9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a

General

Target

9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe
Size

116KB
MD5

e46533b40da1d470aea6b0f2639cc1fb
SHA1

1bc2240881008a19fdfd7430fd3afc5481caa04a
SHA256

9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a
SHA512

739d82090fc840b8437a2a14b8dd94aadd2881a3734c9a74526fb1d8dd1314d994d97bf083edebc783cbe81f0210e27ee8ac526e47fb895b5f6502562e2807ef
SSDEEP

3072:u7Ns4ln2Ceja1RD4XP999W9l9o999zB999999899fE6e6VE6B999W9l9o999zB9T:ANdlbIP999W9l9o999zB999999899M6D

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	msiexec.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msiexec.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\2026435656 = "C:\\ProgramData\\msroav.exe"	msiexec.exe

Blocklisted process makes network request 31 IoCs

flow	pid	Process
2	988	msiexec.exe
4	988	msiexec.exe
6	988	msiexec.exe
7	988	msiexec.exe
10	988	msiexec.exe
12	988	msiexec.exe
13	988	msiexec.exe
14	988	msiexec.exe
16	988	msiexec.exe
17	988	msiexec.exe
18	988	msiexec.exe
20	988	msiexec.exe
21	988	msiexec.exe
22	988	msiexec.exe
24	988	msiexec.exe
25	988	msiexec.exe
26	988	msiexec.exe
27	988	msiexec.exe
28	988	msiexec.exe
29	988	msiexec.exe
30	988	msiexec.exe
31	988	msiexec.exe
32	988	msiexec.exe
33	988	msiexec.exe
34	988	msiexec.exe
35	988	msiexec.exe
36	988	msiexec.exe
37	988	msiexec.exe
38	988	msiexec.exe
39	988	msiexec.exe
40	988	msiexec.exe

Disables taskbar notifications via registry modification
evasion

Deletes itself 1 IoCs

pid	Process
988	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\Run	msiexec.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
816	9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe
816	9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	988	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1264	9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 816	1264	9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe	28
PID 1264 wrote to memory of 816	1264	9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe	28
PID 1264 wrote to memory of 816	1264	9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe	28
PID 1264 wrote to memory of 816	1264	9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe	28
PID 1264 wrote to memory of 816	1264	9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe	28
PID 1264 wrote to memory of 816	1264	9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe	28
PID 1264 wrote to memory of 816	1264	9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe	28
PID 1264 wrote to memory of 816	1264	9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe	28
PID 1264 wrote to memory of 816	1264	9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe	28
PID 1264 wrote to memory of 816	1264	9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe	28
PID 1264 wrote to memory of 816	1264	9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe	28
PID 1264 wrote to memory of 816	1264	9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe	28
PID 1264 wrote to memory of 816	1264	9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe	28
PID 1264 wrote to memory of 816	1264	9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe	28
PID 816 wrote to memory of 988	816	9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe	29
PID 816 wrote to memory of 988	816	9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe	29
PID 816 wrote to memory of 988	816	9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe	29
PID 816 wrote to memory of 988	816	9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe	29
PID 816 wrote to memory of 988	816	9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe	29
PID 816 wrote to memory of 988	816	9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe	29
PID 816 wrote to memory of 988	816	9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe	29

C:\Users\Admin\AppData\Local\Temp\9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe
"C:\Users\Admin\AppData\Local\Temp\9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Local\Temp\9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe
  "C:\Users\Admin\AppData\Local\Temp\9dc62596ec0ef91388425b4f9053eaad3ffa405519969b15ecb426babec7779a.exe"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\system32\msiexec.exe"
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - UAC bypass
    - Adds policy Run key to start application
    - Blocklisted process makes network request
    - Deletes itself
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/816-57-0x0000000000000000-mapping.dmp

Download
memory/816-60-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/816-61-0x000000007EF90000-0x000000007EF97000-memory.dmp

Filesize
28KB

Download
memory/988-62-0x0000000000000000-mapping.dmp

Download
memory/988-65-0x0000000000090000-0x0000000000096000-memory.dmp

Filesize
24KB

Download
memory/988-64-0x0000000000380000-0x0000000000394000-memory.dmp

Filesize
80KB

Download
memory/988-66-0x000000007EF90000-0x000000007EF97000-memory.dmp

Filesize
28KB

Download
memory/988-67-0x000000007EF90000-0x000000007EF97000-memory.dmp

Filesize
28KB

Download
memory/1264-56-0x0000000076711000-0x0000000076713000-memory.dmp

Filesize
8KB

Download
memory/1264-58-0x0000000000450000-0x0000000000456000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads