18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d

General

Target

18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe
Size

360KB
MD5

1a6a48789f351461e05a0ca047049490
SHA1

2ce8a5d5ee4a2dfcb0008915a6dde76e8f86a147
SHA256

18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d
SHA512

2af1148b7b7aca71a53c693a38db63d4513c3d6844eff2d0fb59102a0e93228c59dd8af8fef283506a18ab45b27ef424efc1751d67890b819a4b102c95e70a99
SSDEEP

6144:N9fryZqCvQVx6msZDy/dVSp24rzGgEE+bVRjYGfGSAr+59YQOQWI:NJryZdv66mIDy/d46gEEoTjYGfGSdTpd

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4868	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1696 set thread context of 4868	1696	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe	80

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1620	1696	WerFault.exe	77
4336	1696	WerFault.exe	77

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S9.Document\DefaultIcon	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\S9.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\18E681~1.EXE /p \"%1\""	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S9.Document\shell\printto	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.s\ShellNew\NullFile	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S9.Document\shell	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S9.Document\shell\open	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S9.Document\shell\print\command	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S9.Document\shell\print	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.s	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\S9.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\18E681~1.EXE,0"	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S9.Document\shell\open\command	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\S9.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\18E681~1.EXE \"%1\""	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\S9.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\18E681~1.EXE /pt \"%1\" \"%2\" \"%3\" \"%4\""	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.s\ = "S9.Document"	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S9.Document	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\S9.Document\ = "S9 Document"	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\S9.Document\shell\printto\command	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.s\ShellNew	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1696	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe
1696	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1696	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe
1696	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 3500	1696	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe	79
PID 1696 wrote to memory of 3500	1696	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe	79
PID 1696 wrote to memory of 3500	1696	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe	79
PID 1696 wrote to memory of 4868	1696	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe	80
PID 1696 wrote to memory of 4868	1696	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe	80
PID 1696 wrote to memory of 4868	1696	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe	80
PID 1696 wrote to memory of 4868	1696	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe	80
PID 1696 wrote to memory of 4868	1696	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe	80
PID 1696 wrote to memory of 4868	1696	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe	80
PID 1696 wrote to memory of 4868	1696	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe	80
PID 1696 wrote to memory of 4868	1696	18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe	80
PID 3500 wrote to memory of 4844	3500	cmd.exe	83
PID 3500 wrote to memory of 4844	3500	cmd.exe	83
PID 3500 wrote to memory of 4844	3500	cmd.exe	83
PID 4844 wrote to memory of 4084	4844	net.exe	85
PID 4844 wrote to memory of 4084	4844	net.exe	85
PID 4844 wrote to memory of 4084	4844	net.exe	85

C:\Users\Admin\AppData\Local\Temp\18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe
"C:\Users\Admin\AppData\Local\Temp\18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\SysWOW64\cmd.exe
  /c net stop MpsSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:4084
- C:\Users\Admin\AppData\Local\Temp\18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe
  C:\Users\Admin\AppData\Local\Temp\18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 260
  2⤵
  - Program crash
  PID:1620
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 260
  2⤵
  - Program crash
  PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 1696 -ip 1696
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1696 -ip 1696
1⤵
PID:2464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d.exe

Filesize
360KB

MD5
1a6a48789f351461e05a0ca047049490

SHA1
2ce8a5d5ee4a2dfcb0008915a6dde76e8f86a147

SHA256
18e681b5faa44d56f54a0265f4ae544045c6cd0d54fd80dc02deb6818b48769d

SHA512
2af1148b7b7aca71a53c693a38db63d4513c3d6844eff2d0fb59102a0e93228c59dd8af8fef283506a18ab45b27ef424efc1751d67890b819a4b102c95e70a99

Download Submit
memory/1696-132-0x0000000000710000-0x0000000000714000-memory.dmp

Filesize
16KB

Download
memory/3500-133-0x0000000000000000-mapping.dmp

Download
memory/4084-139-0x0000000000000000-mapping.dmp

Download
memory/4844-138-0x0000000000000000-mapping.dmp

Download
memory/4868-135-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4868-134-0x0000000000000000-mapping.dmp

Download
memory/4868-140-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing