8bcfa449062c2506a83b284fef5b67614f8e474b771178a4ecee7c9a27039691

General

Target

RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
Size

176KB
MD5

5095f22cbdd7c59303fb7d670c97afa5
SHA1

35712036e76c5215b512f9ddb73321617387a98c
SHA256

79e4ffae8c0d0abd80d090d5f3465855b25955509e78d0ced3eab4cfa6d43015
SHA512

9c4815c773a1b57c1178056fec3063894869b51af02cca52baf94a8ee1644d90a2b7444951979f15ecf90f718ad920353cf21927e754158580e479ea5106c0fc
SSDEEP

3072:5KzHNmI+9MEJRuOmz1C+cSQStd3jUQdW6OTHeOO16ogZrssN6wc+ga0Mhze:5qHByNJGBC+Cqz14TE6dZr5PQ

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1204 cmd.exe

pid	process
1204	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\usrbdvpp.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\usrbdvpp.exe\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE

Suspicious use of SetThreadContext 1 IoCs

Processes:

RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe

description	pid	process	target process
PID 2032 set thread context of 944	2032	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exeRG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exeExplorer.EXE

pid	process
2032	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
2032	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
2032	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
944	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
944	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
1368	Explorer.EXE
1368	Explorer.EXE
1368	Explorer.EXE
1368	Explorer.EXE
1368	Explorer.EXE
1368	Explorer.EXE
1368	Explorer.EXE
1368	Explorer.EXE
1368	Explorer.EXE
1368	Explorer.EXE
1368	Explorer.EXE
1368	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1368 Explorer.EXE

pid	process
1368	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	944	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
Token: SeDebugPrivilege	1368	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1368 Explorer.EXE
1368 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1368 Explorer.EXE
1368 Explorer.EXE

pid	process
1368	Explorer.EXE
1368	Explorer.EXE

pid	process
1368	Explorer.EXE
1368	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe

pid	process
2032	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
2032	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1368 Explorer.EXE

pid	process
1368	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exeRG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exeExplorer.EXE

description	pid	process	target process
PID 2032 wrote to memory of 944	2032	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
PID 2032 wrote to memory of 944	2032	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
PID 2032 wrote to memory of 944	2032	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
PID 2032 wrote to memory of 944	2032	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
PID 2032 wrote to memory of 944	2032	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
PID 2032 wrote to memory of 944	2032	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
PID 2032 wrote to memory of 944	2032	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
PID 2032 wrote to memory of 944	2032	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
PID 2032 wrote to memory of 944	2032	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
PID 2032 wrote to memory of 944	2032	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
PID 944 wrote to memory of 1204	944	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	cmd.exe
PID 944 wrote to memory of 1204	944	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	cmd.exe
PID 944 wrote to memory of 1204	944	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	cmd.exe
PID 944 wrote to memory of 1204	944	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	cmd.exe
PID 944 wrote to memory of 1368	944	RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe	Explorer.EXE
PID 1368 wrote to memory of 1232	1368	Explorer.EXE	taskhost.exe
PID 1368 wrote to memory of 1328	1368	Explorer.EXE	Dwm.exe
PID 1368 wrote to memory of 1204	1368	Explorer.EXE	cmd.exe
PID 1368 wrote to memory of 320	1368	Explorer.EXE	conhost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1368

C:\Users\Admin\AppData\Local\Temp\RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
"C:\Users\Admin\AppData\Local\Temp\RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
C:\Users\Admin\AppData\Local\Temp\RG928200002_2014_november_00000329320.023042490280.0324980000038-0000006.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\MS6374~1.BAT"
4⤵
- Deletes itself
PID:1204

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1328

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "95036919215964192354743884261089658069-1474475517914217601045104048-730833611"
1⤵
PID:320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms6374069.bat
Filesize
201B

MD5
1bbc6555429d4c9e7b50b45fd47d1ff4

SHA1
2f5aa5a0e44ff71811d46588924dc3f737edcd36

SHA256
6db0039bd2cc78673123049b4e4dba494437187044d38e4bb324132a9180d6bf

SHA512
42ff47b51b389d3c33a8c9854b233902728cb73fef05b2c6517ba50e8509107a273d275e1e6c596740e3a86ceb53043d2f8c0076ceec5a51c3a3ea0d0c08ad3a

Download Submit
memory/320-86-0x0000000037AB0000-0x0000000037AC0000-memory.dmp

Filesize
64KB

Download
memory/320-88-0x00000000000A0000-0x00000000000B7000-memory.dmp

Filesize
92KB

Download
memory/944-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/944-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/944-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/944-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/944-64-0x00000000004010C0-mapping.dmp

Download
memory/944-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/944-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/944-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/944-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1204-71-0x0000000000000000-mapping.dmp

Download
memory/1204-81-0x0000000000250000-0x0000000000264000-memory.dmp

Filesize
80KB

Download
memory/1232-80-0x0000000037AB0000-0x0000000037AC0000-memory.dmp

Filesize
64KB

Download
memory/1232-89-0x0000000000490000-0x00000000004A7000-memory.dmp

Filesize
92KB

Download
memory/1328-83-0x0000000037AB0000-0x0000000037AC0000-memory.dmp

Filesize
64KB

Download
memory/1328-91-0x00000000002A0000-0x00000000002B7000-memory.dmp

Filesize
92KB

Download
memory/1368-75-0x0000000037AB0000-0x0000000037AC0000-memory.dmp

Filesize
64KB

Download
memory/1368-72-0x0000000002570000-0x0000000002587000-memory.dmp

Filesize
92KB

Download
memory/1368-90-0x0000000002570000-0x0000000002587000-memory.dmp

Filesize
92KB

Download
memory/1368-92-0x0000000002570000-0x0000000002587000-memory.dmp

Filesize
92KB

Download
memory/1368-93-0x000007FEF6DD0000-0x000007FEF6F13000-memory.dmp

Filesize
1.3MB

Download
memory/1368-94-0x000007FF523A0000-0x000007FF523AA000-memory.dmp

Filesize
40KB

Download
memory/2032-66-0x0000000000350000-0x0000000000354000-memory.dmp

Filesize
16KB

Download
memory/2032-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads