b0fedb766873e39cea4b925ac482fa4d9a8fed8a2810685d3208053b1b9228a3

General

Target

b0fedb766873e39cea4b925ac482fa4d9a8fed8a2810685d3208053b1b9228a3.exe
Size

2.2MB
MD5

b3467c8b5213819e2ad34af30e71181a
SHA1

ebf6364595dfce80dd3ba7446c57cfa51c6937ff
SHA256

b0fedb766873e39cea4b925ac482fa4d9a8fed8a2810685d3208053b1b9228a3
SHA512

e1cf0e2cfd37060b1d0ac62dd06d53450c9c0b2bd2554701a9711e8127caf79d12c5104ecb28dab98f25828c2f71d6f371530aef23cf4b270d0014282c4bbaec
SSDEEP

49152:HAlOjWOD9W0HqCKCHaGDV4XYjzEDrih+YVdypy:gECOD9W3waq4XYHESC

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	v23e8z16xs4m2463dn1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\v23e8z16xs4m2463dn1 = "C:\\ProgramData\\q6evrw291zv8p0ti126wg4o9bkg0g4ijpq3a7h0b301\\v23e8z16xs4m2463dn1.exe"	v23e8z16xs4m2463dn1.exe

Executes dropped EXE 1 IoCs

pid	Process
3084	v23e8z16xs4m2463dn1.exe

Loads dropped DLL 1 IoCs

pid	Process
3084	v23e8z16xs4m2463dn1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3084	v23e8z16xs4m2463dn1.exe
3084	v23e8z16xs4m2463dn1.exe
3084	v23e8z16xs4m2463dn1.exe
3084	v23e8z16xs4m2463dn1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3084	v23e8z16xs4m2463dn1.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2488	b0fedb766873e39cea4b925ac482fa4d9a8fed8a2810685d3208053b1b9228a3.exe
2488	b0fedb766873e39cea4b925ac482fa4d9a8fed8a2810685d3208053b1b9228a3.exe
3084	v23e8z16xs4m2463dn1.exe
3084	v23e8z16xs4m2463dn1.exe
3084	v23e8z16xs4m2463dn1.exe
3084	v23e8z16xs4m2463dn1.exe
3084	v23e8z16xs4m2463dn1.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 3084	2488	b0fedb766873e39cea4b925ac482fa4d9a8fed8a2810685d3208053b1b9228a3.exe	81
PID 2488 wrote to memory of 3084	2488	b0fedb766873e39cea4b925ac482fa4d9a8fed8a2810685d3208053b1b9228a3.exe	81
PID 2488 wrote to memory of 3084	2488	b0fedb766873e39cea4b925ac482fa4d9a8fed8a2810685d3208053b1b9228a3.exe	81

C:\Users\Admin\AppData\Local\Temp\b0fedb766873e39cea4b925ac482fa4d9a8fed8a2810685d3208053b1b9228a3.exe
"C:\Users\Admin\AppData\Local\Temp\b0fedb766873e39cea4b925ac482fa4d9a8fed8a2810685d3208053b1b9228a3.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2488
- C:\ProgramData\q6evrw291zv8p0ti126wg4o9bkg0g4ijpq3a7h0b301\v23e8z16xs4m2463dn1.exe
  "C:\ProgramData\q6evrw291zv8p0ti126wg4o9bkg0g4ijpq3a7h0b301\v23e8z16xs4m2463dn1.exe"
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\q6evrw291zv8p0ti126wg4o9bkg0g4ijpq3a7h0b301\Rainmeter.dll

Filesize
1.0MB

MD5
ff9b42cc7b4edf7c011ef2b95e6e288d

SHA1
cf71cb056ecdf0e2e30a9fa4aecc5767dc9de045

SHA256
d9ea65e35de4020a37a73373b68b6bd2191e1169ce38a308d50d932930a9991a

SHA512
ba24d3dd068eae91203c43afdf7042076bb39d3c2c08ec15e4be315ac3e00207593ce56ed25f36def7d6c871039e6310d3c4824a6babbe96cfc19ee0fc80c04f

Download Submit
C:\ProgramData\q6evrw291zv8p0ti126wg4o9bkg0g4ijpq3a7h0b301\rainmeter.dll

Filesize
1.0MB

MD5
ff9b42cc7b4edf7c011ef2b95e6e288d

SHA1
cf71cb056ecdf0e2e30a9fa4aecc5767dc9de045

SHA256
d9ea65e35de4020a37a73373b68b6bd2191e1169ce38a308d50d932930a9991a

SHA512
ba24d3dd068eae91203c43afdf7042076bb39d3c2c08ec15e4be315ac3e00207593ce56ed25f36def7d6c871039e6310d3c4824a6babbe96cfc19ee0fc80c04f

Download Submit
C:\ProgramData\q6evrw291zv8p0ti126wg4o9bkg0g4ijpq3a7h0b301\v23e8z16xs4m2463dn1.exe

Filesize
464KB

MD5
8fb40825d6a7ab6615807dbda6c62a62

SHA1
77c2a29b457dcb392f1ae1aa4d82cee152629f35

SHA256
245bf5a58ec5d3dcc34c3d8ecb1dfa996aaff66c26a74eae76c80aacc93e54d1

SHA512
1f0b7d2ceb14cecde1dab2310ad42d882804b20930a4e686619d3f6ea86466bbe79b9eabff0e0f513c85dadd16eed22f39cd8f1cedc3763a6900ed59e126ac6b

Download Submit
C:\ProgramData\q6evrw291zv8p0ti126wg4o9bkg0g4ijpq3a7h0b301\v23e8z16xs4m2463dn1.exe

Filesize
464KB

MD5
8fb40825d6a7ab6615807dbda6c62a62

SHA1
77c2a29b457dcb392f1ae1aa4d82cee152629f35

SHA256
245bf5a58ec5d3dcc34c3d8ecb1dfa996aaff66c26a74eae76c80aacc93e54d1

SHA512
1f0b7d2ceb14cecde1dab2310ad42d882804b20930a4e686619d3f6ea86466bbe79b9eabff0e0f513c85dadd16eed22f39cd8f1cedc3763a6900ed59e126ac6b

Download Submit
C:\ProgramData\q6evrw291zv8p0ti126wg4o9bkg0g4ijpq3a7h0b301\v23e8z16xs4m2463dn1.txt

Filesize
964B

MD5
1ed853dd4d72ca84c5d6f725dd6aa2fe

SHA1
9f08f7cb81398796a93b63334de270359e1a72b1

SHA256
8ec75a696fc3c831856953783cbb235a5d65157128b0a0fb08e06f50e2f11a5f

SHA512
2cde9d9471b4886fc891b5de8a230a6d046a057117f41a389c4048d2b1c5982b09a7f3df33256c4ec468482eb7a1f137c7e7c88dfe7bb99c331737bc6f19cc5b

Download Submit
C:\ProgramData\q6evrw291zv8p0ti126wg4o9bkg0g4ijpq3a7h0b301\v23e8z16xs4m2463dn1.txt

Filesize
964B

MD5
1ed853dd4d72ca84c5d6f725dd6aa2fe

SHA1
9f08f7cb81398796a93b63334de270359e1a72b1

SHA256
8ec75a696fc3c831856953783cbb235a5d65157128b0a0fb08e06f50e2f11a5f

SHA512
2cde9d9471b4886fc891b5de8a230a6d046a057117f41a389c4048d2b1c5982b09a7f3df33256c4ec468482eb7a1f137c7e7c88dfe7bb99c331737bc6f19cc5b

Download Submit
memory/3084-20-0x00000000041D0000-0x00000000042C4000-memory.dmp

Filesize
976KB

Download
memory/3084-25-0x0000000004630000-0x00000000047AB000-memory.dmp

Filesize
1.5MB

Download
memory/3084-12-0x0000000003710000-0x000000000393B000-memory.dmp

Filesize
2.2MB

Download
memory/3084-14-0x0000000003970000-0x0000000003971000-memory.dmp

Filesize
4KB

Download
memory/3084-15-0x0000000003960000-0x0000000003961000-memory.dmp

Filesize
4KB

Download
memory/3084-10-0x0000000002750000-0x0000000002839000-memory.dmp

Filesize
932KB

Download
memory/3084-19-0x0000000003C40000-0x0000000003CA4000-memory.dmp

Filesize
400KB

Download
memory/3084-21-0x00000000041D0000-0x00000000042C4000-memory.dmp

Filesize
976KB

Download
memory/3084-8-0x0000000002750000-0x0000000002839000-memory.dmp

Filesize
932KB

Download
memory/3084-23-0x00000000043D0000-0x000000000448F000-memory.dmp

Filesize
764KB

Download
memory/3084-24-0x0000000004630000-0x00000000047AB000-memory.dmp

Filesize
1.5MB

Download
memory/3084-11-0x0000000002750000-0x0000000002839000-memory.dmp

Filesize
932KB

Download
memory/3084-27-0x0000000003F50000-0x0000000003FA2000-memory.dmp

Filesize
328KB

Download
memory/3084-28-0x0000000003710000-0x000000000393B000-memory.dmp

Filesize
2.2MB

Download
memory/3084-30-0x0000000003710000-0x000000000393B000-memory.dmp

Filesize
2.2MB

Download
memory/3084-31-0x0000000003710000-0x000000000393B000-memory.dmp

Filesize
2.2MB

Download
memory/3084-7-0x0000000002750000-0x0000000002839000-memory.dmp

Filesize
932KB

Download
memory/3084-37-0x0000000003C40000-0x0000000003CA4000-memory.dmp

Filesize
400KB

Download
memory/3084-38-0x00000000041D0000-0x00000000042C4000-memory.dmp

Filesize
976KB

Download
memory/3084-40-0x00000000043D0000-0x000000000448F000-memory.dmp

Filesize
764KB

Download
memory/3084-43-0x0000000004630000-0x00000000047AB000-memory.dmp

Filesize
1.5MB

Download
memory/3084-45-0x0000000003F50000-0x0000000003FA2000-memory.dmp

Filesize
328KB

Download
memory/3084-50-0x0000000003F50000-0x0000000003FA2000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads