3ab1efbbb6afd2c8a9a182ce719d4198596d2ca24a3aae0c18c21e27cafd3f71

General

Target

44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe
Size

8.3MB
MD5

e34a10782d9dac4b81cbc788ac151fe3
SHA1

21516e86b86b245fb6520ae16a69814bfbe9c494
SHA256

44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9
SHA512

304a811b7608bd0da73e8f75c2c1b886b0cdc656e54993daf5c00b64622e6482cc8581e80fbdf8a4d8c8dcffe6053bec6a85354ccddbf3cfc5b63570340aac1f
SSDEEP

196608:whTb9B0BPrDz4pxgZZPy5RmStgxb/z6FDiSJXqeUh4mT7:eTb9epDz4MZZ4RmxYDiScfhH

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.lnk	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.lnk	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe

Executes dropped EXE 2 IoCs

pid	Process
1496	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe
1636	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe

Loads dropped DLL 1 IoCs

pid	Process
1176	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Windows\CurrentVersion\Run\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9 = "C:\\Users\\Admin\\AppData\\Roaming\\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe"	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1980	powershell.exe
1860	powershell.exe
812	powershell.exe
1176	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1176	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	1496	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1176	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 1980	1176	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe	29
PID 1176 wrote to memory of 1980	1176	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe	29
PID 1176 wrote to memory of 1980	1176	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe	29
PID 1176 wrote to memory of 1980	1176	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe	29
PID 1176 wrote to memory of 1860	1176	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe	31
PID 1176 wrote to memory of 1860	1176	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe	31
PID 1176 wrote to memory of 1860	1176	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe	31
PID 1176 wrote to memory of 1860	1176	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe	31
PID 1176 wrote to memory of 812	1176	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe	33
PID 1176 wrote to memory of 812	1176	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe	33
PID 1176 wrote to memory of 812	1176	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe	33
PID 1176 wrote to memory of 812	1176	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe	33
PID 1176 wrote to memory of 1664	1176	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe	35
PID 1176 wrote to memory of 1664	1176	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe	35
PID 1176 wrote to memory of 1664	1176	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe	35
PID 1176 wrote to memory of 1664	1176	44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe	35
PID 1152 wrote to memory of 1496	1152	taskeng.exe	38
PID 1152 wrote to memory of 1496	1152	taskeng.exe	38
PID 1152 wrote to memory of 1496	1152	taskeng.exe	38
PID 1152 wrote to memory of 1496	1152	taskeng.exe	38
PID 1152 wrote to memory of 1636	1152	taskeng.exe	39
PID 1152 wrote to memory of 1636	1152	taskeng.exe	39
PID 1152 wrote to memory of 1636	1152	taskeng.exe	39
PID 1152 wrote to memory of 1636	1152	taskeng.exe	39

C:\Users\Admin\AppData\Local\Temp\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe
"C:\Users\Admin\AppData\Local\Temp\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1860
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:812
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9" /tr "C:\Users\Admin\AppData\Roaming\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1664

C:\Windows\system32\taskeng.exe
taskeng.exe {0636E5C7-F3EA-4216-A44D-B898EC62B772} S-1-5-21-3297628651-743815474-1126733160-1000:HHVWDVKF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Roaming\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe
  C:\Users\Admin\AppData\Roaming\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Users\Admin\AppData\Roaming\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe
  C:\Users\Admin\AppData\Roaming\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe
  2⤵
  - Executes dropped EXE
  PID:1636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe

Filesize
3.4MB

MD5
0e6eed571d2cd71bbad122530836a1ae

SHA1
05902c24522589fd996c82728886cb3cc5ee9edd

SHA256
9cedb0449c19c9e91670e2ca631322ed2d1c06b8304cfd9251c36c295bb1df9a

SHA512
1860711b296d35fa7560072858d004d902462ee0cce04ca3abeddc188ae8d5d4702f74835b58ab7c9b4a1f26765803521bc3d530d405c260b659fb716fc6843b

Download Submit
C:\Users\Admin\AppData\Roaming\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe

Filesize
8.3MB

MD5
e34a10782d9dac4b81cbc788ac151fe3

SHA1
21516e86b86b245fb6520ae16a69814bfbe9c494

SHA256
44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9

SHA512
304a811b7608bd0da73e8f75c2c1b886b0cdc656e54993daf5c00b64622e6482cc8581e80fbdf8a4d8c8dcffe6053bec6a85354ccddbf3cfc5b63570340aac1f

Download Submit
C:\Users\Admin\AppData\Roaming\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe

Filesize
8.3MB

MD5
e34a10782d9dac4b81cbc788ac151fe3

SHA1
21516e86b86b245fb6520ae16a69814bfbe9c494

SHA256
44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9

SHA512
304a811b7608bd0da73e8f75c2c1b886b0cdc656e54993daf5c00b64622e6482cc8581e80fbdf8a4d8c8dcffe6053bec6a85354ccddbf3cfc5b63570340aac1f

Download Submit
C:\Users\Admin\AppData\Roaming\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe

Filesize
8.3MB

MD5
e34a10782d9dac4b81cbc788ac151fe3

SHA1
21516e86b86b245fb6520ae16a69814bfbe9c494

SHA256
44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9

SHA512
304a811b7608bd0da73e8f75c2c1b886b0cdc656e54993daf5c00b64622e6482cc8581e80fbdf8a4d8c8dcffe6053bec6a85354ccddbf3cfc5b63570340aac1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7C0ZM8MQR31P7Z6CV6MV.temp

Filesize
7KB

MD5
91532e03edc1b9c6cf34e03a1c6bc5b4

SHA1
00783d59a9212fc7f715183293b80e48b614904b

SHA256
6390af3c23f6e9f07e9d1331488479ba39eaacb8d70a194a17fd31431b948bc4

SHA512
d5a97242eef33c51886c9c4690dd2227ee2c03e9dc737b0c5ead365e3043e0ed584a33b343dcd754c833de7c121557b2d4ad7c9729f11b292dedf68842c1f596

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
91532e03edc1b9c6cf34e03a1c6bc5b4

SHA1
00783d59a9212fc7f715183293b80e48b614904b

SHA256
6390af3c23f6e9f07e9d1331488479ba39eaacb8d70a194a17fd31431b948bc4

SHA512
d5a97242eef33c51886c9c4690dd2227ee2c03e9dc737b0c5ead365e3043e0ed584a33b343dcd754c833de7c121557b2d4ad7c9729f11b292dedf68842c1f596

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
91532e03edc1b9c6cf34e03a1c6bc5b4

SHA1
00783d59a9212fc7f715183293b80e48b614904b

SHA256
6390af3c23f6e9f07e9d1331488479ba39eaacb8d70a194a17fd31431b948bc4

SHA512
d5a97242eef33c51886c9c4690dd2227ee2c03e9dc737b0c5ead365e3043e0ed584a33b343dcd754c833de7c121557b2d4ad7c9729f11b292dedf68842c1f596

Download Submit
\Users\Admin\AppData\Roaming\44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9.exe

Filesize
8.3MB

MD5
e34a10782d9dac4b81cbc788ac151fe3

SHA1
21516e86b86b245fb6520ae16a69814bfbe9c494

SHA256
44de3cda2390b20b694a4121a3fcf1f940e2c5d50e5bcb8f13ce975c7fc962d9

SHA512
304a811b7608bd0da73e8f75c2c1b886b0cdc656e54993daf5c00b64622e6482cc8581e80fbdf8a4d8c8dcffe6053bec6a85354ccddbf3cfc5b63570340aac1f

Download Submit
memory/1176-62-0x0000000000E70000-0x0000000000E96000-memory.dmp

Filesize
152KB

Download
memory/1176-54-0x00000000000C0000-0x0000000000906000-memory.dmp

Filesize
8.3MB

Download
memory/1176-65-0x0000000002C00000-0x0000000002C08000-memory.dmp

Filesize
32KB

Download
memory/1176-66-0x0000000008370000-0x0000000008378000-memory.dmp

Filesize
32KB

Download
memory/1176-67-0x0000000008DB0000-0x0000000008DB6000-memory.dmp

Filesize
24KB

Download
memory/1176-68-0x0000000008FE0000-0x0000000008FE6000-memory.dmp

Filesize
24KB

Download
memory/1176-69-0x0000000008FF0000-0x0000000009008000-memory.dmp

Filesize
96KB

Download
memory/1176-70-0x0000000000D90000-0x0000000000DD0000-memory.dmp

Filesize
256KB

Download
memory/1176-55-0x0000000005540000-0x00000000059C8000-memory.dmp

Filesize
4.5MB

Download
memory/1176-56-0x0000000000C60000-0x0000000000C7A000-memory.dmp

Filesize
104KB

Download
memory/1176-63-0x0000000000FB0000-0x0000000000FB8000-memory.dmp

Filesize
32KB

Download
memory/1176-64-0x00000000015E0000-0x00000000015FE000-memory.dmp

Filesize
120KB

Download
memory/1176-61-0x0000000002D90000-0x0000000002E06000-memory.dmp

Filesize
472KB

Download
memory/1176-60-0x0000000000A80000-0x0000000000A88000-memory.dmp

Filesize
32KB

Download
memory/1176-59-0x0000000006D70000-0x00000000073E8000-memory.dmp

Filesize
6.5MB

Download
memory/1176-58-0x0000000000D90000-0x0000000000DD0000-memory.dmp

Filesize
256KB

Download
memory/1176-57-0x0000000000C90000-0x0000000000CC2000-memory.dmp

Filesize
200KB

Download
memory/1496-98-0x0000000000B30000-0x0000000001376000-memory.dmp

Filesize
8.3MB

Download
memory/1496-99-0x0000000004F90000-0x0000000004FD0000-memory.dmp

Filesize
256KB

Download
memory/1496-100-0x0000000008E70000-0x0000000008E76000-memory.dmp

Filesize
24KB

Download
memory/1496-101-0x0000000008EA0000-0x0000000008EA6000-memory.dmp

Filesize
24KB

Download
memory/1636-103-0x00000000010C0000-0x0000000001906000-memory.dmp

Filesize
8.3MB

Download
memory/1980-74-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/1980-73-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads