ba8c11ce14def85cbc2e8a7fdb9caae477bcf736e28fc616fd239eb33f0e925e

General

Target

ba8c11ce14def85cbc2e8a7fdb9caae477bcf736e28fc616fd239eb33f0e925e.exe
Size

75KB
MD5

d363188dc492fb8909b46753e0e6aa9b
SHA1

bb6949630b5141dce2a9c679d052a2e1e85cd171
SHA256

ba8c11ce14def85cbc2e8a7fdb9caae477bcf736e28fc616fd239eb33f0e925e
SHA512

08683e2ef9086139264a653c8f1cf5d0b2adc9e12080232b1882ed69c8575e16ac8c894cf2ef0cc8735b93dfc136e2803ec5d5cb4d4c102711ab88b4815682ee
SSDEEP

1536:6uWi5q5d7rKY61sZxLo+WtYKBjNOvc5KEsh:b1c5dCY6iZhorOk59sh

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1080 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1392 cmd.exe
1392 cmd.exe

pid	process
1080	svchost.exe

pid	process
1392	cmd.exe
1392	cmd.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exeregini.exeregini.exeregini.exeregini.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\x86kernel2 = "c:\\users\\admin\\appdata\\roaming\\15273665\\svchost.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	regini.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	regini.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\x86kernel2 = "c:\\users\\admin\\appdata\\roaming\\15273665\\svchost.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	regini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	regini.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1716 sc.exe
Runs net.exe

pid	process
1716	sc.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

ba8c11ce14def85cbc2e8a7fdb9caae477bcf736e28fc616fd239eb33f0e925e.execmd.execmd.execmd.exesvchost.exenet.exe

description	pid	process	target process
PID 472 wrote to memory of 1500	472	ba8c11ce14def85cbc2e8a7fdb9caae477bcf736e28fc616fd239eb33f0e925e.exe	cmd.exe
PID 472 wrote to memory of 1500	472	ba8c11ce14def85cbc2e8a7fdb9caae477bcf736e28fc616fd239eb33f0e925e.exe	cmd.exe
PID 472 wrote to memory of 1500	472	ba8c11ce14def85cbc2e8a7fdb9caae477bcf736e28fc616fd239eb33f0e925e.exe	cmd.exe
PID 472 wrote to memory of 1500	472	ba8c11ce14def85cbc2e8a7fdb9caae477bcf736e28fc616fd239eb33f0e925e.exe	cmd.exe
PID 1500 wrote to memory of 1328	1500	cmd.exe	cmd.exe
PID 1500 wrote to memory of 1328	1500	cmd.exe	cmd.exe
PID 1500 wrote to memory of 1328	1500	cmd.exe	cmd.exe
PID 1500 wrote to memory of 1328	1500	cmd.exe	cmd.exe
PID 1500 wrote to memory of 912	1500	cmd.exe	cacls.exe
PID 1500 wrote to memory of 912	1500	cmd.exe	cacls.exe
PID 1500 wrote to memory of 912	1500	cmd.exe	cacls.exe
PID 1500 wrote to memory of 912	1500	cmd.exe	cacls.exe
PID 472 wrote to memory of 648	472	ba8c11ce14def85cbc2e8a7fdb9caae477bcf736e28fc616fd239eb33f0e925e.exe	cmd.exe
PID 472 wrote to memory of 648	472	ba8c11ce14def85cbc2e8a7fdb9caae477bcf736e28fc616fd239eb33f0e925e.exe	cmd.exe
PID 472 wrote to memory of 648	472	ba8c11ce14def85cbc2e8a7fdb9caae477bcf736e28fc616fd239eb33f0e925e.exe	cmd.exe
PID 472 wrote to memory of 648	472	ba8c11ce14def85cbc2e8a7fdb9caae477bcf736e28fc616fd239eb33f0e925e.exe	cmd.exe
PID 648 wrote to memory of 1756	648	cmd.exe	cmd.exe
PID 648 wrote to memory of 1756	648	cmd.exe	cmd.exe
PID 648 wrote to memory of 1756	648	cmd.exe	cmd.exe
PID 648 wrote to memory of 1756	648	cmd.exe	cmd.exe
PID 648 wrote to memory of 1868	648	cmd.exe	cacls.exe
PID 648 wrote to memory of 1868	648	cmd.exe	cacls.exe
PID 648 wrote to memory of 1868	648	cmd.exe	cacls.exe
PID 648 wrote to memory of 1868	648	cmd.exe	cacls.exe
PID 472 wrote to memory of 1392	472	ba8c11ce14def85cbc2e8a7fdb9caae477bcf736e28fc616fd239eb33f0e925e.exe	cmd.exe
PID 472 wrote to memory of 1392	472	ba8c11ce14def85cbc2e8a7fdb9caae477bcf736e28fc616fd239eb33f0e925e.exe	cmd.exe
PID 472 wrote to memory of 1392	472	ba8c11ce14def85cbc2e8a7fdb9caae477bcf736e28fc616fd239eb33f0e925e.exe	cmd.exe
PID 472 wrote to memory of 1392	472	ba8c11ce14def85cbc2e8a7fdb9caae477bcf736e28fc616fd239eb33f0e925e.exe	cmd.exe
PID 1392 wrote to memory of 1080	1392	cmd.exe	svchost.exe
PID 1392 wrote to memory of 1080	1392	cmd.exe	svchost.exe
PID 1392 wrote to memory of 1080	1392	cmd.exe	svchost.exe
PID 1392 wrote to memory of 1080	1392	cmd.exe	svchost.exe
PID 1080 wrote to memory of 1528	1080	svchost.exe	regini.exe
PID 1080 wrote to memory of 1528	1080	svchost.exe	regini.exe
PID 1080 wrote to memory of 1528	1080	svchost.exe	regini.exe
PID 1080 wrote to memory of 1528	1080	svchost.exe	regini.exe
PID 1080 wrote to memory of 1672	1080	svchost.exe	net.exe
PID 1080 wrote to memory of 1672	1080	svchost.exe	net.exe
PID 1080 wrote to memory of 1672	1080	svchost.exe	net.exe
PID 1080 wrote to memory of 1672	1080	svchost.exe	net.exe
PID 1080 wrote to memory of 1716	1080	svchost.exe	sc.exe
PID 1080 wrote to memory of 1716	1080	svchost.exe	sc.exe
PID 1080 wrote to memory of 1716	1080	svchost.exe	sc.exe
PID 1080 wrote to memory of 1716	1080	svchost.exe	sc.exe
PID 1080 wrote to memory of 112	1080	svchost.exe	regini.exe
PID 1080 wrote to memory of 112	1080	svchost.exe	regini.exe
PID 1080 wrote to memory of 112	1080	svchost.exe	regini.exe
PID 1080 wrote to memory of 112	1080	svchost.exe	regini.exe
PID 1672 wrote to memory of 1764	1672	net.exe	net1.exe
PID 1672 wrote to memory of 1764	1672	net.exe	net1.exe
PID 1672 wrote to memory of 1764	1672	net.exe	net1.exe
PID 1672 wrote to memory of 1764	1672	net.exe	net1.exe
PID 1080 wrote to memory of 276	1080	svchost.exe	regini.exe
PID 1080 wrote to memory of 276	1080	svchost.exe	regini.exe
PID 1080 wrote to memory of 276	1080	svchost.exe	regini.exe
PID 1080 wrote to memory of 276	1080	svchost.exe	regini.exe
PID 1080 wrote to memory of 1140	1080	svchost.exe	regini.exe
PID 1080 wrote to memory of 1140	1080	svchost.exe	regini.exe
PID 1080 wrote to memory of 1140	1080	svchost.exe	regini.exe
PID 1080 wrote to memory of 1140	1080	svchost.exe	regini.exe

C:\Users\Admin\AppData\Local\Temp\ba8c11ce14def85cbc2e8a7fdb9caae477bcf736e28fc616fd239eb33f0e925e.exe
"C:\Users\Admin\AppData\Local\Temp\ba8c11ce14def85cbc2e8a7fdb9caae477bcf736e28fc616fd239eb33f0e925e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\SysWOW64\cmd.exe
cmd /c echo Y|CACLS "c:\users\admin\appdata\roaming\15273665\svchost.exe" /P "Admin:R"
2⤵
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1328

C:\Windows\SysWOW64\cacls.exe
CACLS "c:\users\admin\appdata\roaming\15273665\svchost.exe" /P "Admin:R"
3⤵
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd /c echo Y|CACLS "c:\users\admin\appdata\roaming\15273665" /P "Admin:R"
2⤵
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1756

C:\Windows\SysWOW64\cacls.exe
CACLS "c:\users\admin\appdata\roaming\15273665" /P "Admin:R"
3⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\15273665\svchost.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Roaming\15273665\svchost.exe
C:\Users\Admin\AppData\Roaming\15273665\svchost.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\regini.exe
regini per
4⤵
- Adds Run key to start application
PID:1528

C:\Windows\SysWOW64\net.exe
net stop MpsSvc
4⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
5⤵
PID:1764

C:\Windows\SysWOW64\sc.exe
sc config MpsSvc start= disabled
4⤵
- Launches sc.exe
PID:1716

C:\Windows\SysWOW64\regini.exe
regini perper
4⤵
- Adds Run key to start application
PID:112

C:\Windows\SysWOW64\regini.exe
regini perperper
4⤵
- Adds Run key to start application
PID:276

C:\Windows\SysWOW64\regini.exe
regini perperperper
4⤵
- Adds Run key to start application
PID:1140

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\per
Filesize
67B

MD5
e4bcd320585af9f77671cc6e91fe9de6

SHA1
15f12439eb3e133affb37b29e41e57d89fc90e06

SHA256
a1e0f5a9cfc9615222f04e65455c7c4c1ba86710275afffd472428a293c31ec8

SHA512
00497885531c0b84fe869828e5f2c0631f2f175f961c62175736487ae703252ba7393f882ffe99d8c4bcdb951172e35daa9ca41f45e64ce97fbae7721b25c112

Download Submit
C:\Users\Admin\AppData\Local\Temp\perper
Filesize
67B

MD5
58b2f90cc0182925ae0bab51700b14ab

SHA1
d2975adeb8dc68f2f5e10edee524de78e79828db

SHA256
8114822fe9a58e5ba08abb480dd595109c66a49d9afc404f85843915694c2964

SHA512
de6154d3d44c7e332f5cf1f3b1e4f20612ecd37f08fa60382ecc5008af2d9a55216357d6927e706fd2ef60b772e7941631fdfe9b1d615e5264e99cffe59ad782

Download Submit
C:\Users\Admin\AppData\Local\Temp\perperper
Filesize
68B

MD5
77612e763aacc6671e0c81713b419a41

SHA1
99c986a0e3bc15532bbca5a18ff90de93fefe7fc

SHA256
08f53032b63ada0a816ab77088624bef24a5451b7c7e0de05f958e5bd4e6977b

SHA512
99f94d1016eb7bff8deed9eb68c6d26756b2b02a30c4aa5dcc111429e0117acfbc15d7f4119fe06abead5039ee241afc1e6756d2e2250a08fcc818a50598b6cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\perperperper
Filesize
68B

MD5
a6585d9cf9d692905da3ed6c1b9dd4c1

SHA1
166b3aece6d5a7d172acd0a1327af9265a5bf5d4

SHA256
50a38aee5de374bab740c163c3debc500041a2ee3aad01d466347eecf2540015

SHA512
a402fcebe80023edc9322adeecc89b8df845a80061008c26b890e33636869817460b57a326ee65dcd2bd7275933f9407be96aba7bfeae17530b55985ad00c65c

Download Submit
C:\Users\Admin\AppData\Roaming\15273665\svchost.exe
Filesize
75KB

MD5
d363188dc492fb8909b46753e0e6aa9b

SHA1
bb6949630b5141dce2a9c679d052a2e1e85cd171

SHA256
ba8c11ce14def85cbc2e8a7fdb9caae477bcf736e28fc616fd239eb33f0e925e

SHA512
08683e2ef9086139264a653c8f1cf5d0b2adc9e12080232b1882ed69c8575e16ac8c894cf2ef0cc8735b93dfc136e2803ec5d5cb4d4c102711ab88b4815682ee

Download Submit
\??\c:\users\admin\appdata\roaming\15273665\svchost.exe
Filesize
75KB

MD5
d363188dc492fb8909b46753e0e6aa9b

SHA1
bb6949630b5141dce2a9c679d052a2e1e85cd171

SHA256
ba8c11ce14def85cbc2e8a7fdb9caae477bcf736e28fc616fd239eb33f0e925e

SHA512
08683e2ef9086139264a653c8f1cf5d0b2adc9e12080232b1882ed69c8575e16ac8c894cf2ef0cc8735b93dfc136e2803ec5d5cb4d4c102711ab88b4815682ee

Download Submit
\Users\Admin\AppData\Roaming\15273665\svchost.exe
Filesize
75KB

MD5
d363188dc492fb8909b46753e0e6aa9b

SHA1
bb6949630b5141dce2a9c679d052a2e1e85cd171

SHA256
ba8c11ce14def85cbc2e8a7fdb9caae477bcf736e28fc616fd239eb33f0e925e

SHA512
08683e2ef9086139264a653c8f1cf5d0b2adc9e12080232b1882ed69c8575e16ac8c894cf2ef0cc8735b93dfc136e2803ec5d5cb4d4c102711ab88b4815682ee

Download Submit
\Users\Admin\AppData\Roaming\15273665\svchost.exe
Filesize
75KB

MD5
d363188dc492fb8909b46753e0e6aa9b

SHA1
bb6949630b5141dce2a9c679d052a2e1e85cd171

SHA256
ba8c11ce14def85cbc2e8a7fdb9caae477bcf736e28fc616fd239eb33f0e925e

SHA512
08683e2ef9086139264a653c8f1cf5d0b2adc9e12080232b1882ed69c8575e16ac8c894cf2ef0cc8735b93dfc136e2803ec5d5cb4d4c102711ab88b4815682ee

Download Submit
memory/112-72-0x0000000000000000-mapping.dmp

Download
memory/276-75-0x0000000000000000-mapping.dmp

Download
memory/472-54-0x00000000767C1000-0x00000000767C3000-memory.dmp

Filesize
8KB

Download
memory/648-59-0x0000000000000000-mapping.dmp

Download
memory/912-57-0x0000000000000000-mapping.dmp

Download
memory/1080-65-0x0000000000000000-mapping.dmp

Download
memory/1140-77-0x0000000000000000-mapping.dmp

Download
memory/1328-56-0x0000000000000000-mapping.dmp

Download
memory/1392-62-0x0000000000000000-mapping.dmp

Download
memory/1500-55-0x0000000000000000-mapping.dmp

Download
memory/1528-68-0x0000000000000000-mapping.dmp

Download
memory/1672-69-0x0000000000000000-mapping.dmp

Download
memory/1716-70-0x0000000000000000-mapping.dmp

Download
memory/1756-60-0x0000000000000000-mapping.dmp

Download
memory/1764-73-0x0000000000000000-mapping.dmp

Download
memory/1868-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing