a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7

General

Target

a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe
Size

72KB
MD5

9247d7d71aba8b77b22fd114270cac89
SHA1

6b985e5435752770dff8cec8d5df5ad11fe18593
SHA256

a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7
SHA512

8016d092ace9f9d01852ea6044f0c416ca2c5c243f6b27a57d70f47c9c7f7ce18859c843343623bc21615763ca809b28396dc36afef6f981433b2db6c19a9315
SSDEEP

384:N6wayA+1mwnA353BXR+oGfPmfm4MlcTGXdhjwroyY2rebV5O6KgxWb/83BXR+oGM:NpQNwC3BESe4Vqth+0V5vKlE3BEJwRrJ

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 3 IoCs

pid	Process
4976	backup.exe
3972	backup.exe
1556	backup.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3440	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe
4976	backup.exe
3972	backup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 4976	3440	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	83
PID 3440 wrote to memory of 4976	3440	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	83
PID 3440 wrote to memory of 4976	3440	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	83
PID 3440 wrote to memory of 3972	3440	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	85
PID 3440 wrote to memory of 3972	3440	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	85
PID 3440 wrote to memory of 3972	3440	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe	85
PID 4976 wrote to memory of 1556	4976	backup.exe	87
PID 4976 wrote to memory of 1556	4976	backup.exe	87
PID 4976 wrote to memory of 1556	4976	backup.exe	87

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe

C:\Users\Admin\AppData\Local\Temp\a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe
"C:\Users\Admin\AppData\Local\Temp\a333fcb56dc821bf692749acb699ad94de6da5df821d92cd5871f75b310390b7.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3440
- C:\Users\Admin\AppData\Local\Temp\1000009657\backup.exe
  C:\Users\Admin\AppData\Local\Temp\1000009657\backup.exe C:\Users\Admin\AppData\Local\Temp\1000009657\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4976
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    PID:1556
- C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe C:\Users\Admin\AppData\Local\Temp\acrocef_low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000009657\backup.exe

Filesize
72KB

MD5
a629a93d0cbc70a3d7c93d8718a161e6

SHA1
f100e245623a328bffbd87d6ecf84dfe926ab054

SHA256
5ab3456cbbc5670723c2e30f38daeb76b57e7cc777263424f65665c9163d120e

SHA512
e1700f95449f14ab0e6382f586f1f9f2a33a70d753e3ba28d5eec04dda9585ebeffc861ea956f5963f89bfb02fd29d9ac133c30f6a744672d5c926a65502cfc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009657\backup.exe

Filesize
72KB

MD5
a629a93d0cbc70a3d7c93d8718a161e6

SHA1
f100e245623a328bffbd87d6ecf84dfe926ab054

SHA256
5ab3456cbbc5670723c2e30f38daeb76b57e7cc777263424f65665c9163d120e

SHA512
e1700f95449f14ab0e6382f586f1f9f2a33a70d753e3ba28d5eec04dda9585ebeffc861ea956f5963f89bfb02fd29d9ac133c30f6a744672d5c926a65502cfc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
bc2bac35a1ded405de1096c68fbba208

SHA1
80bd197b1b03a7ec93b11cfd07e8c40751c72118

SHA256
ffbf4bcd280312944a4215fb905242c4c8be29b6f65efd2b8b59e8414294da35

SHA512
393b636490ca0279382a8ad01d333ddef94a4b52ee35050983a5b92b8b37836b02631f2229f4aff1febcc2a3cb432a7109c3bbd10d9c8ad2476e884484d412cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low\backup.exe

Filesize
72KB

MD5
bc2bac35a1ded405de1096c68fbba208

SHA1
80bd197b1b03a7ec93b11cfd07e8c40751c72118

SHA256
ffbf4bcd280312944a4215fb905242c4c8be29b6f65efd2b8b59e8414294da35

SHA512
393b636490ca0279382a8ad01d333ddef94a4b52ee35050983a5b92b8b37836b02631f2229f4aff1febcc2a3cb432a7109c3bbd10d9c8ad2476e884484d412cf

Download Submit
C:\backup.exe

Filesize
72KB

MD5
9d45c529aac5e730cf39f282e1a16945

SHA1
81857f16dc313d905aafcedd2923bf56f79b0d16

SHA256
f3cd053d1f09f134bd85cfd71e3a480cd3371602f14dd69d8f5bc773f2f963bb

SHA512
e16d922f1917fb7bc59f2cbf230fd9992fc73dc98d6306302e761b87472712e82b6492fffa38ca5b3480920eadcf269d4275b80f0130b572ea3679f5b8c02d29

Download Submit
C:\backup.exe

Filesize
72KB

MD5
9d45c529aac5e730cf39f282e1a16945

SHA1
81857f16dc313d905aafcedd2923bf56f79b0d16

SHA256
f3cd053d1f09f134bd85cfd71e3a480cd3371602f14dd69d8f5bc773f2f963bb

SHA512
e16d922f1917fb7bc59f2cbf230fd9992fc73dc98d6306302e761b87472712e82b6492fffa38ca5b3480920eadcf269d4275b80f0130b572ea3679f5b8c02d29

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads