cfe559d136a06224225462f6c71b69fb014236eaa7a8f8d6fdcd539f57d0e6cb

General

Target

NA_NA_2f953be04a4b3dexeexe_JC.exe
Size

280KB
MD5

2f953be04a4b3d4bda010d65c46b4dcd
SHA1

86a23bcb5a2de690005ff9021f9f58d15441f78b
SHA256

cfe559d136a06224225462f6c71b69fb014236eaa7a8f8d6fdcd539f57d0e6cb
SHA512

4a59e1ef1d22cc548e0325188fb1cc454d64a22a37b14efacf3942201dd74a9f6aa2f5e1a7e5b95eb87e0462cc71228d56e3139a81e2da4c0bf764a41fa03b7b
SSDEEP

6144:JQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:JQMyfmNFHfnWfhLZVHmOog

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2132	sidebar2.exe
2396	sidebar2.exe

Loads dropped DLL 3 IoCs

pid	Process
2216	NA_NA_2f953be04a4b3dexeexe_JC.exe
2216	NA_NA_2f953be04a4b3dexeexe_JC.exe
2216	NA_NA_2f953be04a4b3dexeexe_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\prochost\shell\open\command\IsolatedCommand = "\"%1\" %*"	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\prochost\shell\runas\command	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\.exe\shell	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\prochost\shell	NA_NA_2f953be04a4b3dexeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\sidebar2.exe\" /START \"%1\" %*"	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\.exe\shell\runas	NA_NA_2f953be04a4b3dexeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\prochost\ = "Application"	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\prochost\shell\open	NA_NA_2f953be04a4b3dexeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\prochost\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\XMMC\\sidebar2.exe\" /START \"%1\" %*"	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\.exe\DefaultIcon	NA_NA_2f953be04a4b3dexeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\.exe\DefaultIcon\ = "%1"	NA_NA_2f953be04a4b3dexeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\prochost\Content-Type = "application/x-msdownload"	NA_NA_2f953be04a4b3dexeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\prochost\DefaultIcon\ = "%1"	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\prochost\shell\runas	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\.exe\shell\open\command	NA_NA_2f953be04a4b3dexeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	NA_NA_2f953be04a4b3dexeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\prochost\shell\runas\command\ = "\"%1\" %*"	NA_NA_2f953be04a4b3dexeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\prochost\shell\runas\command\IsolatedCommand = "\"%1\" %*"	NA_NA_2f953be04a4b3dexeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\prochost	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\.exe\shell\open	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\.exe\shell\runas\command	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\prochost\DefaultIcon	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\prochost\shell\open\command	NA_NA_2f953be04a4b3dexeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\.exe	NA_NA_2f953be04a4b3dexeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\.exe\ = "prochost"	NA_NA_2f953be04a4b3dexeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	NA_NA_2f953be04a4b3dexeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	NA_NA_2f953be04a4b3dexeexe_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2132	sidebar2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2132	2216	NA_NA_2f953be04a4b3dexeexe_JC.exe	28
PID 2216 wrote to memory of 2132	2216	NA_NA_2f953be04a4b3dexeexe_JC.exe	28
PID 2216 wrote to memory of 2132	2216	NA_NA_2f953be04a4b3dexeexe_JC.exe	28
PID 2216 wrote to memory of 2132	2216	NA_NA_2f953be04a4b3dexeexe_JC.exe	28
PID 2132 wrote to memory of 2396	2132	sidebar2.exe	29
PID 2132 wrote to memory of 2396	2132	sidebar2.exe	29
PID 2132 wrote to memory of 2396	2132	sidebar2.exe	29
PID 2132 wrote to memory of 2396	2132	sidebar2.exe	29

C:\Users\Admin\AppData\Local\Temp\NA_NA_2f953be04a4b3dexeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NA_NA_2f953be04a4b3dexeexe_JC.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\sidebar2.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\sidebar2.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\sidebar2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\sidebar2.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\sidebar2.exe"
    3⤵
    - Executes dropped EXE
    PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\sidebar2.exe

Filesize
280KB

MD5
21bdec837ff1932037ec8acc0ab33a49

SHA1
5fa3a0fe4b54e1dd2798ce063a09c5bad1163080

SHA256
0a8ffb9f2f120d8616d650dc9836a205354e78639e4f5a27314fd118b0ac12f8

SHA512
62eb27df73eb680218c50aa7a79d93556821a4b220af4591b3f4ea845883dfdafaac0d7249d0b74f1ba4bdbd77607c61779cbb27ebcd517279beea9741f4dda4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\sidebar2.exe

Filesize
280KB

MD5
21bdec837ff1932037ec8acc0ab33a49

SHA1
5fa3a0fe4b54e1dd2798ce063a09c5bad1163080

SHA256
0a8ffb9f2f120d8616d650dc9836a205354e78639e4f5a27314fd118b0ac12f8

SHA512
62eb27df73eb680218c50aa7a79d93556821a4b220af4591b3f4ea845883dfdafaac0d7249d0b74f1ba4bdbd77607c61779cbb27ebcd517279beea9741f4dda4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\sidebar2.exe

Filesize
280KB

MD5
21bdec837ff1932037ec8acc0ab33a49

SHA1
5fa3a0fe4b54e1dd2798ce063a09c5bad1163080

SHA256
0a8ffb9f2f120d8616d650dc9836a205354e78639e4f5a27314fd118b0ac12f8

SHA512
62eb27df73eb680218c50aa7a79d93556821a4b220af4591b3f4ea845883dfdafaac0d7249d0b74f1ba4bdbd77607c61779cbb27ebcd517279beea9741f4dda4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\XMMC\sidebar2.exe

Filesize
280KB

MD5
21bdec837ff1932037ec8acc0ab33a49

SHA1
5fa3a0fe4b54e1dd2798ce063a09c5bad1163080

SHA256
0a8ffb9f2f120d8616d650dc9836a205354e78639e4f5a27314fd118b0ac12f8

SHA512
62eb27df73eb680218c50aa7a79d93556821a4b220af4591b3f4ea845883dfdafaac0d7249d0b74f1ba4bdbd77607c61779cbb27ebcd517279beea9741f4dda4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\XMMC\sidebar2.exe

Filesize
280KB

MD5
21bdec837ff1932037ec8acc0ab33a49

SHA1
5fa3a0fe4b54e1dd2798ce063a09c5bad1163080

SHA256
0a8ffb9f2f120d8616d650dc9836a205354e78639e4f5a27314fd118b0ac12f8

SHA512
62eb27df73eb680218c50aa7a79d93556821a4b220af4591b3f4ea845883dfdafaac0d7249d0b74f1ba4bdbd77607c61779cbb27ebcd517279beea9741f4dda4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\XMMC\sidebar2.exe

Filesize
280KB

MD5
21bdec837ff1932037ec8acc0ab33a49

SHA1
5fa3a0fe4b54e1dd2798ce063a09c5bad1163080

SHA256
0a8ffb9f2f120d8616d650dc9836a205354e78639e4f5a27314fd118b0ac12f8

SHA512
62eb27df73eb680218c50aa7a79d93556821a4b220af4591b3f4ea845883dfdafaac0d7249d0b74f1ba4bdbd77607c61779cbb27ebcd517279beea9741f4dda4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\XMMC\sidebar2.exe

Filesize
280KB

MD5
21bdec837ff1932037ec8acc0ab33a49

SHA1
5fa3a0fe4b54e1dd2798ce063a09c5bad1163080

SHA256
0a8ffb9f2f120d8616d650dc9836a205354e78639e4f5a27314fd118b0ac12f8

SHA512
62eb27df73eb680218c50aa7a79d93556821a4b220af4591b3f4ea845883dfdafaac0d7249d0b74f1ba4bdbd77607c61779cbb27ebcd517279beea9741f4dda4

Download Submit

Analysis

Sharing