17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff

General

Target

17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe
Size

108KB
MD5

da5a8845b4acd35c05c1ae46b007a79e
SHA1

feebd3b0aa5dcf83b7bd060b71b004b82206322c
SHA256

17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff
SHA512

462397d41f17305bf7b2aacaf7d9aaae0b2fc6c7c3c40e66e19c3b6a2d1d0d6f9c54f8a12e8b018548fa94a01cab76c4acb5f7dc1d9d69e6c442d730201a0e8f
SSDEEP

3072:TD+qrKarOANYdtK8lyXEQ2ylf75+VPgt:TCcSla80X/jlN+VP

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AppMgmt\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmapp.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DmEnrollmentSvc\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmapp.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AppMgmt\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmapp.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Appinfo\Parameters\ServiceDll = "C:\\Windows\\system32\\wbem\\cimmapp.dll"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe

pid process

3212 17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe
Drops file in System32 directory 1 IoCs

Processes:

17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe

description ioc process

File created C:\Windows\SysWOW64\wbem\cimmapp.dll 17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe

pid	process
3212	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe

description	ioc	process
File created	C:\Windows\SysWOW64\wbem\cimmapp.dll	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe

description	pid	process	target process
PID 3212 wrote to memory of 744	3212	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 3212 wrote to memory of 744	3212	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 3212 wrote to memory of 744	3212	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 3212 wrote to memory of 4168	3212	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 3212 wrote to memory of 4168	3212	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 3212 wrote to memory of 4168	3212	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 3212 wrote to memory of 4768	3212	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 3212 wrote to memory of 4768	3212	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 3212 wrote to memory of 4768	3212	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 3212 wrote to memory of 4840	3212	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 3212 wrote to memory of 4840	3212	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 3212 wrote to memory of 4840	3212	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 3212 wrote to memory of 2836	3212	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 3212 wrote to memory of 2836	3212	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 3212 wrote to memory of 2836	3212	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 3212 wrote to memory of 1676	3212	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 3212 wrote to memory of 1676	3212	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 3212 wrote to memory of 1676	3212	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 3212 wrote to memory of 2700	3212	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 3212 wrote to memory of 2700	3212	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe
PID 3212 wrote to memory of 2700	3212	17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe
"C:\Users\Admin\AppData\Local\Temp\17b82874967e1b3bc9989f09a266ce0ccf47ddf4fa30d5da90e63cf8afe1ebff.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3212

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\AppMgmt\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmapp.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:744

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\AppMgmtParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%SystemRoot%\System32\appmgmts.dll" /f
2⤵
PID:4168

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\Appinfo\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmapp.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:4768

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\AppinfoParameters" /v ServiceDll /t REG_EXPAND_SZ /d "%SystemRoot%\System32\appinfo.dll" /f
2⤵
PID:4840

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\AppMgmt\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmapp.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:2836

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\AppMgmtParameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmapp.dll" /f
2⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\DmEnrollmentSvc\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\wbem\cimmapp.dll" /f
2⤵
- Sets DLL path for service in the registry
PID:2700

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:5036

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -p
1⤵
PID:1780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wbem\cimmapp.dll

Filesize
47.6MB

MD5
8f4ae2699daf57847e14d38d0699554d

SHA1
d2052561b1fd796b131e36586cc7abff3dce721e

SHA256
9c40770a23c5e0369d26e8728aac7846aaa51c9cf7548d196583ca9af53fb9fc

SHA512
e304e15c9fe5f65558a31f3c5e8b9039079c2204e52b8339f3c63e5a410582cbed6f1c3cf360f88f85ad53707d1022269ae03375856877f42ad5f70501badd9d

Download Submit
memory/744-133-0x0000000000000000-mapping.dmp

Download
memory/1676-138-0x0000000000000000-mapping.dmp

Download
memory/2700-139-0x0000000000000000-mapping.dmp

Download
memory/2836-137-0x0000000000000000-mapping.dmp

Download
memory/4168-134-0x0000000000000000-mapping.dmp

Download
memory/4768-135-0x0000000000000000-mapping.dmp

Download
memory/4840-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing