8051ee3aeb5d48e3971d380b409751f14010ce7f6e2506d461ff27b6a7f7cf81

General

Target

32fa784a8dcbb3exeexeexeex.exe
Size

288KB
MD5

32fa784a8dcbb3b35b3136a19db4c4f9
SHA1

f38049432ac8f5d016e758aa15207b7953252b7a
SHA256

8051ee3aeb5d48e3971d380b409751f14010ce7f6e2506d461ff27b6a7f7cf81
SHA512

b412a26a751d3557309c9888bfb74354331c772fad7c509524c3db03265807637c11736e965336954f9f558bdee062f10f380502a4affc53eca4be36cdd0e884
SSDEEP

6144:LQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:LQMyfmNFHfnWfhLZVHmOog

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2080	dwmsys.exe
2100	dwmsys.exe

Loads dropped DLL 4 IoCs

pid	Process
2352	32fa784a8dcbb3exeexeexeex.exe
2352	32fa784a8dcbb3exeexeexeex.exe
2352	32fa784a8dcbb3exeexeexeex.exe
2080	dwmsys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\systemui	32fa784a8dcbb3exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\systemui\shell\runas\command	32fa784a8dcbb3exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\.exe\shell\open	32fa784a8dcbb3exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	32fa784a8dcbb3exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\systemui\shell\runas\command\IsolatedCommand = "\"%1\" %*"	32fa784a8dcbb3exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\.exe\ = "systemui"	32fa784a8dcbb3exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	32fa784a8dcbb3exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	32fa784a8dcbb3exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\systemui\ = "Application"	32fa784a8dcbb3exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\systemui\shell	32fa784a8dcbb3exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\.exe\shell\runas	32fa784a8dcbb3exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\dwmsys.exe\" /START \"%1\" %*"	32fa784a8dcbb3exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\systemui\DefaultIcon\ = "%1"	32fa784a8dcbb3exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\systemui\shell\open\command	32fa784a8dcbb3exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\.exe	32fa784a8dcbb3exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\.exe\DefaultIcon\ = "%1"	32fa784a8dcbb3exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\.exe\shell\open\command	32fa784a8dcbb3exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\systemui\shell\open	32fa784a8dcbb3exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\systemui\shell\runas	32fa784a8dcbb3exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\systemui\DefaultIcon	32fa784a8dcbb3exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\systemui\shell\open\command\IsolatedCommand = "\"%1\" %*"	32fa784a8dcbb3exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\systemui\shell\runas\command\ = "\"%1\" %*"	32fa784a8dcbb3exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	32fa784a8dcbb3exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\.exe\DefaultIcon	32fa784a8dcbb3exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\systemui\Content-Type = "application/x-msdownload"	32fa784a8dcbb3exeexeexeex.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\systemui\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Sys32\\dwmsys.exe\" /START \"%1\" %*"	32fa784a8dcbb3exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\.exe\shell	32fa784a8dcbb3exeexeexeex.exe
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000_CLASSES\.exe\shell\runas\command	32fa784a8dcbb3exeexeexeex.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2080	dwmsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2080	2352	32fa784a8dcbb3exeexeexeex.exe	28
PID 2352 wrote to memory of 2080	2352	32fa784a8dcbb3exeexeexeex.exe	28
PID 2352 wrote to memory of 2080	2352	32fa784a8dcbb3exeexeexeex.exe	28
PID 2352 wrote to memory of 2080	2352	32fa784a8dcbb3exeexeexeex.exe	28
PID 2080 wrote to memory of 2100	2080	dwmsys.exe	29
PID 2080 wrote to memory of 2100	2080	dwmsys.exe	29
PID 2080 wrote to memory of 2100	2080	dwmsys.exe	29
PID 2080 wrote to memory of 2100	2080	dwmsys.exe	29

C:\Users\Admin\AppData\Local\Temp\32fa784a8dcbb3exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\32fa784a8dcbb3exeexeexeex.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe"
    3⤵
    - Executes dropped EXE
    PID:2100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe

Filesize
288KB

MD5
aaeae2e4db36acab69534ed881799cd3

SHA1
ad89861187bf8dfa38d790d666b88547cfc68cad

SHA256
328479fa8de5967e005b6d67bcb9c518a2915486af3f68b7dc44996487c3d424

SHA512
5f1861ad021e2f688f9b00ce07a2a9e0a15c30fde1b319b907e1d70026380558d72f08a44f5fc6729b5db17412064b1c96fbd30a4c6407ac490c69527f8dcc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe

Filesize
288KB

MD5
aaeae2e4db36acab69534ed881799cd3

SHA1
ad89861187bf8dfa38d790d666b88547cfc68cad

SHA256
328479fa8de5967e005b6d67bcb9c518a2915486af3f68b7dc44996487c3d424

SHA512
5f1861ad021e2f688f9b00ce07a2a9e0a15c30fde1b319b907e1d70026380558d72f08a44f5fc6729b5db17412064b1c96fbd30a4c6407ac490c69527f8dcc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe

Filesize
288KB

MD5
aaeae2e4db36acab69534ed881799cd3

SHA1
ad89861187bf8dfa38d790d666b88547cfc68cad

SHA256
328479fa8de5967e005b6d67bcb9c518a2915486af3f68b7dc44996487c3d424

SHA512
5f1861ad021e2f688f9b00ce07a2a9e0a15c30fde1b319b907e1d70026380558d72f08a44f5fc6729b5db17412064b1c96fbd30a4c6407ac490c69527f8dcc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe

Filesize
288KB

MD5
aaeae2e4db36acab69534ed881799cd3

SHA1
ad89861187bf8dfa38d790d666b88547cfc68cad

SHA256
328479fa8de5967e005b6d67bcb9c518a2915486af3f68b7dc44996487c3d424

SHA512
5f1861ad021e2f688f9b00ce07a2a9e0a15c30fde1b319b907e1d70026380558d72f08a44f5fc6729b5db17412064b1c96fbd30a4c6407ac490c69527f8dcc09

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe

Filesize
288KB

MD5
aaeae2e4db36acab69534ed881799cd3

SHA1
ad89861187bf8dfa38d790d666b88547cfc68cad

SHA256
328479fa8de5967e005b6d67bcb9c518a2915486af3f68b7dc44996487c3d424

SHA512
5f1861ad021e2f688f9b00ce07a2a9e0a15c30fde1b319b907e1d70026380558d72f08a44f5fc6729b5db17412064b1c96fbd30a4c6407ac490c69527f8dcc09

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe

Filesize
288KB

MD5
aaeae2e4db36acab69534ed881799cd3

SHA1
ad89861187bf8dfa38d790d666b88547cfc68cad

SHA256
328479fa8de5967e005b6d67bcb9c518a2915486af3f68b7dc44996487c3d424

SHA512
5f1861ad021e2f688f9b00ce07a2a9e0a15c30fde1b319b907e1d70026380558d72f08a44f5fc6729b5db17412064b1c96fbd30a4c6407ac490c69527f8dcc09

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe

Filesize
288KB

MD5
aaeae2e4db36acab69534ed881799cd3

SHA1
ad89861187bf8dfa38d790d666b88547cfc68cad

SHA256
328479fa8de5967e005b6d67bcb9c518a2915486af3f68b7dc44996487c3d424

SHA512
5f1861ad021e2f688f9b00ce07a2a9e0a15c30fde1b319b907e1d70026380558d72f08a44f5fc6729b5db17412064b1c96fbd30a4c6407ac490c69527f8dcc09

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Sys32\dwmsys.exe

Filesize
288KB

MD5
aaeae2e4db36acab69534ed881799cd3

SHA1
ad89861187bf8dfa38d790d666b88547cfc68cad

SHA256
328479fa8de5967e005b6d67bcb9c518a2915486af3f68b7dc44996487c3d424

SHA512
5f1861ad021e2f688f9b00ce07a2a9e0a15c30fde1b319b907e1d70026380558d72f08a44f5fc6729b5db17412064b1c96fbd30a4c6407ac490c69527f8dcc09

Download Submit

Analysis

Sharing