5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146

General

Target

5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
Size

260KB
MD5

62429d650d4228fcced6b458eb63e91a
SHA1

e844029fc1d45047c75dafd5d3b93ec86b431a0d
SHA256

5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146
SHA512

2dfe745b97cc746dda87d20073ecaf8818d145444dd5acdf12c386fe5bf3861754cc30c9d8da0852948fae8078335aeaf354c11f1a22e49eed2bf8ca43f01fd8
SSDEEP

6144:HVyRQUrDVjUi3ZAmT2lq70xVP1YTCBlmsFvXXMI:HVy6Ur5VJ70/dME5XXB

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 18 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts

Modifies security service 2 TTPs 22 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\IPTLSIn
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\RPC-EPMap
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Security
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\ErrorControl = "0"
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Security
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\DeleteFlag = "1"
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\Teredo
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\ErrorControl = "0"
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\IPTLSOut
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Type = "32"
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Type = "32"
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\DeleteFlag = "1"
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\‮etadpug\ImagePath = "\"C:\\Program Files (x86)\\Google\\Desktop\\Install\\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\\ \\...\\\u202eﯹ๛\\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\\GoogleUpdate.exe\" <"	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1728 cmd.exe

pid	process
1728	cmd.exe

Unexpected DNS network traffic destination 11 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Update = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Desktop\\Install\\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\\❤≸⋙\\Ⱒ☠⍨\\\u202eﯹ๛\\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\\GoogleUpdate.exe\" >"	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

description ioc process

File created \systemroot\assembly\GAC_64\Desktop.ini
File created \systemroot\assembly\GAC_32\Desktop.ini

description	ioc	process
File created	\systemroot\assembly\GAC_64\Desktop.ini
File created	\systemroot\assembly\GAC_32\Desktop.ini

Suspicious use of SetThreadContext 1 IoCs

Processes:

5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe

description	pid	process	target process
PID 2016 set thread context of 1728	2016	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe	cmd.exe

Drops file in Program Files directory 22 IoCs

Processes:

5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File created	C:\Program Files (x86)\Google\Desktop\Install\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\ \...\‮ﯹ๛\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\@	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files (x86)\Google\Desktop\Install\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\ \...\‮ﯹ๛\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\@
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File created	C:\Program Files (x86)\Google\Desktop\Install\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\ \...\‮ﯹ๛\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\GoogleUpdate.exe	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files (x86)\Google\Desktop\Install\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\ \...\‮ﯹ๛\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\@\:@
File opened for modification	C:\Program Files\Windows Defender\de-DE:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\en-US:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe

NTFS ADS 19 IoCs

Processes:

5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Defender\it-IT:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files (x86)\Google\Desktop\Install\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\ \...\‮ﯹ๛\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\@\:@
File opened for modification	C:\Program Files\Windows Defender\fr-FR:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\en-US:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll:!	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe

pid	process
2016	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
2016	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
2016	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
2016	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
464

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1368

pid	process
1368

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe

pid	process
2016	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
2016	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe

description	pid	process
Token: SeRestorePrivilege	2016	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
Token: SeDebugPrivilege	2016	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
Token: SeDebugPrivilege	2016	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
Token: SeRestorePrivilege	2016	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
Token: SeBackupPrivilege	464
Token: SeRestorePrivilege	464
Token: SeSecurityPrivilege	464
Token: SeTakeOwnershipPrivilege	464
Token: SeBackupPrivilege	464
Token: SeRestorePrivilege	464
Token: SeSecurityPrivilege	464
Token: SeTakeOwnershipPrivilege	464
Token: SeBackupPrivilege	464
Token: SeRestorePrivilege	464
Token: SeSecurityPrivilege	464
Token: SeTakeOwnershipPrivilege	464
Token: SeBackupPrivilege	464
Token: SeRestorePrivilege	464
Token: SeSecurityPrivilege	464
Token: SeTakeOwnershipPrivilege	464
Token: SeBackupPrivilege	464
Token: SeRestorePrivilege	464
Token: SeSecurityPrivilege	464
Token: SeTakeOwnershipPrivilege	464
Token: SeBackupPrivilege	464
Token: SeRestorePrivilege	464
Token: SeSecurityPrivilege	464
Token: SeTakeOwnershipPrivilege	464
Token: SeBackupPrivilege	464
Token: SeRestorePrivilege	464
Token: SeSecurityPrivilege	464
Token: SeTakeOwnershipPrivilege	464
Token: SeBackupPrivilege	464
Token: SeRestorePrivilege	464
Token: SeSecurityPrivilege	464
Token: SeTakeOwnershipPrivilege	464
Token: SeDebugPrivilege	464

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1368
1368
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1368
1368

pid	process
1368
1368

pid	process
1368
1368

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe

description	pid	process	target process
PID 2016 wrote to memory of 1728	2016	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe	cmd.exe
PID 2016 wrote to memory of 1728	2016	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe	cmd.exe
PID 2016 wrote to memory of 1728	2016	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe	cmd.exe
PID 2016 wrote to memory of 1728	2016	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe	cmd.exe
PID 2016 wrote to memory of 1728	2016	5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe
"C:\Users\Admin\AppData\Local\Temp\5fedbc3b71195496fc6aebff9d06997c0540ee7a6a8570c86ead9551fddaf146.exe"
1⤵
- Modifies security service
- Sets service image path in registry
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Deletes itself
PID:1728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Desktop\Install\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\ \...\‮ﯹ๛\{d4e37f8e-5af0-9b64-e86d-0830097e992e}\@
Filesize
2KB

MD5
1ba1f75efc9a1c2d119a5c8a67a58b96

SHA1
9d9bdd42027871bcc8b9b763b3785f7dfd15ee87

SHA256
966303e92581e2f62785ff42744f56a74c23dcf61810ac2257abb983986ba244

SHA512
ab4810c5c38b95028007dd5c4914c54a4d58a6711dc6885861b20f609438b9e0d415e7cf5c34d0322e18d31a16259dd7edfedf4519f8b810eb8c7a9a2a8268e9

Download Submit
memory/464-58-0x0000000000170000-0x0000000000182000-memory.dmp

Filesize
72KB

Download
memory/464-62-0x0000000000170000-0x0000000000182000-memory.dmp

Filesize
72KB

Download
memory/1368-57-0x0000000002AD0000-0x0000000002AE2000-memory.dmp

Filesize
72KB

Download
memory/1368-63-0x000007FEF6600000-0x000007FEF6743000-memory.dmp

Filesize
1.3MB

Download
memory/1368-64-0x000007FEA1A10000-0x000007FEA1A1A000-memory.dmp

Filesize
40KB

Download
memory/1728-59-0x0000000000000000-mapping.dmp

Download
memory/2016-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/2016-55-0x00000000002B0000-0x00000000002F6000-memory.dmp

Filesize
280KB

Download
memory/2016-56-0x0000000002320000-0x0000000002341000-memory.dmp

Filesize
132KB

Download
memory/2016-60-0x0000000002320000-0x0000000002341000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads