f6b889372577c64227b230609e8404d4629288ec1ae4df7376d6005361d3d69a

General

Target

357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
Size

614KB
MD5

5a2b7e55e12b6be111413e81cbc829d8
SHA1

feee5eea1ba33a666fb61f876c80230d97ba8b47
SHA256

357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51
SHA512

9e1c78e83a0c4342cf4f560eb4c81c3a7ca52f360adf594ddc654f9a1f56837b6339da3c2d74a4b525865832d937d181b8f13137c1870b05b87dcf4cfce8fc20
SSDEEP

12288:6rxXmSBr7wHt5c/yq1HcmZCqsyKEJgnzAS6n2jj:6JYvcRd1ZC1XE4MSHf

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe

description	pid	process	target process
PID 1204 set thread context of 1680	1204	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	Setup.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1744 1680 WerFault.exe Setup.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe

pid process

1204 357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe

pid	pid_target	process	target process
1744	1680	WerFault.exe	Setup.exe

pid	process
1204	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe

description	pid	process
Token: SeDebugPrivilege	1204	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
Token: SeLoadDriverPrivilege	1204	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exeSetup.exe

description	pid	process	target process
PID 1204 wrote to memory of 1680	1204	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	Setup.exe
PID 1204 wrote to memory of 1680	1204	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	Setup.exe
PID 1204 wrote to memory of 1680	1204	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	Setup.exe
PID 1204 wrote to memory of 1680	1204	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	Setup.exe
PID 1204 wrote to memory of 1680	1204	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	Setup.exe
PID 1204 wrote to memory of 1680	1204	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	Setup.exe
PID 1204 wrote to memory of 1680	1204	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	Setup.exe
PID 1204 wrote to memory of 1680	1204	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	Setup.exe
PID 1204 wrote to memory of 1680	1204	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	Setup.exe
PID 1204 wrote to memory of 1680	1204	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	Setup.exe
PID 1204 wrote to memory of 1680	1204	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	Setup.exe
PID 1204 wrote to memory of 1680	1204	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	Setup.exe
PID 1204 wrote to memory of 1680	1204	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	Setup.exe
PID 1204 wrote to memory of 1680	1204	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	Setup.exe
PID 1204 wrote to memory of 1680	1204	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	Setup.exe
PID 1680 wrote to memory of 1744	1680	Setup.exe	WerFault.exe
PID 1680 wrote to memory of 1744	1680	Setup.exe	WerFault.exe
PID 1680 wrote to memory of 1744	1680	Setup.exe	WerFault.exe
PID 1680 wrote to memory of 1744	1680	Setup.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
"C:\Users\Admin\AppData\Local\Temp\357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe"
1⤵
- Sets service image path in registry
- Suspicious use of SetThreadContext
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 304
3⤵
- Program crash
PID:1744

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1204-54-0x0000000000C60000-0x0000000000CFC000-memory.dmp

Filesize
624KB

Download
memory/1204-55-0x0000000000570000-0x00000000005F2000-memory.dmp

Filesize
520KB

Download
memory/1680-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1680-57-0x0000000000403980-mapping.dmp

Download
memory/1680-58-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1744-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads