2eed2c255a6fc3dacb63b5dfa9bf5173d9685b2e8fc9de34094ad41d3aef61cf

General

Target

ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07.exe
Size

50KB
MD5

9d846bb9fbd2e4ce0a2344b02d535e9c
SHA1

91bb1d20302d740b733d155bd42556038b900380
SHA256

ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07
SHA512

bd07b8443719dafadad2106dceeb5eec060b0606f3b9344495506ddcb40eebbac0b115430efe6b45a87579b120512b4a07e8d1903c11f8291d1712fe35fc1596
SSDEEP

768:7eX7e/XWwa+6NMLh2J84nhRDsMx1zO1fu8iSUKWay0CE5qb4rafuPg:iS/XWwP6NkohRoE1zOFoKWarefuPg

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1408 set thread context of 564	1408	ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07.exe	29

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1924	564	WerFault.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1408	ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07.exe
1408	ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1408	ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1408	ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07.exe
Token: SeDebugPrivilege	1408	ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07.exe
Token: SeLoadDriverPrivilege	1408	ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 1656	1408	ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07.exe	28
PID 1408 wrote to memory of 1656	1408	ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07.exe	28
PID 1408 wrote to memory of 1656	1408	ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07.exe	28
PID 1408 wrote to memory of 564	1408	ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07.exe	29
PID 1408 wrote to memory of 564	1408	ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07.exe	29
PID 1408 wrote to memory of 564	1408	ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07.exe	29
PID 1408 wrote to memory of 564	1408	ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07.exe	29
PID 1408 wrote to memory of 564	1408	ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07.exe	29
PID 1408 wrote to memory of 564	1408	ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07.exe	29
PID 1408 wrote to memory of 564	1408	ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07.exe	29
PID 1408 wrote to memory of 564	1408	ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07.exe	29
PID 1408 wrote to memory of 564	1408	ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07.exe	29
PID 1408 wrote to memory of 564	1408	ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07.exe	29
PID 1408 wrote to memory of 564	1408	ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07.exe	29
PID 1408 wrote to memory of 564	1408	ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07.exe	29
PID 1408 wrote to memory of 564	1408	ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07.exe	29
PID 1408 wrote to memory of 564	1408	ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07.exe	29
PID 564 wrote to memory of 1924	564	SetupUtility.exe	30
PID 564 wrote to memory of 1924	564	SetupUtility.exe	30
PID 564 wrote to memory of 1924	564	SetupUtility.exe	30
PID 564 wrote to memory of 1924	564	SetupUtility.exe	30

C:\Users\Admin\AppData\Local\Temp\ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07.exe
"C:\Users\Admin\AppData\Local\Temp\ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07.exe"
1⤵
- Sets service image path in registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 168
    3⤵
    - Program crash
    PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/564-58-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/564-59-0x0000000000100000-0x0000000000109000-memory.dmp

Filesize
36KB

Download
memory/1408-54-0x0000000001210000-0x0000000001220000-memory.dmp

Filesize
64KB

Download
memory/1408-55-0x000000001B270000-0x000000001B2F0000-memory.dmp

Filesize
512KB

Download
memory/1408-56-0x0000000000690000-0x0000000000708000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing