adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1

General

Target

adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe
Size

100KB
MD5

83cc0ee62f09a8f63ceea648bb4e70b4
SHA1

d441c6dbfd664f35b48c927f99e1f359acb78c46
SHA256

adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1
SHA512

e14aaf68aaf11a664afeb4e82f792be3a135684ebd72c6a2e1faa99097859aa083c0a445d6eda0d6259c38a8121afdd5b6054147fb12ae28208718d132268f0b
SSDEEP

1536:7ltiiF4A0A/w3FIa0rYkkleP9dHfJyIwoKqZ/eVRuEW11j:hU6D3se1dHhyIw30/Sgj

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	msiexec.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

msiexec.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" msiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msiexec.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1862528627 = "C:\\PROGRA~3\\mszowe.exe"	msiexec.exe

Blocklisted process makes network request 9 IoCs

Processes:

msiexec.exe

flow	pid	process
2	520	msiexec.exe
3	520	msiexec.exe
4	520	msiexec.exe
6	520	msiexec.exe
7	520	msiexec.exe
8	520	msiexec.exe
9	520	msiexec.exe
11	520	msiexec.exe
13	520	msiexec.exe

Disables taskbar notifications via registry modification
evasion

Suspicious use of SetThreadContext 1 IoCs

Processes:

adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe

description	pid	process	target process
PID 976 set thread context of 780	976	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe

Drops file in Program Files directory 1 IoCs

Processes:

msiexec.exe

description ioc process

File opened for modification C:\PROGRA~3\mszowe.exe msiexec.exe

description	ioc	process
File opened for modification	C:\PROGRA~3\mszowe.exe	msiexec.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exeadf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exemsiexec.exe

pid	process
976	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe
976	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe
780	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe
520	msiexec.exe
520	msiexec.exe

Suspicious behavior: MapViewOfSection 24 IoCs

Processes:

adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exemsiexec.exe

pid	process
780	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe
780	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe
520	msiexec.exe
520	msiexec.exe
520	msiexec.exe
520	msiexec.exe
520	msiexec.exe
520	msiexec.exe
520	msiexec.exe
520	msiexec.exe
520	msiexec.exe
520	msiexec.exe
520	msiexec.exe
520	msiexec.exe
520	msiexec.exe
520	msiexec.exe
520	msiexec.exe
520	msiexec.exe
520	msiexec.exe
520	msiexec.exe
520	msiexec.exe
520	msiexec.exe
520	msiexec.exe
520	msiexec.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

msiexec.exe

pid process

520 msiexec.exe

pid	process
520	msiexec.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	780	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe
Token: SeBackupPrivilege	780	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe
Token: SeRestorePrivilege	780	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe
Token: SeDebugPrivilege	520	msiexec.exe
Token: SeBackupPrivilege	520	msiexec.exe
Token: SeRestorePrivilege	520	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exeadf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe

description	pid	process	target process
PID 976 wrote to memory of 780	976	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe
PID 976 wrote to memory of 780	976	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe
PID 976 wrote to memory of 780	976	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe
PID 976 wrote to memory of 780	976	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe
PID 976 wrote to memory of 780	976	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe
PID 976 wrote to memory of 780	976	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe
PID 976 wrote to memory of 780	976	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe
PID 976 wrote to memory of 780	976	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe
PID 780 wrote to memory of 520	780	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe	msiexec.exe
PID 780 wrote to memory of 520	780	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe	msiexec.exe
PID 780 wrote to memory of 520	780	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe	msiexec.exe
PID 780 wrote to memory of 520	780	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe	msiexec.exe
PID 780 wrote to memory of 520	780	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe	msiexec.exe
PID 780 wrote to memory of 520	780	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe	msiexec.exe
PID 780 wrote to memory of 520	780	adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe
"C:\Users\Admin\AppData\Local\Temp\adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:976

C:\Users\Admin\AppData\Local\Temp\adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe
"C:\Users\Admin\AppData\Local\Temp\adf35e12461a9da48969ed7ac4b0e3198012c0ae266ff4685aacfdb0966a5bc1.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Adds policy Run key to start application
- Blocklisted process makes network request
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/520-63-0x0000000000000000-mapping.dmp

Download
memory/520-66-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/520-67-0x000000007EF90000-0x000000007EF96000-memory.dmp

Filesize
24KB

Download
memory/780-56-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/780-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/780-57-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/780-60-0x00000000004016C3-mapping.dmp

Download
memory/780-59-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/780-65-0x000000007EF90000-0x000000007EF96000-memory.dmp

Filesize
24KB

Download
memory/976-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/976-61-0x0000000000220000-0x0000000000225000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads