
"CMD"
2⤵
PID:304

C:\Windows\SysWOW64\CMD.exe
"CMD"
2⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 388
3⤵
PID:920

C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
"C:\Users\Admin\AppData\Local\Temp\3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe"
2⤵
PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\side.exe
Filesize
586KB

MD5
856401f79397ae093d5fd7795007d900

SHA1
c03525fe8d9222fcdc7a6efba2063b671c95b690

SHA256
3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540

SHA512
d4d9dd5d6d650c2e42d4da859b3a93fe830faf31217a830df90a75e63c3cc243a62bc3cf0f0d847c260f386afe36cd4ff044121d1a8982bf80005e7e98abadd2

Download Submit
memory/304-55-0x0000000000000000-mapping.dmp

Download
memory/920-86-0x0000000000000000-mapping.dmp

Download
memory/1480-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1480-58-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/1480-87-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/1952-56-0x0000000000000000-mapping.dmp

Download
memory/2012-78-0x000000000043B58E-mapping.dmp

Download
memory/2012-76-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2012-90-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/2012-85-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/2012-82-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2012-70-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2012-68-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2012-74-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2012-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2012-77-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2036-64-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2036-62-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2036-73-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2036-69-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2036-84-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/2036-66-0x000000000044C2BE-mapping.dmp

Download
memory/2036-60-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2036-59-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2036-89-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/2036-65-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download

description	pid	process	target process
PID 1480 wrote to memory of 304	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	CMD.exe
PID 1480 wrote to memory of 304	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	CMD.exe
PID 1480 wrote to memory of 304	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	CMD.exe
PID 1480 wrote to memory of 304	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	CMD.exe
PID 1480 wrote to memory of 1952	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	CMD.exe
PID 1480 wrote to memory of 1952	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	CMD.exe
PID 1480 wrote to memory of 1952	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	CMD.exe
PID 1480 wrote to memory of 1952	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	CMD.exe
PID 1480 wrote to memory of 2036	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 1480 wrote to memory of 2036	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 1480 wrote to memory of 2036	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 1480 wrote to memory of 2036	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 1480 wrote to memory of 2036	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 1480 wrote to memory of 2036	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 1480 wrote to memory of 2036	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 1480 wrote to memory of 2036	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 1480 wrote to memory of 2036	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 1480 wrote to memory of 2012	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 1480 wrote to memory of 2012	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 1480 wrote to memory of 2012	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 1480 wrote to memory of 2012	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 1480 wrote to memory of 2012	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 1480 wrote to memory of 2012	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 1480 wrote to memory of 2012	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 1480 wrote to memory of 2012	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 1480 wrote to memory of 2012	1480	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe
PID 2036 wrote to memory of 920	2036	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	dw20.exe
PID 2036 wrote to memory of 920	2036	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	dw20.exe
PID 2036 wrote to memory of 920	2036	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	dw20.exe
PID 2036 wrote to memory of 920	2036	3a78a6628941523d37bbad5ab0247b537636635a5be16aa680a550971918a540.exe	dw20.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads