17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641

General

Target

17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
Size

278KB
MD5

d0967914b98789b8c5a033e2e6a9a1f8
SHA1

bd6226241265548bacac3a288e654a2b52acf31b
SHA256

17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641
SHA512

e97a9ea92864bc9cc9795b665a13be3862916a786de316801759c26ad85c78d3d053b8b7c3bfec201039f474d0471873cd6a11e3dd074fa35734951eb3d3db50
SSDEEP

6144:dQDds6bxOU8ytpJP/+HFLNSFpEBax8CqRZ:SDG6b98yJYNJax8Cq

Score

8^/10

persistence

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uugbgiyxh.exe	RegSvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uugbgiyxh.exe\DisableExceptionChainValidation	RegSvcs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\random = "\"C:\\ProgramData\\randomfolder\\uugbgiyxh.exe\""	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus	RegSvcs.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
File created	C:\ProgramData\randomfolder\desktop.ini	RegSvcs.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3208 set thread context of 2260	3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe	83

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
File created	C:\Windows\assembly\Desktop.ini	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	RegSvcs.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4916	schtasks.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{A32C7EBE-DFEA-624B-A41C-54B3B15F83B7}\589C06E0\CG1	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{A32C7EBE-DFEA-624B-A41C-54B3B15F83B7}	RegSvcs.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{A32C7EBE-DFEA-624B-A41C-54B3B15F83B7}\589C06E0\CG1\HAL = 05ee0000	RegSvcs.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{A32C7EBE-DFEA-624B-A41C-54B3B15F83B7}\589C06E0\CG1\BID = 200008001d000b00e6070000140000001d00070033001a0000000000feb98563	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{A32C7EBE-DFEA-624B-A41C-54B3B15F83B7}\589C06E0\CS1	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{A32C7EBE-DFEA-624B-A41C-54B3B15F83B7}\589C06E0	RegSvcs.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{A32C7EBE-DFEA-624B-A41C-54B3B15F83B7}\589C06E0\CW1	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{A32C7EBE-DFEA-624B-A41C-54B3B15F83B7}\589C06E0\CW1\3208 = 88000000040600008df1be05f6010700	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2260	RegSvcs.exe
2260	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
Token: SeRestorePrivilege	2260	RegSvcs.exe
Token: SeBackupPrivilege	2260	RegSvcs.exe
Token: SeDebugPrivilege	2260	RegSvcs.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3208 wrote to memory of 2260	3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe	83
PID 3208 wrote to memory of 2260	3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe	83
PID 3208 wrote to memory of 2260	3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe	83
PID 3208 wrote to memory of 2260	3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe	83
PID 3208 wrote to memory of 2260	3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe	83
PID 3208 wrote to memory of 2260	3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe	83
PID 3208 wrote to memory of 2260	3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe	83
PID 3208 wrote to memory of 2260	3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe	83
PID 3208 wrote to memory of 2260	3208	17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe	83
PID 2260 wrote to memory of 4916	2260	RegSvcs.exe	84
PID 2260 wrote to memory of 4916	2260	RegSvcs.exe	84
PID 2260 wrote to memory of 4916	2260	RegSvcs.exe	84
PID 2260 wrote to memory of 4816	2260	RegSvcs.exe	86
PID 2260 wrote to memory of 4816	2260	RegSvcs.exe	86
PID 2260 wrote to memory of 4816	2260	RegSvcs.exe	86

C:\Users\Admin\AppData\Local\Temp\17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe
"C:\Users\Admin\AppData\Local\Temp\17802b7ea044164f5f89d89ab8c7afd5c3a7a92373dc538688945e6f8e39a641.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Sets file execution options in registry
  - Checks for any installed AV software in registry
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x589C06E0" /TR "C:\ProgramData\randomfolder\uugbgiyxh.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4916
- - C:\Windows\SysWOW64\WerFault.exe
    "C:\Windows\SysWOW64\WerFault.exe"
    3⤵
    PID:4816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Security Software Discovery

1

T1063

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2260-141-0x0000000002690000-0x000000000269B000-memory.dmp

Filesize
44KB

Download
memory/2260-134-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2260-136-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2260-138-0x0000000000A90000-0x0000000000ADB000-memory.dmp

Filesize
300KB

Download
memory/2260-139-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2260-140-0x0000000000A90000-0x0000000000ADB000-memory.dmp

Filesize
300KB

Download
memory/3208-149-0x00000000772E0000-0x0000000077483000-memory.dmp

Filesize
1.6MB

Download
memory/3208-146-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/3208-148-0x0000000005A00000-0x0000000005ECE000-memory.dmp

Filesize
4.8MB

Download
memory/3208-132-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/3208-150-0x0000000005A00000-0x0000000005ECE000-memory.dmp

Filesize
4.8MB

Download
memory/3208-151-0x00000000772E0000-0x0000000077483000-memory.dmp

Filesize
1.6MB

Download
memory/3208-152-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/3208-153-0x00000000772E0000-0x0000000077483000-memory.dmp

Filesize
1.6MB

Download
memory/4816-144-0x0000000000570000-0x00000000005EB000-memory.dmp

Filesize
492KB

Download
memory/4816-145-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/4816-147-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads