92183838c519b789fc3bcd6ef1c8d9ad9dbf764947f622cf0370cef1f142cdd5

General

Target

b8906bb02cd6de_JC.exe
Size

274KB
MD5

b8906bb02cd6de1d98a0a7c6c56f7a90
SHA1

c116d654d37562269cadf499c3e46867124c2b1c
SHA256

92183838c519b789fc3bcd6ef1c8d9ad9dbf764947f622cf0370cef1f142cdd5
SHA512

0ce1a03704d50a332e36aad728de0263916667b1eefbdc13dc6c36cbd6fb36d6e8b06ddcb3de41f8c89f0200adf0f149cfbf2701a7f354ad4a660dd3f318dfc1
SSDEEP

6144:zYvZ6brUj+bvqHXSpWr2Kqz83Oad3Jg4PlPDIQ+KLzDDg:zYvEbrUjp3SpWggd3JBPlPDIQ3g

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2868	dwmsys.exe
3040	dwmsys.exe

Loads dropped DLL 4 IoCs

pid	Process
2884	b8906bb02cd6de_JC.exe
2884	b8906bb02cd6de_JC.exe
2884	b8906bb02cd6de_JC.exe
2868	dwmsys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	b8906bb02cd6de_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\systemui\shell\open\command\IsolatedCommand = "\"%1\" %*"	b8906bb02cd6de_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\systemui\shell	b8906bb02cd6de_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\systemui\shell\runas\command	b8906bb02cd6de_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\.exe\DefaultIcon\ = "%1"	b8906bb02cd6de_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\.exe\shell\open	b8906bb02cd6de_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\systemui\shell\open\command	b8906bb02cd6de_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\systemui\DefaultIcon	b8906bb02cd6de_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\systemui\shell\open	b8906bb02cd6de_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\.exe\ = "systemui"	b8906bb02cd6de_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\systemui\Content-Type = "application/x-msdownload"	b8906bb02cd6de_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\systemui\shell\runas	b8906bb02cd6de_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\systemui\shell\runas\command\IsolatedCommand = "\"%1\" %*"	b8906bb02cd6de_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	b8906bb02cd6de_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	b8906bb02cd6de_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\systemui\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\dwmsys.exe\" /START \"%1\" %*"	b8906bb02cd6de_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\systemui\DefaultIcon\ = "%1"	b8906bb02cd6de_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_x86_64\\dwmsys.exe\" /START \"%1\" %*"	b8906bb02cd6de_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	b8906bb02cd6de_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\systemui	b8906bb02cd6de_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\.exe\DefaultIcon	b8906bb02cd6de_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\.exe\shell\open\command	b8906bb02cd6de_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\.exe\shell\runas\command	b8906bb02cd6de_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\.exe\shell\runas	b8906bb02cd6de_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\systemui\ = "Application"	b8906bb02cd6de_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\.exe\shell	b8906bb02cd6de_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\systemui\shell\runas\command\ = "\"%1\" %*"	b8906bb02cd6de_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\.exe	b8906bb02cd6de_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2868	dwmsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2868	2884	b8906bb02cd6de_JC.exe	28
PID 2884 wrote to memory of 2868	2884	b8906bb02cd6de_JC.exe	28
PID 2884 wrote to memory of 2868	2884	b8906bb02cd6de_JC.exe	28
PID 2884 wrote to memory of 2868	2884	b8906bb02cd6de_JC.exe	28
PID 2868 wrote to memory of 3040	2868	dwmsys.exe	29
PID 2868 wrote to memory of 3040	2868	dwmsys.exe	29
PID 2868 wrote to memory of 3040	2868	dwmsys.exe	29
PID 2868 wrote to memory of 3040	2868	dwmsys.exe	29

C:\Users\Admin\AppData\Local\Temp\b8906bb02cd6de_JC.exe
"C:\Users\Admin\AppData\Local\Temp\b8906bb02cd6de_JC.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\dwmsys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\dwmsys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\dwmsys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\dwmsys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\dwmsys.exe"
    3⤵
    - Executes dropped EXE
    PID:3040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\dwmsys.exe

Filesize
274KB

MD5
85982096e2e8a4bebff22f3b54669abb

SHA1
730edba30b234916839fc246344c6a5dc94faefc

SHA256
4a6586b7694ec154843cb003a072965d53f1d97e89b09515f1f9527e7913e357

SHA512
f2390a4488be130ad7169e377d3d2745da28d54bbc03a4a320248b9e5fd59315f0eda06ccf0f22579eba13c30e799b077075d7bd9c661209a71630d90739d264

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\dwmsys.exe

Filesize
274KB

MD5
85982096e2e8a4bebff22f3b54669abb

SHA1
730edba30b234916839fc246344c6a5dc94faefc

SHA256
4a6586b7694ec154843cb003a072965d53f1d97e89b09515f1f9527e7913e357

SHA512
f2390a4488be130ad7169e377d3d2745da28d54bbc03a4a320248b9e5fd59315f0eda06ccf0f22579eba13c30e799b077075d7bd9c661209a71630d90739d264

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\dwmsys.exe

Filesize
274KB

MD5
85982096e2e8a4bebff22f3b54669abb

SHA1
730edba30b234916839fc246344c6a5dc94faefc

SHA256
4a6586b7694ec154843cb003a072965d53f1d97e89b09515f1f9527e7913e357

SHA512
f2390a4488be130ad7169e377d3d2745da28d54bbc03a4a320248b9e5fd59315f0eda06ccf0f22579eba13c30e799b077075d7bd9c661209a71630d90739d264

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\dwmsys.exe

Filesize
274KB

MD5
85982096e2e8a4bebff22f3b54669abb

SHA1
730edba30b234916839fc246344c6a5dc94faefc

SHA256
4a6586b7694ec154843cb003a072965d53f1d97e89b09515f1f9527e7913e357

SHA512
f2390a4488be130ad7169e377d3d2745da28d54bbc03a4a320248b9e5fd59315f0eda06ccf0f22579eba13c30e799b077075d7bd9c661209a71630d90739d264

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\dwmsys.exe

Filesize
274KB

MD5
85982096e2e8a4bebff22f3b54669abb

SHA1
730edba30b234916839fc246344c6a5dc94faefc

SHA256
4a6586b7694ec154843cb003a072965d53f1d97e89b09515f1f9527e7913e357

SHA512
f2390a4488be130ad7169e377d3d2745da28d54bbc03a4a320248b9e5fd59315f0eda06ccf0f22579eba13c30e799b077075d7bd9c661209a71630d90739d264

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\dwmsys.exe

Filesize
274KB

MD5
85982096e2e8a4bebff22f3b54669abb

SHA1
730edba30b234916839fc246344c6a5dc94faefc

SHA256
4a6586b7694ec154843cb003a072965d53f1d97e89b09515f1f9527e7913e357

SHA512
f2390a4488be130ad7169e377d3d2745da28d54bbc03a4a320248b9e5fd59315f0eda06ccf0f22579eba13c30e799b077075d7bd9c661209a71630d90739d264

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\dwmsys.exe

Filesize
274KB

MD5
85982096e2e8a4bebff22f3b54669abb

SHA1
730edba30b234916839fc246344c6a5dc94faefc

SHA256
4a6586b7694ec154843cb003a072965d53f1d97e89b09515f1f9527e7913e357

SHA512
f2390a4488be130ad7169e377d3d2745da28d54bbc03a4a320248b9e5fd59315f0eda06ccf0f22579eba13c30e799b077075d7bd9c661209a71630d90739d264

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SysWOW_x86_64\dwmsys.exe

Filesize
274KB

MD5
85982096e2e8a4bebff22f3b54669abb

SHA1
730edba30b234916839fc246344c6a5dc94faefc

SHA256
4a6586b7694ec154843cb003a072965d53f1d97e89b09515f1f9527e7913e357

SHA512
f2390a4488be130ad7169e377d3d2745da28d54bbc03a4a320248b9e5fd59315f0eda06ccf0f22579eba13c30e799b077075d7bd9c661209a71630d90739d264

Download Submit

Analysis

Sharing