17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff

General

Target

17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe
Size

108KB
MD5

da5a8845b4acd35c05c1ae46b007a79e
SHA1

feebd3b0aa5dcf83b7bd060b71b004b82206322c
SHA256

17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff
SHA512

462397d41f17305bf7b2aacaf7d9aaae0b2fc6c7c3c40e66e19c3b6a2d1d0d6f9c54f8a12e8b018548fa94a01cab76c4acb5f7dc1d9d69e6c442d730201a0e8f
SSDEEP

3072:TD+qrKarOANYdtK8lyXEQ2ylf75+VPgt:TCcSla80X/jlN+VP

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\KtmRm\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmapp.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MSiSCSI\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmapp.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\RasMan\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmapp.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TapiSrv\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmapp.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Wecsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmapp.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AppMgmt\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmapp.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\seclogon\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmapp.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\RasAuto\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmapp.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmapp.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Appinfo\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmapp.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AppMgmt\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmapp.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\IKEEXT\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmapp.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\iphlpsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmapp.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmapp.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmapp.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SessionEnv\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmapp.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmapp.dll"	reg.exe

Loads dropped DLL 2 IoCs

Processes:

17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exesvchost.exe

pid process

1044 17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe
1732 svchost.exe
Drops file in System32 directory 1 IoCs

Processes:

17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe

description ioc process

File created C:\Windows\SysWOW64\wbem\cimmapp.dll 17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe

pid	process
1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe
1732	svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\wbem\cimmapp.dll	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe

Drops file in Windows directory 13 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_086C1148ADB607AF8D60AED2BA0159A3	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_87A5D2A17D34E46FC933087294B7150D	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_87A5D2A17D34E46FC933087294B7150D	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_086C1148ADB607AF8D60AED2BA0159A3	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	svchost.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{21F804C3-6D10-431D-B2B5-224412D7FA27}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{21F804C3-6D10-431D-B2B5-224412D7FA27}\WpadNetworkName = "Network 2"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{21F804C3-6D10-431D-B2B5-224412D7FA27}\WpadDecisionTime = 902049f3b900d901	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{21F804C3-6D10-431D-B2B5-224412D7FA27}\WpadDecisionReason = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{21F804C3-6D10-431D-B2B5-224412D7FA27}\WpadDecision = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CacheLimit = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-d8-6c-5b-31-86\WpadDecisionTime = 902049f3b900d901	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-d8-6c-5b-31-86	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-d8-6c-5b-31-86\WpadDecisionReason = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
460

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe

description	pid	process	target process
PID 1044 wrote to memory of 684	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 684	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 684	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 684	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1444	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1444	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1444	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1444	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1232	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1232	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1232	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1232	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 2032	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 2032	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 2032	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 2032	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 908	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 908	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 908	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 908	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 280	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 280	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 280	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 280	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 468	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 468	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 468	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 468	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1012	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1012	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1012	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1012	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 900	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 900	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 900	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 900	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1260	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1260	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1260	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1260	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1624	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1624	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1624	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1624	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1960	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1960	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1960	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1960	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1616	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1616	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1616	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1616	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 828	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 828	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 828	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 828	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1844	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1844	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1844	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1844	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1524	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1524	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1524	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 1044 wrote to memory of 1524	1044	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe
"C:\Users\Admin\AppData\Local\Temp\17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\AppMgmt\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmapp.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:684

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\AppMgmtParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%SystemRoot%\System32\appmgmts.dll" /f
2⤵
PID:1444

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\Appinfo\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmapp.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1232

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\AppinfoParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%SystemRoot%\System32\appinfo.dll" /f
2⤵
PID:2032

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\AppMgmt\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmapp.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:908

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\AppMgmtParameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmapp.dll" /f
2⤵
PID:280

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\IKEEXT\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmapp.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:468

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\IKEEXTParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%SystemRoot%\System32\ikeext.dll" /f
2⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmapp.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:900

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\iphlpsvcParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%SystemRoot%\System32\iphlpsvc.dll" /f
2⤵
PID:1260

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\KtmRm\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmapp.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1624

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\KtmRmParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%systemroot%\system32\msdtckrm.dll" /f
2⤵
PID:1960

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\MSiSCSI\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmapp.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1616

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\MSiSCSIParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%systemroot%\system32\iscsiexe.dll" /f
2⤵
PID:828

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\PolicyAgent\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmapp.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1844

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\PolicyAgentParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%SystemRoot%\System32\ipsecsvc.dll" /f
2⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\RasAuto\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmapp.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1060

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\RasAutoParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%SystemRoot%\System32\rasauto.dll" /f
2⤵
PID:1056

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\RasMan\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmapp.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1580

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\RasManParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%SystemRoot%\System32\rasmans.dll" /f
2⤵
PID:1016

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\RemoteAccess\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmapp.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1032

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\RemoteAccessParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%SystemRoot%\System32\mprdim.dll" /f
2⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\seclogon\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmapp.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1840

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\seclogonParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%windir%\system32\seclogon.dll" /f
2⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\SessionEnv\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmapp.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1340

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\SessionEnvParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%SystemRoot%\system32\sessenv.dll" /f
2⤵
PID:876

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmapp.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1408

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\SharedAccessParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%SystemRoot%\System32\ipnathlp.dll" /f
2⤵
PID:1504

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\TapiSrv\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmapp.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1468

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\TapiSrvParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%SystemRoot%\System32\tapisrv.dll" /f
2⤵
PID:1572

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\TermService\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmapp.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1936

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\TermServiceParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%SystemRoot%\System32\termsrv.dll" /f
2⤵
PID:108

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\Wecsvc\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmapp.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:1436

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
PID:1812

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k NetworkServiceAndNoImpersonation
1⤵
PID:1956

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
PID:1224

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k NetworkService
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\wbem\cimmapp.dll

Filesize
46.0MB

MD5
a38fc484ccd7fd88a5b50ebbc1d256c7

SHA1
0d78d3ce7c95d734b26973e47c96db2177480223

SHA256
957ea818b4798544d89f213213b7651d95dd33b5f5d66b12ba90eec73e92e80a

SHA512
7b1134aae205678032484c987fc8e7c7b442cf14e342938740d0acef74c3a1dab88773510950094752b576b035dc77ef334c6ac9c5edd2c88f1bf50b44c55a0e

Download Submit
\Windows\SysWOW64\wbem\cimmapp.dll

Filesize
46.0MB

MD5
a38fc484ccd7fd88a5b50ebbc1d256c7

SHA1
0d78d3ce7c95d734b26973e47c96db2177480223

SHA256
957ea818b4798544d89f213213b7651d95dd33b5f5d66b12ba90eec73e92e80a

SHA512
7b1134aae205678032484c987fc8e7c7b442cf14e342938740d0acef74c3a1dab88773510950094752b576b035dc77ef334c6ac9c5edd2c88f1bf50b44c55a0e

Download Submit
\Windows\SysWOW64\wbem\cimmapp.dll

Filesize
46.0MB

MD5
a38fc484ccd7fd88a5b50ebbc1d256c7

SHA1
0d78d3ce7c95d734b26973e47c96db2177480223

SHA256
957ea818b4798544d89f213213b7651d95dd33b5f5d66b12ba90eec73e92e80a

SHA512
7b1134aae205678032484c987fc8e7c7b442cf14e342938740d0acef74c3a1dab88773510950094752b576b035dc77ef334c6ac9c5edd2c88f1bf50b44c55a0e

Download Submit
memory/108-86-0x0000000000000000-mapping.dmp

Download
memory/280-60-0x0000000000000000-mapping.dmp

Download
memory/468-61-0x0000000000000000-mapping.dmp

Download
memory/684-55-0x0000000000000000-mapping.dmp

Download
memory/828-68-0x0000000000000000-mapping.dmp

Download
memory/876-80-0x0000000000000000-mapping.dmp

Download
memory/900-63-0x0000000000000000-mapping.dmp

Download
memory/908-59-0x0000000000000000-mapping.dmp

Download
memory/1012-62-0x0000000000000000-mapping.dmp

Download
memory/1016-74-0x0000000000000000-mapping.dmp

Download
memory/1032-75-0x0000000000000000-mapping.dmp

Download
memory/1056-72-0x0000000000000000-mapping.dmp

Download
memory/1060-71-0x0000000000000000-mapping.dmp

Download
memory/1232-57-0x0000000000000000-mapping.dmp

Download
memory/1260-64-0x0000000000000000-mapping.dmp

Download
memory/1340-79-0x0000000000000000-mapping.dmp

Download
memory/1408-81-0x0000000000000000-mapping.dmp

Download
memory/1436-87-0x0000000000000000-mapping.dmp

Download
memory/1444-56-0x0000000000000000-mapping.dmp

Download
memory/1468-83-0x0000000000000000-mapping.dmp

Download
memory/1504-82-0x0000000000000000-mapping.dmp

Download
memory/1524-70-0x0000000000000000-mapping.dmp

Download
memory/1572-84-0x0000000000000000-mapping.dmp

Download
memory/1580-73-0x0000000000000000-mapping.dmp

Download
memory/1616-67-0x0000000000000000-mapping.dmp

Download
memory/1624-65-0x0000000000000000-mapping.dmp

Download
memory/1640-76-0x0000000000000000-mapping.dmp

Download
memory/1732-90-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1840-77-0x0000000000000000-mapping.dmp

Download
memory/1844-69-0x0000000000000000-mapping.dmp

Download
memory/1936-85-0x0000000000000000-mapping.dmp

Download
memory/1960-66-0x0000000000000000-mapping.dmp

Download
memory/2032-58-0x0000000000000000-mapping.dmp

Download
memory/2036-78-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads