215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6

General

Target

215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
Size

147KB
MD5

cb2d6ea208bbd1e42fb69ceb461d2f72
SHA1

a88ca24aeef56d692feff6fe0f0ac9df09a82796
SHA256

215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6
SHA512

e8a5be38e7f06b751068b3d43e56fe8a82d73c796e8f8044498878e1bd8cc7b0d497e34f81b74c753235e7af4a6a196981c515a4778fc7cc8a62ca7505fa3301
SSDEEP

3072:FaJvDmCOU4piJA7vrOaUNC3Hjljb7K/w/qKewWZIiB64d5vPtjnXuG:FaJvqvU4lrOR83U/wCwWqild5vPl

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 18 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging

Modifies security service 2 TTPs 22 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Type = "32"
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Security
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\DeleteFlag = "1"
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Type = "32"
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\RPC-EPMap
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Security
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\ErrorControl = "0"
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\IPTLSIn
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\IPTLSOut
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\Teredo
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\ErrorControl = "0"
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\DeleteFlag = "1"

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\‮etadpug\ImagePath = "\"C:\\Program Files (x86)\\Google\\Desktop\\Install\\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\\ \\...\\\u202eﯹ๛\\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\\GoogleUpdate.exe\" <"	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

276 cmd.exe

pid	process
276	cmd.exe

Unexpected DNS network traffic destination 11 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Update = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Desktop\\Install\\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\\❤≸⋙\\Ⱒ☠⍨\\\u202eﯹ๛\\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\\GoogleUpdate.exe\" >"	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

description ioc process

File created \systemroot\assembly\GAC_64\Desktop.ini
File created \systemroot\assembly\GAC_32\Desktop.ini
Suspicious use of SetThreadContext 1 IoCs

Processes:

215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe

description pid process target process

PID 1204 set thread context of 276 1204 215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe cmd.exe

description	ioc	process
File created	\systemroot\assembly\GAC_64\Desktop.ini
File created	\systemroot\assembly\GAC_32\Desktop.ini

description	pid	process	target process
PID 1204 set thread context of 276	1204	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe	cmd.exe

Drops file in Program Files directory 22 IoCs

Processes:

215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Defender\de-DE:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files (x86)\Google\Desktop\Install\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\ \...\‮ﯹ๛\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\@\:@
File created	C:\Program Files (x86)\Google\Desktop\Install\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\ \...\‮ﯹ๛\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\GoogleUpdate.exe	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\en-US:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files (x86)\Google\Desktop\Install\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\ \...\‮ﯹ๛\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\@
File opened for modification	C:\Program Files\Windows Defender\it-IT:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File created	C:\Program Files (x86)\Google\Desktop\Install\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\ \...\‮ﯹ๛\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\@	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe

NTFS ADS 19 IoCs

Processes:

215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files (x86)\Google\Desktop\Install\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\ \...\‮ﯹ๛\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\@\:@
File opened for modification	C:\Program Files\Windows Defender\de-DE:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\en-US:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES:!	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe

pid	process
1204	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
1204	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
1204	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
1204	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
468

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1288

pid	process
1288

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe

pid	process
1204	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
1204	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe

description	pid	process
Token: SeRestorePrivilege	1204	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
Token: SeDebugPrivilege	1204	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
Token: SeDebugPrivilege	1204	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
Token: SeRestorePrivilege	1204	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
Token: SeBackupPrivilege	468
Token: SeRestorePrivilege	468
Token: SeSecurityPrivilege	468
Token: SeTakeOwnershipPrivilege	468
Token: SeBackupPrivilege	468
Token: SeRestorePrivilege	468
Token: SeSecurityPrivilege	468
Token: SeTakeOwnershipPrivilege	468
Token: SeBackupPrivilege	468
Token: SeRestorePrivilege	468
Token: SeSecurityPrivilege	468
Token: SeTakeOwnershipPrivilege	468
Token: SeBackupPrivilege	468
Token: SeRestorePrivilege	468
Token: SeSecurityPrivilege	468
Token: SeTakeOwnershipPrivilege	468
Token: SeBackupPrivilege	468
Token: SeRestorePrivilege	468
Token: SeSecurityPrivilege	468
Token: SeTakeOwnershipPrivilege	468
Token: SeBackupPrivilege	468
Token: SeRestorePrivilege	468
Token: SeSecurityPrivilege	468
Token: SeTakeOwnershipPrivilege	468
Token: SeDebugPrivilege	468

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1288
1288
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1288
1288

pid	process
1288
1288

pid	process
1288
1288

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe

description	pid	process	target process
PID 1204 wrote to memory of 276	1204	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe	cmd.exe
PID 1204 wrote to memory of 276	1204	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe	cmd.exe
PID 1204 wrote to memory of 276	1204	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe	cmd.exe
PID 1204 wrote to memory of 276	1204	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe	cmd.exe
PID 1204 wrote to memory of 276	1204	215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe
"C:\Users\Admin\AppData\Local\Temp\215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6.exe"
1⤵
- Modifies security service
- Sets service image path in registry
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Deletes itself
  PID:276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Desktop\Install\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\ \...\‮ﯹ๛\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\@

Filesize
2KB

MD5
3758a13eeaae659f000bdeb702d10d81

SHA1
0521d94498a926c1fe18af81b153f47f15f03901

SHA256
4a4570aabe036ba4e83fde69c06c76ddc4388fabdc6058fc0e1f92f8b79024a7

SHA512
51994d508fdfd8ed0895f7353e4530fa61776be67dfbaa19e6d9b0930407a45e09d8e9e53e765db38c379be003dfbe503b62471a6e07e429566e2dc401d3a991

Download Submit
memory/276-59-0x0000000000000000-mapping.dmp

Download
memory/468-58-0x0000000000210000-0x0000000000222000-memory.dmp

Filesize
72KB

Download
memory/468-62-0x0000000000210000-0x0000000000222000-memory.dmp

Filesize
72KB

Download
memory/1204-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1204-55-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1204-56-0x0000000000430000-0x000000000045D000-memory.dmp

Filesize
180KB

Download
memory/1204-60-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1288-57-0x00000000029B0000-0x00000000029C2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads