a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe

General

Target

a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe
Size

164KB
MD5

16217888a5b9d3c1d118cc0ae0ea2e00
SHA1

5b2618b99d256e35c87cbffa81dfbb3f54ded978
SHA256

a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe
SHA512

9dbea0f98d0ff7fdfb5cce6720adec1b85ab16f58881dfb5a79f6784b4392a1a1caaf371311f617cf2076806dc5bef89eeade2527865e1505f63abb4a6f6cfd1
SSDEEP

1536:oz3McnjKk9gil9Lo/wjkHKQASMdzJaGAfXuUVjbzbL/:WJrdcwQHVAS4zRaXuQvf

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1952	services437.exe
4540	services437.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\services437.exe"	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\services437.exe"	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	services437.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\services437.exe"	services437.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	services437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\services437.exe"	services437.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	services437.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Adobe Reader Speed Launcher = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\services437.exe"	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Adobe Reader Speed Launcher = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\services437.exe"	services437.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4032 set thread context of 2592	4032	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe	80
PID 1952 set thread context of 4540	1952	services437.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4540	services437.exe
4540	services437.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4540	services437.exe
Token: SeDebugPrivilege	4540	services437.exe
Token: SeDebugPrivilege	4540	services437.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 2592	4032	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe	80
PID 4032 wrote to memory of 2592	4032	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe	80
PID 4032 wrote to memory of 2592	4032	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe	80
PID 4032 wrote to memory of 2592	4032	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe	80
PID 4032 wrote to memory of 2592	4032	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe	80
PID 4032 wrote to memory of 2592	4032	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe	80
PID 4032 wrote to memory of 2592	4032	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe	80
PID 4032 wrote to memory of 2592	4032	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe	80
PID 2592 wrote to memory of 1952	2592	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe	81
PID 2592 wrote to memory of 1952	2592	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe	81
PID 2592 wrote to memory of 1952	2592	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe	81
PID 1952 wrote to memory of 4540	1952	services437.exe	84
PID 1952 wrote to memory of 4540	1952	services437.exe	84
PID 1952 wrote to memory of 4540	1952	services437.exe	84
PID 1952 wrote to memory of 4540	1952	services437.exe	84
PID 1952 wrote to memory of 4540	1952	services437.exe	84
PID 1952 wrote to memory of 4540	1952	services437.exe	84
PID 1952 wrote to memory of 4540	1952	services437.exe	84
PID 1952 wrote to memory of 4540	1952	services437.exe	84
PID 4540 wrote to memory of 2404	4540	services437.exe	67
PID 4540 wrote to memory of 2404	4540	services437.exe	67

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2404

C:\Users\Admin\AppData\Local\Temp\a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe
"C:\Users\Admin\AppData\Local\Temp\a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Users\Admin\AppData\Local\Temp\a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe
  "C:\Users\Admin\AppData\Local\Temp\a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe"
  2⤵
  - Adds Run key to start application
  - Modifies WinLogon
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Users\Admin\AppData\Roaming\Microsoft\services437.exe
    -n
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Users\Admin\AppData\Roaming\Microsoft\services437.exe
      -n
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Modifies WinLogon
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\services437.exe

Filesize
164KB

MD5
16217888a5b9d3c1d118cc0ae0ea2e00

SHA1
5b2618b99d256e35c87cbffa81dfbb3f54ded978

SHA256
a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe

SHA512
9dbea0f98d0ff7fdfb5cce6720adec1b85ab16f58881dfb5a79f6784b4392a1a1caaf371311f617cf2076806dc5bef89eeade2527865e1505f63abb4a6f6cfd1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\services437.exe

Filesize
164KB

MD5
16217888a5b9d3c1d118cc0ae0ea2e00

SHA1
5b2618b99d256e35c87cbffa81dfbb3f54ded978

SHA256
a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe

SHA512
9dbea0f98d0ff7fdfb5cce6720adec1b85ab16f58881dfb5a79f6784b4392a1a1caaf371311f617cf2076806dc5bef89eeade2527865e1505f63abb4a6f6cfd1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\services437.exe

Filesize
164KB

MD5
16217888a5b9d3c1d118cc0ae0ea2e00

SHA1
5b2618b99d256e35c87cbffa81dfbb3f54ded978

SHA256
a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe

SHA512
9dbea0f98d0ff7fdfb5cce6720adec1b85ab16f58881dfb5a79f6784b4392a1a1caaf371311f617cf2076806dc5bef89eeade2527865e1505f63abb4a6f6cfd1

Download Submit
memory/1952-148-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1952-141-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2592-137-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2592-138-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2592-142-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2592-134-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4032-136-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4032-132-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4540-150-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4540-151-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads