e7da4b735f0ad0e57923ef9a0a69a4849b9bdefac0e5d36bfc9fdcfed34c6485

General

Target

e7da4b735f0ad0e57923ef9a0a69a4849b9bdefac0e5d36bfc9fdcfed34c6485.exe
Size

157KB
MD5

179b6f8293556dda8dd4618686646af0
SHA1

9da30ce49f793e41b7f7cfb1d35a18b293b151a2
SHA256

e7da4b735f0ad0e57923ef9a0a69a4849b9bdefac0e5d36bfc9fdcfed34c6485
SHA512

14f20aded7f0f03c3a2609b8b3e2cfcd0efbf205504792ed9bd9d960fdca7a5d240b5bb04ce945ffe6ab733373b5b23409d446fd8283607619cfe98f1215171a
SSDEEP

1536:gkWbhgW5o1oS4l1TfG8Umu3/IdsGmPIxl8F4L0a8fcqQA65Oi:FW+1oS4l5OeuQdrmwvL8EqQA65Oi

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\24275 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\cciadkyhv.pif"	msiexec.exe

Blocklisted process makes network request 25 IoCs

flow	pid	Process
3	956	msiexec.exe
4	956	msiexec.exe
5	956	msiexec.exe
6	956	msiexec.exe
7	956	msiexec.exe
8	956	msiexec.exe
9	956	msiexec.exe
10	956	msiexec.exe
11	956	msiexec.exe
12	956	msiexec.exe
13	956	msiexec.exe
14	956	msiexec.exe
15	956	msiexec.exe
16	956	msiexec.exe
17	956	msiexec.exe
18	956	msiexec.exe
19	956	msiexec.exe
20	956	msiexec.exe
21	956	msiexec.exe
22	956	msiexec.exe
23	956	msiexec.exe
24	956	msiexec.exe
25	956	msiexec.exe
26	956	msiexec.exe
27	956	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 1664	2040	e7da4b735f0ad0e57923ef9a0a69a4849b9bdefac0e5d36bfc9fdcfed34c6485.exe	28

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\LOCALS~1\Temp\cciadkyhv.pif	msiexec.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1664	e7da4b735f0ad0e57923ef9a0a69a4849b9bdefac0e5d36bfc9fdcfed34c6485.exe
1664	e7da4b735f0ad0e57923ef9a0a69a4849b9bdefac0e5d36bfc9fdcfed34c6485.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1664	2040	e7da4b735f0ad0e57923ef9a0a69a4849b9bdefac0e5d36bfc9fdcfed34c6485.exe	28
PID 2040 wrote to memory of 1664	2040	e7da4b735f0ad0e57923ef9a0a69a4849b9bdefac0e5d36bfc9fdcfed34c6485.exe	28
PID 2040 wrote to memory of 1664	2040	e7da4b735f0ad0e57923ef9a0a69a4849b9bdefac0e5d36bfc9fdcfed34c6485.exe	28
PID 2040 wrote to memory of 1664	2040	e7da4b735f0ad0e57923ef9a0a69a4849b9bdefac0e5d36bfc9fdcfed34c6485.exe	28
PID 2040 wrote to memory of 1664	2040	e7da4b735f0ad0e57923ef9a0a69a4849b9bdefac0e5d36bfc9fdcfed34c6485.exe	28
PID 2040 wrote to memory of 1664	2040	e7da4b735f0ad0e57923ef9a0a69a4849b9bdefac0e5d36bfc9fdcfed34c6485.exe	28
PID 2040 wrote to memory of 1664	2040	e7da4b735f0ad0e57923ef9a0a69a4849b9bdefac0e5d36bfc9fdcfed34c6485.exe	28
PID 1664 wrote to memory of 956	1664	e7da4b735f0ad0e57923ef9a0a69a4849b9bdefac0e5d36bfc9fdcfed34c6485.exe	29
PID 1664 wrote to memory of 956	1664	e7da4b735f0ad0e57923ef9a0a69a4849b9bdefac0e5d36bfc9fdcfed34c6485.exe	29
PID 1664 wrote to memory of 956	1664	e7da4b735f0ad0e57923ef9a0a69a4849b9bdefac0e5d36bfc9fdcfed34c6485.exe	29
PID 1664 wrote to memory of 956	1664	e7da4b735f0ad0e57923ef9a0a69a4849b9bdefac0e5d36bfc9fdcfed34c6485.exe	29
PID 1664 wrote to memory of 956	1664	e7da4b735f0ad0e57923ef9a0a69a4849b9bdefac0e5d36bfc9fdcfed34c6485.exe	29
PID 1664 wrote to memory of 956	1664	e7da4b735f0ad0e57923ef9a0a69a4849b9bdefac0e5d36bfc9fdcfed34c6485.exe	29
PID 1664 wrote to memory of 956	1664	e7da4b735f0ad0e57923ef9a0a69a4849b9bdefac0e5d36bfc9fdcfed34c6485.exe	29

C:\Users\Admin\AppData\Local\Temp\e7da4b735f0ad0e57923ef9a0a69a4849b9bdefac0e5d36bfc9fdcfed34c6485.exe
"C:\Users\Admin\AppData\Local\Temp\e7da4b735f0ad0e57923ef9a0a69a4849b9bdefac0e5d36bfc9fdcfed34c6485.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\e7da4b735f0ad0e57923ef9a0a69a4849b9bdefac0e5d36bfc9fdcfed34c6485.exe
  "C:\Users\Admin\AppData\Local\Temp\e7da4b735f0ad0e57923ef9a0a69a4849b9bdefac0e5d36bfc9fdcfed34c6485.exe"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\syswow64\msiexec.exe
    C:\Windows\syswow64\msiexec.exe
    3⤵
    - Adds policy Run key to start application
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    PID:956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/956-63-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/956-64-0x0000000000BF0000-0x0000000000C04000-memory.dmp

Filesize
80KB

Download
memory/956-65-0x00000000000C0000-0x00000000000C5000-memory.dmp

Filesize
20KB

Download
memory/956-66-0x00000000000C0000-0x00000000000C5000-memory.dmp

Filesize
20KB

Download
memory/1664-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1664-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1664-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1664-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1664-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing