292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306

General

Target

292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe
Size

186KB
MD5

e37df4d6ab79c1d785e4883cb2e16788
SHA1

009cbcab2c799d9d08a391861d7747bf2625da8a
SHA256

292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306
SHA512

a9eead45002a2e6643534887e2fe9ff117cb0f0f498ac8d7b0e4e4a7c524ace52bbef65c3cd700a98197279cae34924ee3bf9bd279e2882f42ab0b1c029a66c0
SSDEEP

3072:ON+fbmcn+DPc4x4wSzHQBSrhnGZq9WodVsSCPy2Ddwln5IR:c+fbV+ZxLSzzJGZ0sSyy5I

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\32593 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\mszwkybo.scr"	svchost.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	AppLaunch.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe

description	pid	process	target process
PID 1668 set thread context of 3836	1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	AppLaunch.exe

Drops file in Program Files directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\PROGRA~3\LOCALS~1\Temp\mszwkybo.scr svchost.exe
Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe svchost.exe

description	ioc	process
File created	C:\PROGRA~3\LOCALS~1\Temp\mszwkybo.scr	svchost.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

AppLaunch.exe292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe

pid	process
3836	AppLaunch.exe
3836	AppLaunch.exe
1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe
1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe
1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe
1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe
1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe
1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe
1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe
1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe
1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe
1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe
1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe
1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe
1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

AppLaunch.exe

pid process

3836 AppLaunch.exe
3836 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe

description pid process

Token: SeDebugPrivilege 1668 292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe

description	pid	process
Token: SeDebugPrivilege	1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exeAppLaunch.exe

description	pid	process	target process
PID 1668 wrote to memory of 2388	1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	CMD.exe
PID 1668 wrote to memory of 2388	1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	CMD.exe
PID 1668 wrote to memory of 2388	1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	CMD.exe
PID 1668 wrote to memory of 3184	1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	CMD.exe
PID 1668 wrote to memory of 3184	1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	CMD.exe
PID 1668 wrote to memory of 3184	1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	CMD.exe
PID 1668 wrote to memory of 3836	1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	AppLaunch.exe
PID 1668 wrote to memory of 3836	1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	AppLaunch.exe
PID 1668 wrote to memory of 3836	1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	AppLaunch.exe
PID 1668 wrote to memory of 3836	1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	AppLaunch.exe
PID 1668 wrote to memory of 3836	1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	AppLaunch.exe
PID 1668 wrote to memory of 3836	1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	AppLaunch.exe
PID 3836 wrote to memory of 3572	3836	AppLaunch.exe	svchost.exe
PID 3836 wrote to memory of 3572	3836	AppLaunch.exe	svchost.exe
PID 3836 wrote to memory of 3572	3836	AppLaunch.exe	svchost.exe
PID 1668 wrote to memory of 2540	1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 1668 wrote to memory of 2540	1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 1668 wrote to memory of 1544	1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 1668 wrote to memory of 1544	1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 1668 wrote to memory of 1660	1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 1668 wrote to memory of 1660	1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 1668 wrote to memory of 3172	1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 1668 wrote to memory of 3172	1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 1668 wrote to memory of 4812	1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 1668 wrote to memory of 4812	1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 1668 wrote to memory of 1192	1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe
PID 1668 wrote to memory of 1192	1668	292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe
"C:\Users\Admin\AppData\Local\Temp\292a611fb6fdcf397ca67d2d35a541c8427f480a9b468f640306e00ad6912306.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\CMD.exe
"CMD"
2⤵
PID:2388

C:\Windows\SysWOW64\CMD.exe
"CMD"
2⤵
PID:3184

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\\AppLaunch.exe"
2⤵
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\SysWOW64\svchost.exe
C:\Windows\syswow64\svchost.exe
3⤵
- Adds policy Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3572

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:2540

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:1544

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:1660

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:3172

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:4812

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:1192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1192-147-0x0000000000000000-mapping.dmp

Download
memory/1544-143-0x0000000000000000-mapping.dmp

Download
memory/1660-144-0x0000000000000000-mapping.dmp

Download
memory/1668-133-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/1668-148-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/1668-132-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/2388-134-0x0000000000000000-mapping.dmp

Download
memory/2540-142-0x0000000000000000-mapping.dmp

Download
memory/3172-145-0x0000000000000000-mapping.dmp

Download
memory/3184-135-0x0000000000000000-mapping.dmp

Download
memory/3572-140-0x0000000000AE0000-0x0000000000AE5000-memory.dmp

Filesize
20KB

Download
memory/3572-141-0x0000000000AE0000-0x0000000000AE5000-memory.dmp

Filesize
20KB

Download
memory/3572-139-0x0000000000260000-0x000000000026E000-memory.dmp

Filesize
56KB

Download
memory/3572-138-0x0000000000000000-mapping.dmp

Download
memory/3836-137-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3836-136-0x0000000000000000-mapping.dmp

Download
memory/4812-146-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads