b4911217679701fd9f307170d4ce81a70467aa27126316644e202bd20d547551

General

Target

b4911217679701fd9f307170d4ce81a70467aa27126316644e202bd20d547551.exe
Size

261KB
MD5

abf33ab05d3f2b8c19018364def0861b
SHA1

50b043c9ba3fa99ac3e968e2deedbd5323f21eff
SHA256

b4911217679701fd9f307170d4ce81a70467aa27126316644e202bd20d547551
SHA512

f0709f0dd6bdd5813a0a684ac603cecdb9e43614608d8b09450365c5b7d7176b5e440142d2e5e5806ab28e92f65e57f982589365b2780b5fe2742bb89c0cde1a
SSDEEP

6144:MO8Ix8uaN7WmevRgAwlZpcz0t2YVFV+vTzs+OO2Mm:MO8I8WmevYo3YVz+vXsLO2/

Score

8^/10

persistence

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

notepad.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rjrwzmzis.exe	notepad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rjrwzmzis.exe\DisableExceptionChainValidation	notepad.exe

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1063

Processes:

notepad.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus	notepad.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

notepad.exe

description ioc process

File created C:\ProgramData\ghtsyuabnjagsfsha\desktop.ini notepad.exe

description	ioc	process
File created	C:\ProgramData\ghtsyuabnjagsfsha\desktop.ini	notepad.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b4911217679701fd9f307170d4ce81a70467aa27126316644e202bd20d547551.exe

description	pid	process	target process
PID 1592 set thread context of 1724	1592	b4911217679701fd9f307170d4ce81a70467aa27126316644e202bd20d547551.exe	notepad.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

notepad.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	notepad.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	notepad.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	notepad.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	notepad.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1704 schtasks.exe

pid	process
1704	schtasks.exe

Modifies registry class 7 IoCs

Processes:

notepad.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{38C7B300-CEF9-E941-B4D8-876C8395D4F8}\64370839\CG1\HAL = 05ee0000	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{38C7B300-CEF9-E941-B4D8-876C8395D4F8}\64370839\ê'èt3	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{38C7B300-CEF9-E941-B4D8-876C8395D4F8}\64370839\ê'èt3\BID = 200008001d000b00e6070000140000001d0016002a00260000000000de8a8663	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{38C7B300-CEF9-E941-B4D8-876C8395D4F8}\64370839\CG1	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{38C7B300-CEF9-E941-B4D8-876C8395D4F8}	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{38C7B300-CEF9-E941-B4D8-876C8395D4F8}\64370839	notepad.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

notepad.exe

pid process

1724 notepad.exe
1724 notepad.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

notepad.exe

description pid process

Token: SeRestorePrivilege 1724 notepad.exe
Token: SeBackupPrivilege 1724 notepad.exe
Token: SeDebugPrivilege 1724 notepad.exe

pid	process
1724	notepad.exe
1724	notepad.exe

description	pid	process
Token: SeRestorePrivilege	1724	notepad.exe
Token: SeBackupPrivilege	1724	notepad.exe
Token: SeDebugPrivilege	1724	notepad.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

b4911217679701fd9f307170d4ce81a70467aa27126316644e202bd20d547551.exenotepad.exe

description	pid	process	target process
PID 1592 wrote to memory of 1724	1592	b4911217679701fd9f307170d4ce81a70467aa27126316644e202bd20d547551.exe	notepad.exe
PID 1592 wrote to memory of 1724	1592	b4911217679701fd9f307170d4ce81a70467aa27126316644e202bd20d547551.exe	notepad.exe
PID 1592 wrote to memory of 1724	1592	b4911217679701fd9f307170d4ce81a70467aa27126316644e202bd20d547551.exe	notepad.exe
PID 1592 wrote to memory of 1724	1592	b4911217679701fd9f307170d4ce81a70467aa27126316644e202bd20d547551.exe	notepad.exe
PID 1592 wrote to memory of 1724	1592	b4911217679701fd9f307170d4ce81a70467aa27126316644e202bd20d547551.exe	notepad.exe
PID 1592 wrote to memory of 1724	1592	b4911217679701fd9f307170d4ce81a70467aa27126316644e202bd20d547551.exe	notepad.exe
PID 1592 wrote to memory of 1724	1592	b4911217679701fd9f307170d4ce81a70467aa27126316644e202bd20d547551.exe	notepad.exe
PID 1592 wrote to memory of 1724	1592	b4911217679701fd9f307170d4ce81a70467aa27126316644e202bd20d547551.exe	notepad.exe
PID 1592 wrote to memory of 1724	1592	b4911217679701fd9f307170d4ce81a70467aa27126316644e202bd20d547551.exe	notepad.exe
PID 1592 wrote to memory of 1724	1592	b4911217679701fd9f307170d4ce81a70467aa27126316644e202bd20d547551.exe	notepad.exe
PID 1724 wrote to memory of 1704	1724	notepad.exe	schtasks.exe
PID 1724 wrote to memory of 1704	1724	notepad.exe	schtasks.exe
PID 1724 wrote to memory of 1704	1724	notepad.exe	schtasks.exe
PID 1724 wrote to memory of 1704	1724	notepad.exe	schtasks.exe
PID 1724 wrote to memory of 1048	1724	notepad.exe	WerFault.exe
PID 1724 wrote to memory of 1048	1724	notepad.exe	WerFault.exe
PID 1724 wrote to memory of 1048	1724	notepad.exe	WerFault.exe
PID 1724 wrote to memory of 1048	1724	notepad.exe	WerFault.exe
PID 1724 wrote to memory of 1048	1724	notepad.exe	WerFault.exe
PID 1724 wrote to memory of 1048	1724	notepad.exe	WerFault.exe
PID 1724 wrote to memory of 1048	1724	notepad.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\b4911217679701fd9f307170d4ce81a70467aa27126316644e202bd20d547551.exe
"C:\Users\Admin\AppData\Local\Temp\b4911217679701fd9f307170d4ce81a70467aa27126316644e202bd20d547551.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
2⤵
- Sets file execution options in registry
- Checks for any installed AV software in registry
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x64370839" /TR "C:\ProgramData\ghtsyuabnjagsfsha\rjrwzmzis.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1704

C:\Windows\SysWOW64\WerFault.exe
"C:\Windows\SysWOW64\WerFault.exe"
3⤵
PID:1048

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Security Software Discovery

1

T1063

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1048-79-0x0000000077530000-0x00000000776B1000-memory.dmp

Filesize
1.5MB

Download
memory/1048-78-0x0000000000180000-0x00000000001FA000-memory.dmp

Filesize
488KB

Download
memory/1048-77-0x0000000077530000-0x00000000776B1000-memory.dmp

Filesize
1.5MB

Download
memory/1048-76-0x0000000000180000-0x00000000001FA000-memory.dmp

Filesize
488KB

Download
memory/1048-74-0x0000000000000000-mapping.dmp

Download
memory/1592-55-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/1592-54-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download
memory/1592-65-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-73-0x0000000000000000-mapping.dmp

Download
memory/1724-59-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1724-63-0x000000000040120A-mapping.dmp

Download
memory/1724-69-0x00000000004C0000-0x000000000050B000-memory.dmp

Filesize
300KB

Download
memory/1724-70-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1724-72-0x00000000000B0000-0x00000000000BB000-memory.dmp

Filesize
44KB

Download
memory/1724-71-0x00000000004C0000-0x000000000050B000-memory.dmp

Filesize
300KB

Download
memory/1724-66-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1724-62-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1724-75-0x00000000004C0000-0x000000000050B000-memory.dmp

Filesize
300KB

Download
memory/1724-61-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1724-58-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1724-57-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1724-56-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads