369398deff9e11a852c3fd414b6288c380b554ccfee1aa16f8e23c8db8f760b4

General

Target

369398deff9e11a852c3fd414b6288c380b554ccfee1aa16f8e23c8db8f760b4.exe
Size

642KB
MD5

a9d1f6ab9f83e46f0a3c6b1d2b8cafd2
SHA1

a1204f18c910fff65daa7f43d31a3fef5f2910d1
SHA256

369398deff9e11a852c3fd414b6288c380b554ccfee1aa16f8e23c8db8f760b4
SHA512

2dc3b0449a66baff43b1f3b1fe94f9b71deb9b6eaf98b34b5d8fa44ddbe952cfa264de5eea96899f2d2bc6e46bb491042f8244c86ddfc2bc6f65ae053885b981
SSDEEP

12288:vJOVDKwcJrtkw74Iv5Qb40r2EmT806Vb7KQnOlY0UOFeRIn:vYVDJorqwEIBQsRoBNKysY0/MRIn

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

kwrsnmf.exe

pid process

972 kwrsnmf.exe

pid	process
972	kwrsnmf.exe

Modifies registry class 8 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133139804955367450"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133139805369899053"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133139805370365903"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

369398deff9e11a852c3fd414b6288c380b554ccfee1aa16f8e23c8db8f760b4.exekwrsnmf.exe

pid	process
3184	369398deff9e11a852c3fd414b6288c380b554ccfee1aa16f8e23c8db8f760b4.exe
3184	369398deff9e11a852c3fd414b6288c380b554ccfee1aa16f8e23c8db8f760b4.exe
972	kwrsnmf.exe
972	kwrsnmf.exe
972	kwrsnmf.exe
972	kwrsnmf.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

kwrsnmf.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	972	kwrsnmf.exe
Token: SeTcbPrivilege	788	svchost.exe
Token: SeTcbPrivilege	788	svchost.exe
Token: SeTcbPrivilege	788	svchost.exe
Token: SeTcbPrivilege	788	svchost.exe
Token: SeTcbPrivilege	788	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

kwrsnmf.exesvchost.exe

description	pid	process	target process
PID 972 wrote to memory of 788	972	kwrsnmf.exe	svchost.exe
PID 788 wrote to memory of 4928	788	svchost.exe	backgroundTaskHost.exe
PID 788 wrote to memory of 4928	788	svchost.exe	backgroundTaskHost.exe
PID 788 wrote to memory of 4928	788	svchost.exe	backgroundTaskHost.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:788
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:4928

C:\Users\Admin\AppData\Local\Temp\369398deff9e11a852c3fd414b6288c380b554ccfee1aa16f8e23c8db8f760b4.exe
"C:\Users\Admin\AppData\Local\Temp\369398deff9e11a852c3fd414b6288c380b554ccfee1aa16f8e23c8db8f760b4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3184

C:\Users\Admin\AppData\Local\Temp\kwrsnmf.exe
C:\Users\Admin\AppData\Local\Temp\kwrsnmf.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft OneDrive\miylefa

Filesize
654B

MD5
d3ca7c0b49c2559b63da15fe5ca41b0f

SHA1
c02f8dc017ef86f1a980b341559357dc0ad9b955

SHA256
6449fd6f58427f9df6800e056d93b8efd5cd40fa23c029e171bc0f912a903cc3

SHA512
784701a5ebc94ccdb64b3c142d5558b67e421d2f3bcceac1afaf64fee21520639c2a06e4423696c7a52509b88f8f9e10ab45ace35abee7f16f13d02a98a31098

Download Submit
C:\ProgramData\Microsoft OneDrive\miylefa

Filesize
654B

MD5
55e7d0fd2cccf0b300392ab1c570a393

SHA1
1d8a603ce17ee4a4d15bf5a7b6dc9fb7db962886

SHA256
61216a30946db9bd152a5507e22b6f96dad716ac70cae967547eca29ee8f1afc

SHA512
cce573ad7f34f8a08b890a42eb101fe4e8312252a4b3715e2e59478e545203a9ceeed335c85ed3245720270bb48bbec386ff03b8fa855366c8e5851015a9a953

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwrsnmf.exe

Filesize
642KB

MD5
a9d1f6ab9f83e46f0a3c6b1d2b8cafd2

SHA1
a1204f18c910fff65daa7f43d31a3fef5f2910d1

SHA256
369398deff9e11a852c3fd414b6288c380b554ccfee1aa16f8e23c8db8f760b4

SHA512
2dc3b0449a66baff43b1f3b1fe94f9b71deb9b6eaf98b34b5d8fa44ddbe952cfa264de5eea96899f2d2bc6e46bb491042f8244c86ddfc2bc6f65ae053885b981

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwrsnmf.exe

Filesize
642KB

MD5
a9d1f6ab9f83e46f0a3c6b1d2b8cafd2

SHA1
a1204f18c910fff65daa7f43d31a3fef5f2910d1

SHA256
369398deff9e11a852c3fd414b6288c380b554ccfee1aa16f8e23c8db8f760b4

SHA512
2dc3b0449a66baff43b1f3b1fe94f9b71deb9b6eaf98b34b5d8fa44ddbe952cfa264de5eea96899f2d2bc6e46bb491042f8244c86ddfc2bc6f65ae053885b981

Download Submit
memory/788-138-0x0000000038250000-0x00000000382BD000-memory.dmp

Filesize
436KB

Download
memory/972-137-0x0000000000C60000-0x0000000000E8D000-memory.dmp

Filesize
2.2MB

Download
memory/3184-132-0x00000000016C0000-0x00000000018BC000-memory.dmp

Filesize
2.0MB

Download
memory/3184-133-0x00000000018C0000-0x0000000001AED000-memory.dmp

Filesize
2.2MB

Download
memory/4928-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads