dd8796c43a139741c0275f427d4504075d20221680c7e8a391970a4a86f72af0

General

Target

dd8796c43a139741c0275f427d4504075d20221680c7e8a391970a4a86f72af0.exe
Size

65KB
MD5

31e108cd5594b0424efbeeabf224824d
SHA1

2d455f8f7aa028d0afdc7b7fa2ef2e8a6a3c7c44
SHA256

dd8796c43a139741c0275f427d4504075d20221680c7e8a391970a4a86f72af0
SHA512

46ae05132ff620fe3043fb5ca6644df76a892268eb08d5931b5546c020e7db6d25af9cc63143f400e6fc4f53027e13e7bc23dbaeff4b52f98ab012dbf8c5aba5
SSDEEP

1536:Xt4ILg8vM2SRMxCqbS75mfu/+/sKUIXynYAvrS3MKBb:NlM2SEbSSCSs1IC7vm8KBb

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
608	5FEB3DB3.EXE

Deletes itself 1 IoCs

pid	Process
1944	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1348	dd8796c43a139741c0275f427d4504075d20221680c7e8a391970a4a86f72af0.exe
1348	dd8796c43a139741c0275f427d4504075d20221680c7e8a391970a4a86f72af0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\5FEB3DB3 = "C:\\Users\\Admin\\AppData\\Roaming\\5FEB3DB3\\5FEB3DB3.EXE"	dd8796c43a139741c0275f427d4504075d20221680c7e8a391970a4a86f72af0.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	dd8796c43a139741c0275f427d4504075d20221680c7e8a391970a4a86f72af0.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
608	5FEB3DB3.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1348	dd8796c43a139741c0275f427d4504075d20221680c7e8a391970a4a86f72af0.exe
Token: SeDebugPrivilege	608	5FEB3DB3.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 608	1348	dd8796c43a139741c0275f427d4504075d20221680c7e8a391970a4a86f72af0.exe	26
PID 1348 wrote to memory of 608	1348	dd8796c43a139741c0275f427d4504075d20221680c7e8a391970a4a86f72af0.exe	26
PID 1348 wrote to memory of 608	1348	dd8796c43a139741c0275f427d4504075d20221680c7e8a391970a4a86f72af0.exe	26
PID 1348 wrote to memory of 608	1348	dd8796c43a139741c0275f427d4504075d20221680c7e8a391970a4a86f72af0.exe	26
PID 608 wrote to memory of 1272	608	5FEB3DB3.EXE	10
PID 608 wrote to memory of 1272	608	5FEB3DB3.EXE	10
PID 608 wrote to memory of 1272	608	5FEB3DB3.EXE	10
PID 608 wrote to memory of 1272	608	5FEB3DB3.EXE	10
PID 608 wrote to memory of 1272	608	5FEB3DB3.EXE	10
PID 1348 wrote to memory of 1944	1348	dd8796c43a139741c0275f427d4504075d20221680c7e8a391970a4a86f72af0.exe	27
PID 1348 wrote to memory of 1944	1348	dd8796c43a139741c0275f427d4504075d20221680c7e8a391970a4a86f72af0.exe	27
PID 1348 wrote to memory of 1944	1348	dd8796c43a139741c0275f427d4504075d20221680c7e8a391970a4a86f72af0.exe	27
PID 1348 wrote to memory of 1944	1348	dd8796c43a139741c0275f427d4504075d20221680c7e8a391970a4a86f72af0.exe	27

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272
- C:\Users\Admin\AppData\Local\Temp\dd8796c43a139741c0275f427d4504075d20221680c7e8a391970a4a86f72af0.exe
  "C:\Users\Admin\AppData\Local\Temp\dd8796c43a139741c0275f427d4504075d20221680c7e8a391970a4a86f72af0.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Users\Admin\AppData\Roaming\5FEB3DB3\5FEB3DB3.EXE
    "C:\Users\Admin\AppData\Roaming\5FEB3DB3\5FEB3DB3.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:608
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\POS6EDA.tmp.BAT"
    3⤵
    - Deletes itself
    PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\POS6EDA.tmp.BAT

Filesize
322B

MD5
68c474ca6f6de9f7bd06714976fe0ede

SHA1
67180d55d9abea69c4956f268d3e9a4d17431bc1

SHA256
2212a521132b74e3416ff74a1e92eae90f8e34be8119dfa05659f2ffab9d73de

SHA512
6af271dc10897c87f108349d70a6c53995764b52668d0ac7237563e86ff685df419188afd1cf9f7984bdddc1b4e7bbcbae4ac1200f9b576a175359d274a05866

Download Submit
C:\Users\Admin\AppData\Roaming\5FEB3DB3\5FEB3DB3.EXE

Filesize
65KB

MD5
31e108cd5594b0424efbeeabf224824d

SHA1
2d455f8f7aa028d0afdc7b7fa2ef2e8a6a3c7c44

SHA256
dd8796c43a139741c0275f427d4504075d20221680c7e8a391970a4a86f72af0

SHA512
46ae05132ff620fe3043fb5ca6644df76a892268eb08d5931b5546c020e7db6d25af9cc63143f400e6fc4f53027e13e7bc23dbaeff4b52f98ab012dbf8c5aba5

Download Submit
\Users\Admin\AppData\Roaming\5FEB3DB3\5FEB3DB3.EXE

Filesize
65KB

MD5
31e108cd5594b0424efbeeabf224824d

SHA1
2d455f8f7aa028d0afdc7b7fa2ef2e8a6a3c7c44

SHA256
dd8796c43a139741c0275f427d4504075d20221680c7e8a391970a4a86f72af0

SHA512
46ae05132ff620fe3043fb5ca6644df76a892268eb08d5931b5546c020e7db6d25af9cc63143f400e6fc4f53027e13e7bc23dbaeff4b52f98ab012dbf8c5aba5

Download Submit
\Users\Admin\AppData\Roaming\5FEB3DB3\5FEB3DB3.EXE

Filesize
65KB

MD5
31e108cd5594b0424efbeeabf224824d

SHA1
2d455f8f7aa028d0afdc7b7fa2ef2e8a6a3c7c44

SHA256
dd8796c43a139741c0275f427d4504075d20221680c7e8a391970a4a86f72af0

SHA512
46ae05132ff620fe3043fb5ca6644df76a892268eb08d5931b5546c020e7db6d25af9cc63143f400e6fc4f53027e13e7bc23dbaeff4b52f98ab012dbf8c5aba5

Download Submit
memory/608-76-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/608-77-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/1272-75-0x0000000002740000-0x0000000002761000-memory.dmp

Filesize
132KB

Download
memory/1272-73-0x0000000002740000-0x0000000002761000-memory.dmp

Filesize
132KB

Download
memory/1348-60-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/1348-59-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1348-54-0x00000000750A1000-0x00000000750A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing