f2e5cf7a52a60915a4f27f4711c4a03d376fe3720e2d1354b547a27d283cd80e

General

Target

SOA.exe
Size

769KB
MD5

7cf44d01617ca7109e6055fef339f301
SHA1

034696cc52781145916bb54989aa73db5ab6e2f3
SHA256

ecb89e3dc8230acc1f4979b6e9461684c0bbad2aed4871858610a3b6c660683b
SHA512

e62de06660b0d136630f0a9642e037a012f901abb210b079f526dbdcd7bc94b61b975dc03e36112dd0c236029a103b0c95398aeba61ea60b9767c4dc368a6bc1
SSDEEP

12288:DEN2d1mbTc9t0fzeWCc2/UYsh4HVlrczP8Exfk1+dyRJj7KvUsmyutnetdNSO:wFygCCOHVlr0P86f3c5eb4e3Z

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Windows\CurrentVersion\Run\eqGrE = "C:\\Users\\Admin\\AppData\\Roaming\\eqGrE\\eqGrE.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1908 set thread context of 268	1908	SOA.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2812	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1908	SOA.exe
1908	SOA.exe
1908	SOA.exe
2956	powershell.exe
2864	powershell.exe
1908	SOA.exe
1908	SOA.exe
1908	SOA.exe
1908	SOA.exe
1908	SOA.exe
1908	SOA.exe
1908	SOA.exe
1908	SOA.exe
1908	SOA.exe
1908	SOA.exe
1908	SOA.exe
1908	SOA.exe
268	RegSvcs.exe
268	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	SOA.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	268	RegSvcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2956	1908	SOA.exe	30
PID 1908 wrote to memory of 2956	1908	SOA.exe	30
PID 1908 wrote to memory of 2956	1908	SOA.exe	30
PID 1908 wrote to memory of 2956	1908	SOA.exe	30
PID 1908 wrote to memory of 2864	1908	SOA.exe	32
PID 1908 wrote to memory of 2864	1908	SOA.exe	32
PID 1908 wrote to memory of 2864	1908	SOA.exe	32
PID 1908 wrote to memory of 2864	1908	SOA.exe	32
PID 1908 wrote to memory of 2812	1908	SOA.exe	34
PID 1908 wrote to memory of 2812	1908	SOA.exe	34
PID 1908 wrote to memory of 2812	1908	SOA.exe	34
PID 1908 wrote to memory of 2812	1908	SOA.exe	34
PID 1908 wrote to memory of 268	1908	SOA.exe	36
PID 1908 wrote to memory of 268	1908	SOA.exe	36
PID 1908 wrote to memory of 268	1908	SOA.exe	36
PID 1908 wrote to memory of 268	1908	SOA.exe	36
PID 1908 wrote to memory of 268	1908	SOA.exe	36
PID 1908 wrote to memory of 268	1908	SOA.exe	36
PID 1908 wrote to memory of 268	1908	SOA.exe	36
PID 1908 wrote to memory of 268	1908	SOA.exe	36
PID 1908 wrote to memory of 268	1908	SOA.exe	36
PID 1908 wrote to memory of 268	1908	SOA.exe	36
PID 1908 wrote to memory of 268	1908	SOA.exe	36
PID 1908 wrote to memory of 268	1908	SOA.exe	36

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"C:\Users\Admin\AppData\Local\Temp\SOA.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SOA.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kUWqYoB.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kUWqYoB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1851.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1851.tmp

Filesize
1KB

MD5
66c1afa21b0711118ee59a55f27ecd35

SHA1
d4b6cae7e0fb6feeae72ef012ba50e4fb30d4fee

SHA256
451932a5c4c9dbd8d0970b6180303fa31844182960df0b50359338539e15f3c1

SHA512
3299453b35c0721e2db96ff8c6d70e15cc9a1f465824a37eecb0299d0d926ebb698dd77556178c8321621f7845c883308019d47bc28a8c4f10755527553cf316

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GR7R460DFKEKMM4PR7JP.temp

Filesize
7KB

MD5
198450b966d75b9b402402e7ad95b699

SHA1
3e8c7a8c9db55055efb06165f1c6c90787f8cea9

SHA256
d379ea95a5118123e18058a9057c121ed809f17b51c9377ea355014a24eaf68d

SHA512
1917cf0c922ba261485d981383303bdcf8f3d3712f152a100df11e8eba0455eef38857942064912110840c3eca9ddf2220927f07af6f720ec4785faef3ed1915

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
198450b966d75b9b402402e7ad95b699

SHA1
3e8c7a8c9db55055efb06165f1c6c90787f8cea9

SHA256
d379ea95a5118123e18058a9057c121ed809f17b51c9377ea355014a24eaf68d

SHA512
1917cf0c922ba261485d981383303bdcf8f3d3712f152a100df11e8eba0455eef38857942064912110840c3eca9ddf2220927f07af6f720ec4785faef3ed1915

Download Submit
memory/268-85-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/268-84-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/268-82-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/268-93-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/268-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/268-98-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/268-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/268-89-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/268-103-0x0000000001240000-0x0000000001280000-memory.dmp

Filesize
256KB

Download
memory/268-102-0x0000000074630000-0x0000000074D1E000-memory.dmp

Filesize
6.9MB

Download
memory/268-100-0x0000000001240000-0x0000000001280000-memory.dmp

Filesize
256KB

Download
memory/268-99-0x0000000074630000-0x0000000074D1E000-memory.dmp

Filesize
6.9MB

Download
memory/1908-60-0x00000000005D0000-0x00000000005DE000-memory.dmp

Filesize
56KB

Download
memory/1908-54-0x0000000001230000-0x00000000012F6000-memory.dmp

Filesize
792KB

Download
memory/1908-61-0x0000000004F20000-0x0000000004F9C000-memory.dmp

Filesize
496KB

Download
memory/1908-95-0x00000000746B0000-0x0000000074D9E000-memory.dmp

Filesize
6.9MB

Download
memory/1908-59-0x0000000004D80000-0x0000000004DC0000-memory.dmp

Filesize
256KB

Download
memory/1908-58-0x00000000746B0000-0x0000000074D9E000-memory.dmp

Filesize
6.9MB

Download
memory/1908-57-0x0000000000620000-0x000000000063C000-memory.dmp

Filesize
112KB

Download
memory/1908-56-0x0000000004D80000-0x0000000004DC0000-memory.dmp

Filesize
256KB

Download
memory/1908-55-0x00000000746B0000-0x0000000074D9E000-memory.dmp

Filesize
6.9MB

Download
memory/2864-78-0x00000000023E0000-0x0000000002420000-memory.dmp

Filesize
256KB

Download
memory/2864-92-0x000000006F2B0000-0x000000006F85B000-memory.dmp

Filesize
5.7MB

Download
memory/2864-80-0x00000000023E0000-0x0000000002420000-memory.dmp

Filesize
256KB

Download
memory/2864-76-0x00000000023E0000-0x0000000002420000-memory.dmp

Filesize
256KB

Download
memory/2864-75-0x000000006F2B0000-0x000000006F85B000-memory.dmp

Filesize
5.7MB

Download
memory/2956-91-0x000000006F2B0000-0x000000006F85B000-memory.dmp

Filesize
5.7MB

Download
memory/2956-81-0x0000000001D00000-0x0000000001D40000-memory.dmp

Filesize
256KB

Download
memory/2956-79-0x0000000001D00000-0x0000000001D40000-memory.dmp

Filesize
256KB

Download
memory/2956-77-0x000000006F2B0000-0x000000006F85B000-memory.dmp

Filesize
5.7MB

Download
memory/2956-74-0x000000006F2B0000-0x000000006F85B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads