c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e

General

Target

c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
Size

368KB
MD5

57945b8ce75c97ea99c38c5777e974da
SHA1

77e4943699d40eddf11d17b51c7dd3b58e1dd400
SHA256

c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e
SHA512

02d85bf64341e0214ba8a9aeed0481365f4876bdabee7cb98d365ca668e7976120ccb8b1e87f77e5bac31b8c6e7633a9d5c23a7aa6a319009e6faa677698e5f7
SSDEEP

6144:B6AS148eFyo7Y+OcZklufFNR7O2Vp36zUIYxwrAAQYmeynXluXW:/S1480yo7BuOFD7rgzUOcAQ5vXU

Score

8^/10

evasion persistence

Malware Config

Signatures

Blocks application from running via registry modification 7 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "cmd.exe"	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "mmc.exe"	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "rstrui.exe"	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "regedit.exe"	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "regedt32.exe"	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "0"	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FrameWorkService	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FrameWorkService	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\j:	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
File opened (read-only)	\??\k:	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
File opened (read-only)	\??\m:	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
File opened (read-only)	\??\s:	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
File opened (read-only)	\??\x:	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
File opened (read-only)	\??\f:	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
File opened (read-only)	\??\g:	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
File opened (read-only)	\??\h:	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
File opened (read-only)	\??\y:	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
File opened (read-only)	\??\u:	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
File opened (read-only)	\??\z:	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
File opened (read-only)	\??\n:	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
File opened (read-only)	\??\o:	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
File opened (read-only)	\??\p:	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
File opened (read-only)	\??\v:	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
File opened (read-only)	\??\e:	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
File opened (read-only)	\??\i:	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
File opened (read-only)	\??\t:	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
File opened (read-only)	\??\w:	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
File opened (read-only)	\??\l:	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
File opened (read-only)	\??\q:	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
File opened (read-only)	\??\r:	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sexy Girls.scr	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Inf\smss.exe	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
File opened for modification	C:\Windows\Inf\smss.exe	c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe

C:\Users\Admin\AppData\Local\Temp\c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe
"C:\Users\Admin\AppData\Local\Temp\c564794db702720d4f036ed767b03ddbe014ffe6932e187146dfdf7797a4ef4e.exe"
1⤵
- Blocks application from running via registry modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
PID:2700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2700-132-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2700-133-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing