22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55

General

Target

22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe
Size

700.4MB
MD5

96319a877bcdee0b4788a88b69b1f215
SHA1

6e1645c605965b20fab6775c0b676401cbbff00d
SHA256

22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55
SHA512

b2fcfe7a1a75b24323ba0ff96821c1561932f0c06136c4100b05eddfd667f9aecf6d488eed12c8cda52c2d9789d9120a24b7e16fc90b2c75d521563211c302c8
SSDEEP

6144:/EopXhSxHralFw1nXEjb5QM0Pq5Ml2QOyAm2c84fHNArD7V/2c84fH:2rkSnXEjupPa1QdAm2lgNCDx/2lg

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\nvmcache\\raadmin.exe,"	reg.exe

Executes dropped EXE 1 IoCs

Processes:

raadmin.exe

pid process

1148 raadmin.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1992 cmd.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

996 PING.EXE
1232 PING.EXE
584 PING.EXE

pid	process
1148	raadmin.exe

pid	process
1992	cmd.exe

pid	process
996	PING.EXE
1232	PING.EXE
584	PING.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exeraadmin.exe

pid	process
1932	22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe
1932	22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe
1932	22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe
1148	raadmin.exe
1148	raadmin.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exeraadmin.exe

description	pid	process
Token: SeDebugPrivilege	1932	22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe
Token: SeDebugPrivilege	1148	raadmin.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.execmd.execmd.exe

description	pid	process	target process
PID 1932 wrote to memory of 1344	1932	22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe	cmd.exe
PID 1932 wrote to memory of 1344	1932	22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe	cmd.exe
PID 1932 wrote to memory of 1344	1932	22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe	cmd.exe
PID 1932 wrote to memory of 1344	1932	22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe	cmd.exe
PID 1344 wrote to memory of 996	1344	cmd.exe	PING.EXE
PID 1344 wrote to memory of 996	1344	cmd.exe	PING.EXE
PID 1344 wrote to memory of 996	1344	cmd.exe	PING.EXE
PID 1344 wrote to memory of 996	1344	cmd.exe	PING.EXE
PID 1932 wrote to memory of 1992	1932	22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe	cmd.exe
PID 1932 wrote to memory of 1992	1932	22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe	cmd.exe
PID 1932 wrote to memory of 1992	1932	22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe	cmd.exe
PID 1932 wrote to memory of 1992	1932	22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe	cmd.exe
PID 1992 wrote to memory of 1232	1992	cmd.exe	PING.EXE
PID 1992 wrote to memory of 1232	1992	cmd.exe	PING.EXE
PID 1992 wrote to memory of 1232	1992	cmd.exe	PING.EXE
PID 1992 wrote to memory of 1232	1992	cmd.exe	PING.EXE
PID 1344 wrote to memory of 824	1344	cmd.exe	reg.exe
PID 1344 wrote to memory of 824	1344	cmd.exe	reg.exe
PID 1344 wrote to memory of 824	1344	cmd.exe	reg.exe
PID 1344 wrote to memory of 824	1344	cmd.exe	reg.exe
PID 1992 wrote to memory of 584	1992	cmd.exe	PING.EXE
PID 1992 wrote to memory of 584	1992	cmd.exe	PING.EXE
PID 1992 wrote to memory of 584	1992	cmd.exe	PING.EXE
PID 1992 wrote to memory of 584	1992	cmd.exe	PING.EXE
PID 1992 wrote to memory of 1148	1992	cmd.exe	raadmin.exe
PID 1992 wrote to memory of 1148	1992	cmd.exe	raadmin.exe
PID 1992 wrote to memory of 1148	1992	cmd.exe	raadmin.exe
PID 1992 wrote to memory of 1148	1992	cmd.exe	raadmin.exe

C:\Users\Admin\AppData\Local\Temp\22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe
"C:\Users\Admin\AppData\Local\Temp\22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 58 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\nvmcache\raadmin.exe,"
2⤵
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 58
3⤵
- Runs ping.exe
PID:996

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\nvmcache\raadmin.exe,"
3⤵
- Modifies WinLogon for persistence
PID:824

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 57 > nul && copy "C:\Users\Admin\AppData\Local\Temp\22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe" "C:\Users\Admin\AppData\Roaming\nvmcache\raadmin.exe" && ping 127.0.0.1 -n 57 > nul && "C:\Users\Admin\AppData\Roaming\nvmcache\raadmin.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 57
3⤵
- Runs ping.exe
PID:1232

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 57
3⤵
- Runs ping.exe
PID:584

C:\Users\Admin\AppData\Roaming\nvmcache\raadmin.exe
"C:\Users\Admin\AppData\Roaming\nvmcache\raadmin.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\nvmcache\raadmin.exe

Filesize
124.9MB

MD5
f1c2dfde5f67ea6f475bfccf4b685d1e

SHA1
13e0a7899225cf82ceac4ee4d1106a33d7213b8f

SHA256
cbc2e3d5dd56efa79331fae589946f0fd9b351a220af09516a5157f89dad0963

SHA512
8fc5789dd2f8b457dbb734c5068059c8e1f4497d2396a917e20f161ba51ccc17c28ec14fa72bbb700cb22d3b654c85a0f5a0850456a888c0a990682d7cf3c031

Download Submit
C:\Users\Admin\AppData\Roaming\nvmcache\raadmin.exe

Filesize
110.8MB

MD5
1ccc780041fbc4eb698d91cdd9ed11ed

SHA1
53b28e9bc7b0cbe5f0bd560e33ab24fa3ed0c34b

SHA256
34379ddfc730cab2b4aeeafb0f76ea4699cf54fd3174c747ece913603b17703d

SHA512
7b513be0b3692a46e3be02b4abb6627d802d149fefab418f7fcc15e80b76243614859f47a35052f1d8b8ba87719041122a894899ccf5d41a76db35e52277e6ec

Download Submit
\Users\Admin\AppData\Roaming\nvmcache\raadmin.exe

Filesize
87.6MB

MD5
74edd42b463d627c26b759eeaee1bf00

SHA1
72ba590aa21ec52d3c3f905be7dd2925addd2079

SHA256
df0426df83deb881669722e33dce383e1be6c47631f589273f7689c42c920b62

SHA512
1108a57571221644e55af07b9c6433a609ff8e45e69679e4a728b2efce78add7edb073510ec0fe365f5b0fc2f7f5072fe3d65c1b9327b687a7da24259d2e8be0

Download Submit
memory/584-63-0x0000000000000000-mapping.dmp

Download
memory/824-62-0x0000000000000000-mapping.dmp

Download
memory/996-59-0x0000000000000000-mapping.dmp

Download
memory/1148-68-0x0000000000200000-0x0000000000284000-memory.dmp

Filesize
528KB

Download
memory/1148-65-0x0000000000000000-mapping.dmp

Download
memory/1232-61-0x0000000000000000-mapping.dmp

Download
memory/1344-58-0x0000000000000000-mapping.dmp

Download
memory/1932-57-0x0000000000AD0000-0x0000000000AE8000-memory.dmp

Filesize
96KB

Download
memory/1932-54-0x00000000012F0000-0x0000000001374000-memory.dmp

Filesize
528KB

Download
memory/1932-56-0x0000000000A60000-0x0000000000A90000-memory.dmp

Filesize
192KB

Download
memory/1932-55-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/1992-60-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads