16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426

General

Target

16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe
Size

282KB
MD5

572540a337ad063e789274532cbe9132
SHA1

1f36c5c0ce67f9fe9dd1cd716ab4e6058734955d
SHA256

16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426
SHA512

24810cc3a63153a5839c2d7e1de4b9f9d51a8f19363482f8a716d34c5f6e21e11a54abf6e17935c0a06d92e82afc07a053c52416052f09fd5e5745fcf8d9abfa
SSDEEP

6144:62DRZVcMcpBrucMhrndQqAgKnef8AnA3n/LbFP1Z3s9B7txu8udmSr/:6cguRT1gRN1tsPBHSr

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

928 cmd.exe

pid	process
928	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypbkryye.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\ypbkryye.exe\""	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exeExplorer.EXE

pid	process
1940	16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe
1940	16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe
1284	Explorer.EXE
1284	Explorer.EXE
1284	Explorer.EXE
1284	Explorer.EXE
1284	Explorer.EXE
1284	Explorer.EXE
1284	Explorer.EXE
1284	Explorer.EXE
1284	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1940	16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe
Token: SeDebugPrivilege	1284	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
1284 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
1284 Explorer.EXE

pid	process
1284	Explorer.EXE
1284	Explorer.EXE

pid	process
1284	Explorer.EXE
1284	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exeExplorer.EXE

description	pid	process	target process
PID 1940 wrote to memory of 928	1940	16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe	cmd.exe
PID 1940 wrote to memory of 928	1940	16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe	cmd.exe
PID 1940 wrote to memory of 928	1940	16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe	cmd.exe
PID 1940 wrote to memory of 928	1940	16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe	cmd.exe
PID 1940 wrote to memory of 1284	1940	16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe	Explorer.EXE
PID 1284 wrote to memory of 1160	1284	Explorer.EXE	taskhost.exe
PID 1284 wrote to memory of 1232	1284	Explorer.EXE	Dwm.exe
PID 1284 wrote to memory of 928	1284	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe
"C:\Users\Admin\AppData\Local\Temp\16dd30bc3187e0027b35c468a4838a4db135ac28aed4d0e4eb5aeaa0530e7426.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS3962~1.BAT"
3⤵
- Deletes itself
PID:928

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1232

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms3962763.bat

Filesize
201B

MD5
f13612a93bbb2898dbe59233810d13e8

SHA1
9823f4972c6323c83f4c84884ee142d98fb98dca

SHA256
27374ab3591b93567ff6dfd8b15a432dcae80e370d5690b5f8b379e9562ebe46

SHA512
729519ed49d956182fd71ee3aff04e22fcb4a69616d0777e1f4e1f1e89f83aeb98b026b2f342c96fe354b7152366f0225e4205f51a34e434151f5de0dbecb595

Download Submit
memory/928-57-0x0000000000000000-mapping.dmp

Download
memory/1160-66-0x0000000036D50000-0x0000000036D60000-memory.dmp

Filesize
64KB

Download
memory/1160-71-0x0000000000450000-0x0000000000467000-memory.dmp

Filesize
92KB

Download
memory/1232-70-0x0000000036D50000-0x0000000036D60000-memory.dmp

Filesize
64KB

Download
memory/1232-72-0x0000000001D40000-0x0000000001D57000-memory.dmp

Filesize
92KB

Download
memory/1284-58-0x0000000002950000-0x0000000002967000-memory.dmp

Filesize
92KB

Download
memory/1284-62-0x0000000036D50000-0x0000000036D60000-memory.dmp

Filesize
64KB

Download
memory/1284-73-0x0000000002950000-0x0000000002967000-memory.dmp

Filesize
92KB

Download
memory/1940-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1940-60-0x0000000000090000-0x000000000009E000-memory.dmp

Filesize
56KB

Download
memory/1940-61-0x0000000000960000-0x00000000009AD000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads