12cfe9977cd669018236d56c3bbb46139039a8b346e6c6efac04604ef7dee139

General

Target

12cfe9977cd669018236d56c3bbb46139039a8b346e6c6efac04604ef7dee139.exe
Size

140KB
MD5

e05c617916fa14f40f7d2d7252ce58ba
SHA1

92c415f627b3f5fa6d4ccfca5b73ada7ec993e61
SHA256

12cfe9977cd669018236d56c3bbb46139039a8b346e6c6efac04604ef7dee139
SHA512

0c52b9f14e96e3bf01d95076219f6c8337e5bd40cc9bc56f1fd7bc45fe3f2165b5f25325b312ddc88b782f05a8c9d4200f30c5c71ca39c42da4742bfd35172ef
SSDEEP

1536:jLe2G4hiyrKfU0B296MAkgu8cBjFouoGNWAD5v2i9l4hT:OEhiy2fR0UMANYoufIAcySh

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Google = "C:\\Users\\Admin\\AppData\\Roaming\\abgjtdcv\\wuivtsru.exe"	svchost.exe

Deletes itself 1 IoCs

pid	Process
1240	svchost.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	12cfe9977cd669018236d56c3bbb46139039a8b346e6c6efac04604ef7dee139.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	12cfe9977cd669018236d56c3bbb46139039a8b346e6c6efac04604ef7dee139.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2020 set thread context of 1184	2020	12cfe9977cd669018236d56c3bbb46139039a8b346e6c6efac04604ef7dee139.exe	28

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1184	12cfe9977cd669018236d56c3bbb46139039a8b346e6c6efac04604ef7dee139.exe
1184	12cfe9977cd669018236d56c3bbb46139039a8b346e6c6efac04604ef7dee139.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2020	12cfe9977cd669018236d56c3bbb46139039a8b346e6c6efac04604ef7dee139.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1184	2020	12cfe9977cd669018236d56c3bbb46139039a8b346e6c6efac04604ef7dee139.exe	28
PID 2020 wrote to memory of 1184	2020	12cfe9977cd669018236d56c3bbb46139039a8b346e6c6efac04604ef7dee139.exe	28
PID 2020 wrote to memory of 1184	2020	12cfe9977cd669018236d56c3bbb46139039a8b346e6c6efac04604ef7dee139.exe	28
PID 2020 wrote to memory of 1184	2020	12cfe9977cd669018236d56c3bbb46139039a8b346e6c6efac04604ef7dee139.exe	28
PID 2020 wrote to memory of 1184	2020	12cfe9977cd669018236d56c3bbb46139039a8b346e6c6efac04604ef7dee139.exe	28
PID 2020 wrote to memory of 1184	2020	12cfe9977cd669018236d56c3bbb46139039a8b346e6c6efac04604ef7dee139.exe	28
PID 2020 wrote to memory of 1184	2020	12cfe9977cd669018236d56c3bbb46139039a8b346e6c6efac04604ef7dee139.exe	28
PID 1184 wrote to memory of 1240	1184	12cfe9977cd669018236d56c3bbb46139039a8b346e6c6efac04604ef7dee139.exe	29
PID 1184 wrote to memory of 1240	1184	12cfe9977cd669018236d56c3bbb46139039a8b346e6c6efac04604ef7dee139.exe	29
PID 1184 wrote to memory of 1240	1184	12cfe9977cd669018236d56c3bbb46139039a8b346e6c6efac04604ef7dee139.exe	29
PID 1184 wrote to memory of 1240	1184	12cfe9977cd669018236d56c3bbb46139039a8b346e6c6efac04604ef7dee139.exe	29

C:\Users\Admin\AppData\Local\Temp\12cfe9977cd669018236d56c3bbb46139039a8b346e6c6efac04604ef7dee139.exe
"C:\Users\Admin\AppData\Local\Temp\12cfe9977cd669018236d56c3bbb46139039a8b346e6c6efac04604ef7dee139.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\12cfe9977cd669018236d56c3bbb46139039a8b346e6c6efac04604ef7dee139.exe
  "C:\Users\Admin\AppData\Local\Temp\12cfe9977cd669018236d56c3bbb46139039a8b346e6c6efac04604ef7dee139.exe"
  2⤵
  - Maps connected drives based on registry
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Adds policy Run key to start application
    - Deletes itself
    PID:1240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1184-56-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1184-58-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1184-59-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1184-61-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1240-62-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download
memory/1240-63-0x00000000000F0000-0x00000000000F8000-memory.dmp

Filesize
32KB

Download
memory/1240-64-0x0000000000080000-0x0000000000086000-memory.dmp

Filesize
24KB

Download
memory/1240-65-0x0000000000030000-0x000000000003D000-memory.dmp

Filesize
52KB

Download
memory/1240-66-0x0000000000030000-0x000000000003D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing