8b24c35a9543f25a7d45ea63e8e45389d94d3a84162d7d720b0e1edab4f5b304

General

Target

8b24c35a9543f25a7d45ea63e8e45389d94d3a84162d7d720b0e1edab4f5b304.exe
Size

4.4MB
MD5

9b414b7d91b67f019b3a63382dfd666a
SHA1

1350417b0c8dc74f7efb5d862e96f115adf3e995
SHA256

8b24c35a9543f25a7d45ea63e8e45389d94d3a84162d7d720b0e1edab4f5b304
SHA512

b75246b5cd941317345e3abae022c041ed69c520f7ed505344d327dc466f8f66e97c27f51e9db6520e1efd1f47404b786387a31b8ee45344b73a0852f9813fd4
SSDEEP

98304:L/mrHQktlw2Kce0t+JhVWn2xxjsAIzsQlA67LVN:L43tlKXjXWnA3IznF

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4520	8b24c35a9543f25a7d45ea63e8e45389d94d3a84162d7d720b0e1edab4f5b304.exe
4520	8b24c35a9543f25a7d45ea63e8e45389d94d3a84162d7d720b0e1edab4f5b304.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updaters = "rundll32 C:\\Users\\Public\\AtomLdr.dll,Atom"	reg.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1816	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: 35	4520	8b24c35a9543f25a7d45ea63e8e45389d94d3a84162d7d720b0e1edab4f5b304.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 4520	3644	8b24c35a9543f25a7d45ea63e8e45389d94d3a84162d7d720b0e1edab4f5b304.exe	83
PID 3644 wrote to memory of 4520	3644	8b24c35a9543f25a7d45ea63e8e45389d94d3a84162d7d720b0e1edab4f5b304.exe	83
PID 4520 wrote to memory of 3736	4520	8b24c35a9543f25a7d45ea63e8e45389d94d3a84162d7d720b0e1edab4f5b304.exe	84
PID 4520 wrote to memory of 3736	4520	8b24c35a9543f25a7d45ea63e8e45389d94d3a84162d7d720b0e1edab4f5b304.exe	84
PID 3736 wrote to memory of 1816	3736	cmd.exe	86
PID 3736 wrote to memory of 1816	3736	cmd.exe	86
PID 4520 wrote to memory of 4492	4520	8b24c35a9543f25a7d45ea63e8e45389d94d3a84162d7d720b0e1edab4f5b304.exe	87
PID 4520 wrote to memory of 4492	4520	8b24c35a9543f25a7d45ea63e8e45389d94d3a84162d7d720b0e1edab4f5b304.exe	87
PID 4492 wrote to memory of 1848	4492	cmd.exe	89
PID 4492 wrote to memory of 1848	4492	cmd.exe	89
PID 4520 wrote to memory of 1924	4520	8b24c35a9543f25a7d45ea63e8e45389d94d3a84162d7d720b0e1edab4f5b304.exe	91
PID 4520 wrote to memory of 1924	4520	8b24c35a9543f25a7d45ea63e8e45389d94d3a84162d7d720b0e1edab4f5b304.exe	91
PID 1924 wrote to memory of 3344	1924	cmd.exe	93
PID 1924 wrote to memory of 3344	1924	cmd.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8b24c35a9543f25a7d45ea63e8e45389d94d3a84162d7d720b0e1edab4f5b304.exe
"C:\Users\Admin\AppData\Local\Temp\8b24c35a9543f25a7d45ea63e8e45389d94d3a84162d7d720b0e1edab4f5b304.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Users\Admin\AppData\Local\Temp\8b24c35a9543f25a7d45ea63e8e45389d94d3a84162d7d720b0e1edab4f5b304.exe
  "C:\Users\Admin\AppData\Local\Temp\8b24c35a9543f25a7d45ea63e8e45389d94d3a84162d7d720b0e1edab4f5b304.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "schtasks /create /sc daily /st 11:00 /tn Updaters /tr "rundll32 C:\Users\Public\AtomLdr.dll,Atom" /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3736
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /sc daily /st 11:00 /tn Updaters /tr "rundll32 C:\Users\Public\AtomLdr.dll,Atom" /f
      4⤵
      Creates scheduled task(s)
      PID:1816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "schtasks /run /tn Updaters"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Windows\system32\schtasks.exe
      schtasks /run /tn Updaters
      4⤵
      PID:1848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v updaters /t REG_SZ /d "rundll32 C:\Users\Public\AtomLdr.dll,Atom""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v updaters /t REG_SZ /d "rundll32 C:\Users\Public\AtomLdr.dll,Atom"
      4⤵
      Adds Run key to start application
      PID:3344

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE C:\Users\Public\AtomLdr.dll,Atom
1⤵
PID:2520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI36442\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36442\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36442\base_library.zip

Filesize
994KB

MD5
48123883603eb89419b9812a52e2a0a9

SHA1
baf8042fd896424804a977dfe4e48d6e0acd445f

SHA256
7cb0a3552fd70948b1664432e442d601d7d2a446b9163aaa1e79eaf1307b7f8e

SHA512
d497f8022435a76e45ef034fb5964d1d38ab32d4c100101a77689d5de85615732f9ac640a89a4c21d61c5bb3ed7d3d8b22379fa4a643fec35100134bad9ad8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36442\python37.dll

Filesize
3.7MB

MD5
62125a78b9be5ac58c3b55413f085028

SHA1
46c643f70dd3b3e82ab4a5d1bc979946039e35b2

SHA256
17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f

SHA512
e63f4aa8fc5cd1569ae401e283bc8e1445859131eb0db76581b941f1085670c549cbc3fedf911a21c1237b0f3f66f62b10c60e88b923fa058f7fafee18dd0fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36442\python37.dll

Filesize
3.7MB

MD5
62125a78b9be5ac58c3b55413f085028

SHA1
46c643f70dd3b3e82ab4a5d1bc979946039e35b2

SHA256
17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f

SHA512
e63f4aa8fc5cd1569ae401e283bc8e1445859131eb0db76581b941f1085670c549cbc3fedf911a21c1237b0f3f66f62b10c60e88b923fa058f7fafee18dd0fa4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads