17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641

General

Target

17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
Size

278KB
MD5

d0967914b98789b8c5a033e2e6a9a1f8
SHA1

bd6226241265548bacac3a288e654a2b52acf31b
SHA256

17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641
SHA512

e97a9ea92864bc9cc9795b665a13be3862916a786de316801759c26ad85c78d3d053b8b7c3bfec201039f474d0471873cd6a11e3dd074fa35734951eb3d3db50
SSDEEP

6144:dQDds6bxOU8ytpJP/+HFLNSFpEBax8CqRZ:SDG6b98yJYNJax8Cq

Score

8^/10

persistence

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\juqsvyqvq.exe\DisableExceptionChainValidation	RegSvcs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\juqsvyqvq.exe	RegSvcs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\random = "\"C:\\ProgramData\\randomfolder\\juqsvyqvq.exe\""	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus	RegSvcs.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File created	C:\ProgramData\randomfolder\desktop.ini	RegSvcs.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 108 set thread context of 1712	108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe	28

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1708	schtasks.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{ABA091C3-307A-AA4F-ABEF-1E7C04520AD5}\589C06E0\CW1\108 = 88000000a00200008df104021e010600	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{ABA091C3-307A-AA4F-ABEF-1E7C04520AD5}\589C06E0\CG1\HAL = 05ee0000	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{ABA091C3-307A-AA4F-ABEF-1E7C04520AD5}\589C06E0\ê'u3	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{ABA091C3-307A-AA4F-ABEF-1E7C04520AD5}	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{ABA091C3-307A-AA4F-ABEF-1E7C04520AD5}\589C06E0	RegSvcs.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{ABA091C3-307A-AA4F-ABEF-1E7C04520AD5}\589C06E0\ê'u3\BID = 200008001d000b00e6070000140000001d00070033001e000000000002ba8563	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{ABA091C3-307A-AA4F-ABEF-1E7C04520AD5}\589C06E0\CS1	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{ABA091C3-307A-AA4F-ABEF-1E7C04520AD5}\589C06E0\CW1	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{ABA091C3-307A-AA4F-ABEF-1E7C04520AD5}\589C06E0\CG1	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1712	RegSvcs.exe
1712	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
Token: SeRestorePrivilege	1712	RegSvcs.exe
Token: SeBackupPrivilege	1712	RegSvcs.exe
Token: SeDebugPrivilege	1712	RegSvcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 108 wrote to memory of 1712	108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe	28
PID 108 wrote to memory of 1712	108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe	28
PID 108 wrote to memory of 1712	108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe	28
PID 108 wrote to memory of 1712	108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe	28
PID 108 wrote to memory of 1712	108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe	28
PID 108 wrote to memory of 1712	108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe	28
PID 108 wrote to memory of 1712	108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe	28
PID 108 wrote to memory of 1712	108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe	28
PID 108 wrote to memory of 1712	108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe	28
PID 108 wrote to memory of 1712	108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe	28
PID 108 wrote to memory of 1712	108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe	28
PID 108 wrote to memory of 1712	108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe	28
PID 108 wrote to memory of 1712	108	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe	28
PID 1712 wrote to memory of 1708	1712	RegSvcs.exe	29
PID 1712 wrote to memory of 1708	1712	RegSvcs.exe	29
PID 1712 wrote to memory of 1708	1712	RegSvcs.exe	29
PID 1712 wrote to memory of 1708	1712	RegSvcs.exe	29
PID 1712 wrote to memory of 1180	1712	RegSvcs.exe	31
PID 1712 wrote to memory of 1180	1712	RegSvcs.exe	31
PID 1712 wrote to memory of 1180	1712	RegSvcs.exe	31
PID 1712 wrote to memory of 1180	1712	RegSvcs.exe	31
PID 1712 wrote to memory of 1180	1712	RegSvcs.exe	31
PID 1712 wrote to memory of 1180	1712	RegSvcs.exe	31
PID 1712 wrote to memory of 1180	1712	RegSvcs.exe	31

C:\Users\Admin\AppData\Local\Temp\17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
"C:\Users\Admin\AppData\Local\Temp\17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:108
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Sets file execution options in registry
  - Checks for any installed AV software in registry
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x589C06E0" /TR "C:\ProgramData\randomfolder\juqsvyqvq.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1708
- - C:\Windows\SysWOW64\WerFault.exe
    "C:\Windows\SysWOW64\WerFault.exe"
    3⤵
    PID:1180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Security Software Discovery

1

T1063

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/108-81-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/108-80-0x00000000021D0000-0x00000000021DB000-memory.dmp

Filesize
44KB

Download
memory/108-77-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/108-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/108-67-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/1180-79-0x0000000000090000-0x00000000000DE000-memory.dmp

Filesize
312KB

Download
memory/1180-78-0x00000000778D0000-0x0000000077A51000-memory.dmp

Filesize
1.5MB

Download
memory/1180-76-0x0000000000090000-0x00000000000DE000-memory.dmp

Filesize
312KB

Download
memory/1180-75-0x00000000778D0000-0x0000000077A51000-memory.dmp

Filesize
1.5MB

Download
memory/1712-61-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1712-70-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1712-71-0x0000000000260000-0x000000000026B000-memory.dmp

Filesize
44KB

Download
memory/1712-69-0x0000000000090000-0x00000000000DB000-memory.dmp

Filesize
300KB

Download
memory/1712-68-0x0000000000090000-0x00000000000DB000-memory.dmp

Filesize
300KB

Download
memory/1712-74-0x0000000000090000-0x00000000000DB000-memory.dmp

Filesize
300KB

Download
memory/1712-64-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1712-57-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1712-60-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1712-58-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1712-56-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1712-55-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads