1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3

General

Target

1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe
Size

890KB
MD5

edeb5dea8ad10ae0102a5888991036b9
SHA1

8ba3ed9ab88b8fd8c77ede0f304deeec8cef843d
SHA256

1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3
SHA512

7bc2c3ffa882abf8b45cdd4df0677aee2495c453b3fcfc486a5321ff14b62cce35566efce579f5773164cdc55d39e9e97fa57833b337d1e7def888d13838cecd
SSDEEP

12288:3GjEJ5DY3YJW1QNCfFKVIm3vLZabIIsOihKlz3wp0dN2ZENtLfiIPDtOkYl9a:xn9HI8Ebdihs3K0HPN57PxOM

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

vhwmdff.exevhwmdff.exe

pid process

376 vhwmdff.exe
4080 vhwmdff.exe

pid	process
376	vhwmdff.exe
4080	vhwmdff.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exevhwmdff.exe

description	pid	process	target process
PID 2260 set thread context of 220	2260	1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe	1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe
PID 376 set thread context of 4080	376	vhwmdff.exe	vhwmdff.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
2860	2260	WerFault.exe	1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe
3592	376	WerFault.exe	vhwmdff.exe

Modifies registry class 8 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133142452481058996"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133142453117289247"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133142453979476501"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exevhwmdff.exe

pid	process
220	1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe
220	1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe
4080	vhwmdff.exe
4080	vhwmdff.exe
4080	vhwmdff.exe
4080	vhwmdff.exe
4080	vhwmdff.exe
4080	vhwmdff.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

vhwmdff.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4080	vhwmdff.exe
Token: SeTcbPrivilege	776	svchost.exe
Token: SeTcbPrivilege	776	svchost.exe
Token: SeTcbPrivilege	776	svchost.exe
Token: SeTcbPrivilege	776	svchost.exe
Token: SeTcbPrivilege	776	svchost.exe
Token: SeTcbPrivilege	776	svchost.exe
Token: SeTcbPrivilege	776	svchost.exe
Token: SeTcbPrivilege	776	svchost.exe
Token: SeTcbPrivilege	776	svchost.exe
Token: SeTcbPrivilege	776	svchost.exe
Token: SeTcbPrivilege	776	svchost.exe
Token: SeTcbPrivilege	776	svchost.exe
Token: SeTcbPrivilege	776	svchost.exe
Token: SeTcbPrivilege	776	svchost.exe
Token: SeTcbPrivilege	776	svchost.exe
Token: SeTcbPrivilege	776	svchost.exe
Token: SeTcbPrivilege	776	svchost.exe
Token: SeTcbPrivilege	776	svchost.exe
Token: SeTcbPrivilege	776	svchost.exe
Token: SeTcbPrivilege	776	svchost.exe
Token: SeTcbPrivilege	776	svchost.exe
Token: SeTcbPrivilege	776	svchost.exe
Token: SeTcbPrivilege	776	svchost.exe
Token: SeTcbPrivilege	776	svchost.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exevhwmdff.exevhwmdff.exesvchost.exe

description	pid	process	target process
PID 2260 wrote to memory of 220	2260	1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe	1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe
PID 2260 wrote to memory of 220	2260	1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe	1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe
PID 2260 wrote to memory of 220	2260	1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe	1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe
PID 2260 wrote to memory of 220	2260	1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe	1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe
PID 2260 wrote to memory of 220	2260	1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe	1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe
PID 2260 wrote to memory of 220	2260	1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe	1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe
PID 376 wrote to memory of 4080	376	vhwmdff.exe	vhwmdff.exe
PID 376 wrote to memory of 4080	376	vhwmdff.exe	vhwmdff.exe
PID 376 wrote to memory of 4080	376	vhwmdff.exe	vhwmdff.exe
PID 376 wrote to memory of 4080	376	vhwmdff.exe	vhwmdff.exe
PID 376 wrote to memory of 4080	376	vhwmdff.exe	vhwmdff.exe
PID 376 wrote to memory of 4080	376	vhwmdff.exe	vhwmdff.exe
PID 4080 wrote to memory of 776	4080	vhwmdff.exe	svchost.exe
PID 776 wrote to memory of 3164	776	svchost.exe	backgroundTaskHost.exe
PID 776 wrote to memory of 3164	776	svchost.exe	backgroundTaskHost.exe
PID 776 wrote to memory of 3164	776	svchost.exe	backgroundTaskHost.exe
PID 776 wrote to memory of 4104	776	svchost.exe	BackgroundTransferHost.exe
PID 776 wrote to memory of 4104	776	svchost.exe	BackgroundTransferHost.exe
PID 776 wrote to memory of 4104	776	svchost.exe	BackgroundTransferHost.exe
PID 776 wrote to memory of 944	776	svchost.exe	mousocoreworker.exe
PID 776 wrote to memory of 944	776	svchost.exe	mousocoreworker.exe
PID 776 wrote to memory of 3980	776	svchost.exe	BackgroundTransferHost.exe
PID 776 wrote to memory of 3980	776	svchost.exe	BackgroundTransferHost.exe
PID 776 wrote to memory of 3980	776	svchost.exe	BackgroundTransferHost.exe
PID 776 wrote to memory of 2192	776	svchost.exe	BackgroundTransferHost.exe
PID 776 wrote to memory of 2192	776	svchost.exe	BackgroundTransferHost.exe
PID 776 wrote to memory of 2192	776	svchost.exe	BackgroundTransferHost.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:776
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3164
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:4104
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:944
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:3980
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:2192

C:\Users\Admin\AppData\Local\Temp\1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe
"C:\Users\Admin\AppData\Local\Temp\1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe
  C:\Users\Admin\AppData\Local\Temp\1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 140
  2⤵
  - Program crash
  PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2260 -ip 2260
1⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe
C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:376
- C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe
  C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 140
  2⤵
  - Program crash
  PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 376 -ip 376
1⤵
PID:3384

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\nxzrgth

Filesize
654B

MD5
51bd94dcb99b291f2d9a0da5b8b4364e

SHA1
d2b19b788980cfcbaf76b195796147063ab0442a

SHA256
29c9b30032d458a667b5dc326346b9f763a1254633af2162d8a9ce5759a3b378

SHA512
a213b35560a0200180b098fff2d21e401ce08a4e8a0ff942423c2257c1f113b8be767e3a4a7e1a33263743555430a1bda6ac87b2e15a9483f89a9b51bb721649

Download Submit
C:\ProgramData\Adobe\nxzrgth

Filesize
654B

MD5
51bd94dcb99b291f2d9a0da5b8b4364e

SHA1
d2b19b788980cfcbaf76b195796147063ab0442a

SHA256
29c9b30032d458a667b5dc326346b9f763a1254633af2162d8a9ce5759a3b378

SHA512
a213b35560a0200180b098fff2d21e401ce08a4e8a0ff942423c2257c1f113b8be767e3a4a7e1a33263743555430a1bda6ac87b2e15a9483f89a9b51bb721649

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe

Filesize
890KB

MD5
edeb5dea8ad10ae0102a5888991036b9

SHA1
8ba3ed9ab88b8fd8c77ede0f304deeec8cef843d

SHA256
1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3

SHA512
7bc2c3ffa882abf8b45cdd4df0677aee2495c453b3fcfc486a5321ff14b62cce35566efce579f5773164cdc55d39e9e97fa57833b337d1e7def888d13838cecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe

Filesize
890KB

MD5
edeb5dea8ad10ae0102a5888991036b9

SHA1
8ba3ed9ab88b8fd8c77ede0f304deeec8cef843d

SHA256
1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3

SHA512
7bc2c3ffa882abf8b45cdd4df0677aee2495c453b3fcfc486a5321ff14b62cce35566efce579f5773164cdc55d39e9e97fa57833b337d1e7def888d13838cecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhwmdff.exe

Filesize
890KB

MD5
edeb5dea8ad10ae0102a5888991036b9

SHA1
8ba3ed9ab88b8fd8c77ede0f304deeec8cef843d

SHA256
1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3

SHA512
7bc2c3ffa882abf8b45cdd4df0677aee2495c453b3fcfc486a5321ff14b62cce35566efce579f5773164cdc55d39e9e97fa57833b337d1e7def888d13838cecd

Download Submit
memory/220-135-0x0000000000810000-0x0000000000A2A000-memory.dmp

Filesize
2.1MB

Download
memory/220-136-0x0000000000A30000-0x0000000000C7B000-memory.dmp

Filesize
2.3MB

Download
memory/220-132-0x0000000000000000-mapping.dmp

Download
memory/220-137-0x0000000000400000-0x00000000004A4600-memory.dmp

Filesize
657KB

Download
memory/220-133-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/776-146-0x0000000039300000-0x0000000039377000-memory.dmp

Filesize
476KB

Download
memory/944-151-0x0000000000000000-mapping.dmp

Download
memory/2192-153-0x0000000000000000-mapping.dmp

Download
memory/3164-149-0x0000000000000000-mapping.dmp

Download
memory/3980-152-0x0000000000000000-mapping.dmp

Download
memory/4080-140-0x0000000000000000-mapping.dmp

Download
memory/4080-145-0x0000000000980000-0x0000000000BCB000-memory.dmp

Filesize
2.3MB

Download
memory/4104-150-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads