6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03/06/2023, 14:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d.exe
Size

6.9MB
MD5

007a67bfa732084b3f8278b302bef49e
SHA1

50c48db4fdcb0b4d464ec5fcfee2ebd7b8405e1c
SHA256

6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d
SHA512

f21d38109c4cf71dc117c921c35cc3fae19cc9add86963f323a2d5714eb7e6eb69179d8f530a70bd58fabb9692a1a0a5a38da29b3d51ed9572b98e9ecaf55b34
SSDEEP

98304:R+fSMIs21u7XMp6d2/PkBfwYC6+6Jo66DRZ6pZzhlkLTt29s4C1eH9G:R+ftIs0u7H2HkZwI9DwRZWmTt5o9G

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
3	2036	rundll32.exe
7	2036	rundll32.exe
8	2036	rundll32.exe
11	2036	rundll32.exe
12	2036	rundll32.exe
13	2036	rundll32.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
1340	Installer.RemoteDesktopManager.2022.3.35.0.exe
1720	Installer.RemoteDesktopManager.2022.3.35.0.tmp

Loads dropped DLL 4 IoCs

pid	Process
1340	Installer.RemoteDesktopManager.2022.3.35.0.exe
1480	explorer.exe
1292	Process not Found
2036	rundll32.exe

Registers COM server for autorun 1 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000_CLASSES\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InprocServer32	6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000_CLASSES\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InprocServer32\ = "C:\\Users\\Public\\Libraries\\prxyms1077714946.dll"	6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Control Panel\International\Geo	rundll32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000_CLASSES\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InprocServer32	6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d.exe
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000_CLASSES\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}	6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000_CLASSES\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InprocServer32\ = "C:\\Users\\Public\\Libraries\\prxyms1077714946.dll"	6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d.exe
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000_CLASSES\CLSID	6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d.exe
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1628	6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1480	explorer.exe
1720	Installer.RemoteDesktopManager.2022.3.35.0.tmp

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1480	explorer.exe
Token: SeShutdownPrivilege	1480	explorer.exe
Token: SeShutdownPrivilege	1480	explorer.exe
Token: SeShutdownPrivilege	1480	explorer.exe
Token: SeShutdownPrivilege	1480	explorer.exe
Token: SeShutdownPrivilege	1480	explorer.exe
Token: SeShutdownPrivilege	1480	explorer.exe
Token: SeShutdownPrivilege	1480	explorer.exe
Token: SeShutdownPrivilege	1480	explorer.exe
Token: SeShutdownPrivilege	1480	explorer.exe
Token: 33	976	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	976	AUDIODG.EXE
Token: 33	976	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	976	AUDIODG.EXE
Token: SeShutdownPrivilege	1480	explorer.exe
Token: SeShutdownPrivilege	1480	explorer.exe
Token: SeShutdownPrivilege	1480	explorer.exe
Token: SeShutdownPrivilege	1480	explorer.exe
Token: SeShutdownPrivilege	1480	explorer.exe
Token: SeShutdownPrivilege	1480	explorer.exe
Token: SeShutdownPrivilege	1480	explorer.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe
1480	explorer.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1340	1628	6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d.exe	27
PID 1628 wrote to memory of 1340	1628	6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d.exe	27
PID 1628 wrote to memory of 1340	1628	6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d.exe	27
PID 1628 wrote to memory of 1340	1628	6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d.exe	27
PID 1628 wrote to memory of 1340	1628	6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d.exe	27
PID 1628 wrote to memory of 1340	1628	6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d.exe	27
PID 1628 wrote to memory of 1340	1628	6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d.exe	27
PID 1340 wrote to memory of 1720	1340	Installer.RemoteDesktopManager.2022.3.35.0.exe	28
PID 1340 wrote to memory of 1720	1340	Installer.RemoteDesktopManager.2022.3.35.0.exe	28
PID 1340 wrote to memory of 1720	1340	Installer.RemoteDesktopManager.2022.3.35.0.exe	28
PID 1340 wrote to memory of 1720	1340	Installer.RemoteDesktopManager.2022.3.35.0.exe	28
PID 1340 wrote to memory of 1720	1340	Installer.RemoteDesktopManager.2022.3.35.0.exe	28
PID 1340 wrote to memory of 1720	1340	Installer.RemoteDesktopManager.2022.3.35.0.exe	28
PID 1340 wrote to memory of 1720	1340	Installer.RemoteDesktopManager.2022.3.35.0.exe	28
PID 1480 wrote to memory of 2036	1480	explorer.exe	32
PID 1480 wrote to memory of 2036	1480	explorer.exe	32
PID 1480 wrote to memory of 2036	1480	explorer.exe	32

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d.exe
"C:\Users\Admin\AppData\Local\Temp\6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d.exe"
1⤵
- Registers COM server for autorun
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Public\Libraries\Installer.RemoteDesktopManager.2022.3.35.0.exe
  C:\Users\Public\Libraries\Installer.RemoteDesktopManager.2022.3.35.0.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Users\Admin\AppData\Local\Temp\is-B8ABJ.tmp\Installer.RemoteDesktopManager.2022.3.35.0.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-B8ABJ.tmp\Installer.RemoteDesktopManager.2022.3.35.0.tmp" /SL5="$70126,832512,832512,C:\Users\Public\Libraries\Installer.RemoteDesktopManager.2022.3.35.0.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1720

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Users\Public\Libraries\netid1077714946.dll0,Main netid1077714946.dll0
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Modifies Control Panel
  PID:2036

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x590
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-B8ABJ.tmp\Installer.RemoteDesktopManager.2022.3.35.0.tmp

Filesize
3.1MB

MD5
9b2231506b2a97692f6b9683460880a0

SHA1
226f72dcea4f8c3bfb0bb3dec4e63c2725170568

SHA256
b1b015f3762b4b9bfce928401a3b13beee5fb70c989b97a03d57545fc00a1978

SHA512
1b5be819d361fd2321b4407f1d5e56123b497848e2dfd337783b30fb9ab3c0f6a2abd7cb6ed03e3abf886ae47d76134f8d3f1f5b1de57056c6d8901dae533546

Download Submit
C:\Users\Public\Libraries\Installer.RemoteDesktopManager.2022.3.35.0.exe

Filesize
1.6MB

MD5
ffdcae3b31803a83e3818714d343a975

SHA1
b52678a98201be08c5ce65c181a56f1959c8698c

SHA256
c94e889a6c9f4c37f34f75bf54e6d1b2cd7ee654cd397df348d46abe0b0f6ca3

SHA512
e1ae4c98ccdbfe9dd2d234bda77c3098992512fcebb4e4e275e71359925ab5ac5bb11a52cd6d30903b3b910d962c967bda03e2eb40d73dfef7ff9d4c5e2e86bc

Download Submit
C:\Users\Public\Libraries\Installer.RemoteDesktopManager.2022.3.35.0.exe

Filesize
1.6MB

MD5
ffdcae3b31803a83e3818714d343a975

SHA1
b52678a98201be08c5ce65c181a56f1959c8698c

SHA256
c94e889a6c9f4c37f34f75bf54e6d1b2cd7ee654cd397df348d46abe0b0f6ca3

SHA512
e1ae4c98ccdbfe9dd2d234bda77c3098992512fcebb4e4e275e71359925ab5ac5bb11a52cd6d30903b3b910d962c967bda03e2eb40d73dfef7ff9d4c5e2e86bc

Download Submit
C:\Users\Public\Libraries\netid1077714946.dll0

Filesize
2.6MB

MD5
6f47723e5fc6e96ab5e9f96f6bc585fa

SHA1
04e3be2ff570eb1a479925560103af5d22961983

SHA256
0501d09a219131657c54dba71faf2b9d793e466f2c7fdf6b0b3c50ec5b866b2a

SHA512
08a56a06e12a23ffdfc1eeed274bba2c1cee86270e6460114cc20355f05d27d99e92a0ea680a2f257675d6c368dfc72a41b901a837c85a505b1b87acae5d9e96

Download Submit
C:\Users\Public\Libraries\prxyms1077714946.dll

Filesize
2.5MB

MD5
69072084fcad54dcdc386f6b8b591bc8

SHA1
e267e26db077a72f6ca8322993a55038b147c408

SHA256
65778e3afc448f89680e8de9791500d21a22e2279759d8d93e2ece2bc8dae04d

SHA512
238925e3936ed079146077da9e969f18da2acbcbe1656f2a0cbf08d35e381fcbfea95c74f4144f206e8b2b3378f6489a8720a8fe349bf17b030ae311f0186438

Download Submit
C:\Users\Public\Libraries\update.conf

Filesize
260B

MD5
28a0d58b4a89faa60470a2989c1ea486

SHA1
ee242f7bc26e49f974d31e3b9e9b0e8e733a8199

SHA256
a30648b9f2d9035eefb26fc0cd7e3663957e7fd883250e5a06ccfc98d5e1c240

SHA512
1dbe732ed86e773fe405f1f71325faf3f57f4d3802dabbae2382f141b6e1e18ddb2b789339a9c2f9d420455a4fa11dd5193b49b406de9facd5bae3fcdcd35554

Download Submit
\Users\Admin\AppData\Local\Temp\is-B8ABJ.tmp\Installer.RemoteDesktopManager.2022.3.35.0.tmp

Filesize
3.1MB

MD5
9b2231506b2a97692f6b9683460880a0

SHA1
226f72dcea4f8c3bfb0bb3dec4e63c2725170568

SHA256
b1b015f3762b4b9bfce928401a3b13beee5fb70c989b97a03d57545fc00a1978

SHA512
1b5be819d361fd2321b4407f1d5e56123b497848e2dfd337783b30fb9ab3c0f6a2abd7cb6ed03e3abf886ae47d76134f8d3f1f5b1de57056c6d8901dae533546

Download Submit
\Users\Public\Libraries\netid1077714946.dll0

Filesize
2.6MB

MD5
6f47723e5fc6e96ab5e9f96f6bc585fa

SHA1
04e3be2ff570eb1a479925560103af5d22961983

SHA256
0501d09a219131657c54dba71faf2b9d793e466f2c7fdf6b0b3c50ec5b866b2a

SHA512
08a56a06e12a23ffdfc1eeed274bba2c1cee86270e6460114cc20355f05d27d99e92a0ea680a2f257675d6c368dfc72a41b901a837c85a505b1b87acae5d9e96

Download Submit
\Users\Public\Libraries\prxyms1077714946.dll

Filesize
2.5MB

MD5
69072084fcad54dcdc386f6b8b591bc8

SHA1
e267e26db077a72f6ca8322993a55038b147c408

SHA256
65778e3afc448f89680e8de9791500d21a22e2279759d8d93e2ece2bc8dae04d

SHA512
238925e3936ed079146077da9e969f18da2acbcbe1656f2a0cbf08d35e381fcbfea95c74f4144f206e8b2b3378f6489a8720a8fe349bf17b030ae311f0186438

Download Submit
\Users\Public\Libraries\prxyms1077714946.dll

Filesize
2.5MB

MD5
69072084fcad54dcdc386f6b8b591bc8

SHA1
e267e26db077a72f6ca8322993a55038b147c408

SHA256
65778e3afc448f89680e8de9791500d21a22e2279759d8d93e2ece2bc8dae04d

SHA512
238925e3936ed079146077da9e969f18da2acbcbe1656f2a0cbf08d35e381fcbfea95c74f4144f206e8b2b3378f6489a8720a8fe349bf17b030ae311f0186438

Download Submit
memory/1340-73-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1340-113-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1340-60-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1480-75-0x0000000004350000-0x0000000004351000-memory.dmp

Filesize
4KB

Download
memory/1480-114-0x0000000002C70000-0x0000000002C80000-memory.dmp

Filesize
64KB

Download
memory/1480-84-0x0000000004350000-0x0000000004351000-memory.dmp

Filesize
4KB

Download
memory/1720-68-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1720-111-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1720-109-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1720-76-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1720-74-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download