77998d6e1369d8666340525d9fb941b93fe5cfb6c02a045d78f736ae57aac56c

General

Target

77998d6e1369d8666340525d9fb941b93fe5cfb6c02a045d78f736ae57aac56c.exe
Size

76KB
MD5

c80f556153f4798901692cce450bbb60
SHA1

ceffdae200685c6cc6e9f0a71748346e157e86b0
SHA256

77998d6e1369d8666340525d9fb941b93fe5cfb6c02a045d78f736ae57aac56c
SHA512

1e4e7a88e5fe217e3c5e80415d11203a192db43814feee4b2d53b107d9047dd37ec491195776ea400ecb92723c464c4d02cac2430c8ea552b5697cd08bc50c4c
SSDEEP

768:nu17djCLTWQ+LMmdjjQ4hsMg8jfVjIbdu+KdoJzc5XvHFcoIPwHCO1XSBcb9KEsh:nuzCveYzsFZmboCq5ahO+c5KEsh

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1784 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

596 cmd.exe
596 cmd.exe

pid	process
1784	svchost.exe

pid	process
596	cmd.exe
596	cmd.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

regini.exeregini.exesvchost.exeregini.exeregini.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	regini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	regini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\x86kernel2 = "c:\\users\\admin\\appdata\\roaming\\73339737\\svchost.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	regini.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	regini.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\x86kernel2 = "c:\\users\\admin\\appdata\\roaming\\73339737\\svchost.exe"	svchost.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1112 sc.exe
Runs net.exe

pid	process
1112	sc.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

77998d6e1369d8666340525d9fb941b93fe5cfb6c02a045d78f736ae57aac56c.execmd.execmd.execmd.exesvchost.exenet.exe

description	pid	process	target process
PID 1632 wrote to memory of 1320	1632	77998d6e1369d8666340525d9fb941b93fe5cfb6c02a045d78f736ae57aac56c.exe	cmd.exe
PID 1632 wrote to memory of 1320	1632	77998d6e1369d8666340525d9fb941b93fe5cfb6c02a045d78f736ae57aac56c.exe	cmd.exe
PID 1632 wrote to memory of 1320	1632	77998d6e1369d8666340525d9fb941b93fe5cfb6c02a045d78f736ae57aac56c.exe	cmd.exe
PID 1632 wrote to memory of 1320	1632	77998d6e1369d8666340525d9fb941b93fe5cfb6c02a045d78f736ae57aac56c.exe	cmd.exe
PID 1320 wrote to memory of 952	1320	cmd.exe	cmd.exe
PID 1320 wrote to memory of 952	1320	cmd.exe	cmd.exe
PID 1320 wrote to memory of 952	1320	cmd.exe	cmd.exe
PID 1320 wrote to memory of 952	1320	cmd.exe	cmd.exe
PID 1320 wrote to memory of 1220	1320	cmd.exe	cacls.exe
PID 1320 wrote to memory of 1220	1320	cmd.exe	cacls.exe
PID 1320 wrote to memory of 1220	1320	cmd.exe	cacls.exe
PID 1320 wrote to memory of 1220	1320	cmd.exe	cacls.exe
PID 1632 wrote to memory of 1828	1632	77998d6e1369d8666340525d9fb941b93fe5cfb6c02a045d78f736ae57aac56c.exe	cmd.exe
PID 1632 wrote to memory of 1828	1632	77998d6e1369d8666340525d9fb941b93fe5cfb6c02a045d78f736ae57aac56c.exe	cmd.exe
PID 1632 wrote to memory of 1828	1632	77998d6e1369d8666340525d9fb941b93fe5cfb6c02a045d78f736ae57aac56c.exe	cmd.exe
PID 1632 wrote to memory of 1828	1632	77998d6e1369d8666340525d9fb941b93fe5cfb6c02a045d78f736ae57aac56c.exe	cmd.exe
PID 1828 wrote to memory of 1836	1828	cmd.exe	cmd.exe
PID 1828 wrote to memory of 1836	1828	cmd.exe	cmd.exe
PID 1828 wrote to memory of 1836	1828	cmd.exe	cmd.exe
PID 1828 wrote to memory of 1836	1828	cmd.exe	cmd.exe
PID 1828 wrote to memory of 288	1828	cmd.exe	cacls.exe
PID 1828 wrote to memory of 288	1828	cmd.exe	cacls.exe
PID 1828 wrote to memory of 288	1828	cmd.exe	cacls.exe
PID 1828 wrote to memory of 288	1828	cmd.exe	cacls.exe
PID 1632 wrote to memory of 596	1632	77998d6e1369d8666340525d9fb941b93fe5cfb6c02a045d78f736ae57aac56c.exe	cmd.exe
PID 1632 wrote to memory of 596	1632	77998d6e1369d8666340525d9fb941b93fe5cfb6c02a045d78f736ae57aac56c.exe	cmd.exe
PID 1632 wrote to memory of 596	1632	77998d6e1369d8666340525d9fb941b93fe5cfb6c02a045d78f736ae57aac56c.exe	cmd.exe
PID 1632 wrote to memory of 596	1632	77998d6e1369d8666340525d9fb941b93fe5cfb6c02a045d78f736ae57aac56c.exe	cmd.exe
PID 596 wrote to memory of 1784	596	cmd.exe	svchost.exe
PID 596 wrote to memory of 1784	596	cmd.exe	svchost.exe
PID 596 wrote to memory of 1784	596	cmd.exe	svchost.exe
PID 596 wrote to memory of 1784	596	cmd.exe	svchost.exe
PID 1784 wrote to memory of 616	1784	svchost.exe	regini.exe
PID 1784 wrote to memory of 616	1784	svchost.exe	regini.exe
PID 1784 wrote to memory of 616	1784	svchost.exe	regini.exe
PID 1784 wrote to memory of 616	1784	svchost.exe	regini.exe
PID 1784 wrote to memory of 520	1784	svchost.exe	net.exe
PID 1784 wrote to memory of 520	1784	svchost.exe	net.exe
PID 1784 wrote to memory of 520	1784	svchost.exe	net.exe
PID 1784 wrote to memory of 520	1784	svchost.exe	net.exe
PID 1784 wrote to memory of 1112	1784	svchost.exe	sc.exe
PID 1784 wrote to memory of 1112	1784	svchost.exe	sc.exe
PID 1784 wrote to memory of 1112	1784	svchost.exe	sc.exe
PID 1784 wrote to memory of 1112	1784	svchost.exe	sc.exe
PID 1784 wrote to memory of 760	1784	svchost.exe	regini.exe
PID 1784 wrote to memory of 760	1784	svchost.exe	regini.exe
PID 1784 wrote to memory of 760	1784	svchost.exe	regini.exe
PID 1784 wrote to memory of 760	1784	svchost.exe	regini.exe
PID 1784 wrote to memory of 1772	1784	svchost.exe	regini.exe
PID 1784 wrote to memory of 1772	1784	svchost.exe	regini.exe
PID 1784 wrote to memory of 1772	1784	svchost.exe	regini.exe
PID 1784 wrote to memory of 1772	1784	svchost.exe	regini.exe
PID 1784 wrote to memory of 2008	1784	svchost.exe	regini.exe
PID 1784 wrote to memory of 2008	1784	svchost.exe	regini.exe
PID 1784 wrote to memory of 2008	1784	svchost.exe	regini.exe
PID 1784 wrote to memory of 2008	1784	svchost.exe	regini.exe
PID 520 wrote to memory of 436	520	net.exe	net1.exe
PID 520 wrote to memory of 436	520	net.exe	net1.exe
PID 520 wrote to memory of 436	520	net.exe	net1.exe
PID 520 wrote to memory of 436	520	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\77998d6e1369d8666340525d9fb941b93fe5cfb6c02a045d78f736ae57aac56c.exe
"C:\Users\Admin\AppData\Local\Temp\77998d6e1369d8666340525d9fb941b93fe5cfb6c02a045d78f736ae57aac56c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\cmd.exe
cmd /c echo Y|CACLS "c:\users\admin\appdata\roaming\73339737\svchost.exe" /P "Admin:R"
2⤵
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:952

C:\Windows\SysWOW64\cacls.exe
CACLS "c:\users\admin\appdata\roaming\73339737\svchost.exe" /P "Admin:R"
3⤵
PID:1220

C:\Windows\SysWOW64\cmd.exe
cmd /c echo Y|CACLS "c:\users\admin\appdata\roaming\73339737" /P "Admin:R"
2⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1836

C:\Windows\SysWOW64\cacls.exe
CACLS "c:\users\admin\appdata\roaming\73339737" /P "Admin:R"
3⤵
PID:288

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\73339737\svchost.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:596

C:\Users\Admin\AppData\Roaming\73339737\svchost.exe
C:\Users\Admin\AppData\Roaming\73339737\svchost.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\net.exe
net stop MpsSvc
4⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
5⤵
PID:436

C:\Windows\SysWOW64\regini.exe
regini per
4⤵
- Adds Run key to start application
PID:616

C:\Windows\SysWOW64\sc.exe
sc config MpsSvc start= disabled
4⤵
- Launches sc.exe
PID:1112

C:\Windows\SysWOW64\regini.exe
regini perper
4⤵
- Adds Run key to start application
PID:760

C:\Windows\SysWOW64\regini.exe
regini perperper
4⤵
- Adds Run key to start application
PID:1772

C:\Windows\SysWOW64\regini.exe
regini perperperper
4⤵
- Adds Run key to start application
PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\per
Filesize
68B

MD5
77612e763aacc6671e0c81713b419a41

SHA1
99c986a0e3bc15532bbca5a18ff90de93fefe7fc

SHA256
08f53032b63ada0a816ab77088624bef24a5451b7c7e0de05f958e5bd4e6977b

SHA512
99f94d1016eb7bff8deed9eb68c6d26756b2b02a30c4aa5dcc111429e0117acfbc15d7f4119fe06abead5039ee241afc1e6756d2e2250a08fcc818a50598b6cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\perper
Filesize
68B

MD5
a6585d9cf9d692905da3ed6c1b9dd4c1

SHA1
166b3aece6d5a7d172acd0a1327af9265a5bf5d4

SHA256
50a38aee5de374bab740c163c3debc500041a2ee3aad01d466347eecf2540015

SHA512
a402fcebe80023edc9322adeecc89b8df845a80061008c26b890e33636869817460b57a326ee65dcd2bd7275933f9407be96aba7bfeae17530b55985ad00c65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\perperper
Filesize
67B

MD5
e4bcd320585af9f77671cc6e91fe9de6

SHA1
15f12439eb3e133affb37b29e41e57d89fc90e06

SHA256
a1e0f5a9cfc9615222f04e65455c7c4c1ba86710275afffd472428a293c31ec8

SHA512
00497885531c0b84fe869828e5f2c0631f2f175f961c62175736487ae703252ba7393f882ffe99d8c4bcdb951172e35daa9ca41f45e64ce97fbae7721b25c112

Download Submit
C:\Users\Admin\AppData\Local\Temp\perperperper
Filesize
67B

MD5
58b2f90cc0182925ae0bab51700b14ab

SHA1
d2975adeb8dc68f2f5e10edee524de78e79828db

SHA256
8114822fe9a58e5ba08abb480dd595109c66a49d9afc404f85843915694c2964

SHA512
de6154d3d44c7e332f5cf1f3b1e4f20612ecd37f08fa60382ecc5008af2d9a55216357d6927e706fd2ef60b772e7941631fdfe9b1d615e5264e99cffe59ad782

Download Submit
C:\Users\Admin\AppData\Roaming\73339737\svchost.exe
Filesize
76KB

MD5
c80f556153f4798901692cce450bbb60

SHA1
ceffdae200685c6cc6e9f0a71748346e157e86b0

SHA256
77998d6e1369d8666340525d9fb941b93fe5cfb6c02a045d78f736ae57aac56c

SHA512
1e4e7a88e5fe217e3c5e80415d11203a192db43814feee4b2d53b107d9047dd37ec491195776ea400ecb92723c464c4d02cac2430c8ea552b5697cd08bc50c4c

Download Submit
\??\c:\users\admin\appdata\roaming\73339737\svchost.exe
Filesize
76KB

MD5
c80f556153f4798901692cce450bbb60

SHA1
ceffdae200685c6cc6e9f0a71748346e157e86b0

SHA256
77998d6e1369d8666340525d9fb941b93fe5cfb6c02a045d78f736ae57aac56c

SHA512
1e4e7a88e5fe217e3c5e80415d11203a192db43814feee4b2d53b107d9047dd37ec491195776ea400ecb92723c464c4d02cac2430c8ea552b5697cd08bc50c4c

Download Submit
\Users\Admin\AppData\Roaming\73339737\svchost.exe
Filesize
76KB

MD5
c80f556153f4798901692cce450bbb60

SHA1
ceffdae200685c6cc6e9f0a71748346e157e86b0

SHA256
77998d6e1369d8666340525d9fb941b93fe5cfb6c02a045d78f736ae57aac56c

SHA512
1e4e7a88e5fe217e3c5e80415d11203a192db43814feee4b2d53b107d9047dd37ec491195776ea400ecb92723c464c4d02cac2430c8ea552b5697cd08bc50c4c

Download Submit
\Users\Admin\AppData\Roaming\73339737\svchost.exe
Filesize
76KB

MD5
c80f556153f4798901692cce450bbb60

SHA1
ceffdae200685c6cc6e9f0a71748346e157e86b0

SHA256
77998d6e1369d8666340525d9fb941b93fe5cfb6c02a045d78f736ae57aac56c

SHA512
1e4e7a88e5fe217e3c5e80415d11203a192db43814feee4b2d53b107d9047dd37ec491195776ea400ecb92723c464c4d02cac2430c8ea552b5697cd08bc50c4c

Download Submit
memory/288-61-0x0000000000000000-mapping.dmp

Download
memory/436-78-0x0000000000000000-mapping.dmp

Download
memory/520-69-0x0000000000000000-mapping.dmp

Download
memory/596-62-0x0000000000000000-mapping.dmp

Download
memory/616-68-0x0000000000000000-mapping.dmp

Download
memory/760-72-0x0000000000000000-mapping.dmp

Download
memory/952-56-0x0000000000000000-mapping.dmp

Download
memory/1112-70-0x0000000000000000-mapping.dmp

Download
memory/1220-57-0x0000000000000000-mapping.dmp

Download
memory/1320-55-0x0000000000000000-mapping.dmp

Download
memory/1632-54-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1772-74-0x0000000000000000-mapping.dmp

Download
memory/1784-65-0x0000000000000000-mapping.dmp

Download
memory/1828-59-0x0000000000000000-mapping.dmp

Download
memory/1836-60-0x0000000000000000-mapping.dmp

Download
memory/2008-76-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing