e9e53ecc97b7ebe3f200c1bf2de96290d80f2b1900841c61e32c731c0b9d95c7

General

Target

e9e53ecc97b7ebe3f200c1bf2de96290d80f2b1900841c61e32c731c0b9d95c7.exe
Size

1.5MB
MD5

4429a2f472f0b0d4b761ca18da3a3236
SHA1

093040669f59a4e784545db7425c2a66125f5887
SHA256

e9e53ecc97b7ebe3f200c1bf2de96290d80f2b1900841c61e32c731c0b9d95c7
SHA512

dacc5b65afe4145414918ee92e76ac6ed8f2e65654a4b65f398052e868e8a7aa097894d1151746b9087c583625519f9145a31a16db34dd0b80586376bc5f4121
SSDEEP

49152:35qAFJFaDlz2h+TEtIHtQZsPvfvCoz14V82RvCG:pT7FaDlzuctIsPvJ4a2Rv

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xkmeifbrq = "C:\\ProgramData\\twkcedipvasjtzecbtewhn\\xkmeifbrq.exe"	xkmeifbrq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xkmeifbrq.exe

Executes dropped EXE 1 IoCs

pid	Process
2672	xkmeifbrq.exe

Loads dropped DLL 3 IoCs

pid	Process
2604	cmd.exe
2672	xkmeifbrq.exe
2672	xkmeifbrq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2672	xkmeifbrq.exe
2672	xkmeifbrq.exe
2672	xkmeifbrq.exe
2672	xkmeifbrq.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	xkmeifbrq.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1672	e9e53ecc97b7ebe3f200c1bf2de96290d80f2b1900841c61e32c731c0b9d95c7.exe
3040	e9e53ecc97b7ebe3f200c1bf2de96290d80f2b1900841c61e32c731c0b9d95c7.exe
2520	e9e53ecc97b7ebe3f200c1bf2de96290d80f2b1900841c61e32c731c0b9d95c7.exe
2672	xkmeifbrq.exe
2672	xkmeifbrq.exe
2672	xkmeifbrq.exe
2672	xkmeifbrq.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2104	1672	e9e53ecc97b7ebe3f200c1bf2de96290d80f2b1900841c61e32c731c0b9d95c7.exe	28
PID 1672 wrote to memory of 2104	1672	e9e53ecc97b7ebe3f200c1bf2de96290d80f2b1900841c61e32c731c0b9d95c7.exe	28
PID 1672 wrote to memory of 2104	1672	e9e53ecc97b7ebe3f200c1bf2de96290d80f2b1900841c61e32c731c0b9d95c7.exe	28
PID 1672 wrote to memory of 2104	1672	e9e53ecc97b7ebe3f200c1bf2de96290d80f2b1900841c61e32c731c0b9d95c7.exe	28
PID 1672 wrote to memory of 3040	1672	e9e53ecc97b7ebe3f200c1bf2de96290d80f2b1900841c61e32c731c0b9d95c7.exe	30
PID 1672 wrote to memory of 3040	1672	e9e53ecc97b7ebe3f200c1bf2de96290d80f2b1900841c61e32c731c0b9d95c7.exe	30
PID 1672 wrote to memory of 3040	1672	e9e53ecc97b7ebe3f200c1bf2de96290d80f2b1900841c61e32c731c0b9d95c7.exe	30
PID 1672 wrote to memory of 3040	1672	e9e53ecc97b7ebe3f200c1bf2de96290d80f2b1900841c61e32c731c0b9d95c7.exe	30
PID 3040 wrote to memory of 2520	3040	e9e53ecc97b7ebe3f200c1bf2de96290d80f2b1900841c61e32c731c0b9d95c7.exe	31
PID 3040 wrote to memory of 2520	3040	e9e53ecc97b7ebe3f200c1bf2de96290d80f2b1900841c61e32c731c0b9d95c7.exe	31
PID 3040 wrote to memory of 2520	3040	e9e53ecc97b7ebe3f200c1bf2de96290d80f2b1900841c61e32c731c0b9d95c7.exe	31
PID 3040 wrote to memory of 2520	3040	e9e53ecc97b7ebe3f200c1bf2de96290d80f2b1900841c61e32c731c0b9d95c7.exe	31
PID 2520 wrote to memory of 2604	2520	e9e53ecc97b7ebe3f200c1bf2de96290d80f2b1900841c61e32c731c0b9d95c7.exe	32
PID 2520 wrote to memory of 2604	2520	e9e53ecc97b7ebe3f200c1bf2de96290d80f2b1900841c61e32c731c0b9d95c7.exe	32
PID 2520 wrote to memory of 2604	2520	e9e53ecc97b7ebe3f200c1bf2de96290d80f2b1900841c61e32c731c0b9d95c7.exe	32
PID 2520 wrote to memory of 2604	2520	e9e53ecc97b7ebe3f200c1bf2de96290d80f2b1900841c61e32c731c0b9d95c7.exe	32
PID 2604 wrote to memory of 2672	2604	cmd.exe	34
PID 2604 wrote to memory of 2672	2604	cmd.exe	34
PID 2604 wrote to memory of 2672	2604	cmd.exe	34
PID 2604 wrote to memory of 2672	2604	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\e9e53ecc97b7ebe3f200c1bf2de96290d80f2b1900841c61e32c731c0b9d95c7.exe
"C:\Users\Admin\AppData\Local\Temp\e9e53ecc97b7ebe3f200c1bf2de96290d80f2b1900841c61e32c731c0b9d95c7.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c md C:\ProgramData\twkcedipvasjtzecbtewhn
  2⤵
  PID:2104
- C:\Users\Admin\AppData\Local\Temp\e9e53ecc97b7ebe3f200c1bf2de96290d80f2b1900841c61e32c731c0b9d95c7.exe
  GG433A5C50726F6772616D446174615C74776B63656469707661736A747A656362746577686E5C786B6D6569666272712E657865
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Users\Admin\AppData\Local\Temp\e9e53ecc97b7ebe3f200c1bf2de96290d80f2b1900841c61e32c731c0b9d95c7.exe
    JJ433A5C50726F6772616D446174615C74776B63656469707661736A747A656362746577686E5C786B6D6569666272712E657865
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\ProgramData\twkcedipvasjtzecbtewhn\xkmeifbrq.exe
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\ProgramData\twkcedipvasjtzecbtewhn\xkmeifbrq.exe
        
        C:\ProgramData\twkcedipvasjtzecbtewhn\xkmeifbrq.exe
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\twkcedipvasjtzecbtewhn\MSVCR100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\ProgramData\twkcedipvasjtzecbtewhn\jli.dll

Filesize
552KB

MD5
e04ef359ef8be6a8deeab8db30337fda

SHA1
7f27a8bfa000e520903dad18459bed45dac5ef69

SHA256
42edd59f521fadb2ef4844da74e5aaea899ea174f2f083628b1751733e0f2cf4

SHA512
26356b8866f946dd8d8ba1d11936ea914e22d97288ad78c5f4615114f11a64d98bee60d8058108936b838ca6e89353842608d0afd255ecb08353dfaef7e2438f

Download Submit
C:\ProgramData\twkcedipvasjtzecbtewhn\xkmeifbrq.exe

Filesize
16KB

MD5
973b4b2658796840ad6ff9ac1cb21383

SHA1
2ae4808a1d7e450707a9f928ea13cd73e5040431

SHA256
f671045566c60930dc459aa30e2bb38f25525e670bf72f7b69c1f918ae3d9565

SHA512
42e313fae2f84c6ecc7b5c2c4178bcbcf3043fd239d9b05f5614b64e2d8841a7fe54a0786c1b5752bb1b54079b9873d6ade63e7b00cb4118a007d3d0360d6b4c

Download Submit
C:\ProgramData\twkcedipvasjtzecbtewhn\xkmeifbrq.exe

Filesize
16KB

MD5
973b4b2658796840ad6ff9ac1cb21383

SHA1
2ae4808a1d7e450707a9f928ea13cd73e5040431

SHA256
f671045566c60930dc459aa30e2bb38f25525e670bf72f7b69c1f918ae3d9565

SHA512
42e313fae2f84c6ecc7b5c2c4178bcbcf3043fd239d9b05f5614b64e2d8841a7fe54a0786c1b5752bb1b54079b9873d6ade63e7b00cb4118a007d3d0360d6b4c

Download Submit
C:\ProgramData\twkcedipvasjtzecbtewhn\xkmeifbrq.txt

Filesize
252B

MD5
a6afaf7e7453d584901a54f32f56526f

SHA1
edb832a65d2c4dc5f36eb5c81263bad28c6d1057

SHA256
1a869302de44c7618c0bae3a7ae2e3282298fc949d2c61015112135a419e122d

SHA512
83d9fc94f49b6300a667a91d74b699c8a6e3f0f76de6d1f3377702daeeb35aaab9126c8dc2df5fb81862f69b94d8af330e5448bc4593f0cf2412c8008e4b11dd

Download Submit
\ProgramData\twkcedipvasjtzecbtewhn\jli.dll

Filesize
552KB

MD5
e04ef359ef8be6a8deeab8db30337fda

SHA1
7f27a8bfa000e520903dad18459bed45dac5ef69

SHA256
42edd59f521fadb2ef4844da74e5aaea899ea174f2f083628b1751733e0f2cf4

SHA512
26356b8866f946dd8d8ba1d11936ea914e22d97288ad78c5f4615114f11a64d98bee60d8058108936b838ca6e89353842608d0afd255ecb08353dfaef7e2438f

Download Submit
\ProgramData\twkcedipvasjtzecbtewhn\msvcr100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
\ProgramData\twkcedipvasjtzecbtewhn\xkmeifbrq.exe

Filesize
16KB

MD5
973b4b2658796840ad6ff9ac1cb21383

SHA1
2ae4808a1d7e450707a9f928ea13cd73e5040431

SHA256
f671045566c60930dc459aa30e2bb38f25525e670bf72f7b69c1f918ae3d9565

SHA512
42e313fae2f84c6ecc7b5c2c4178bcbcf3043fd239d9b05f5614b64e2d8841a7fe54a0786c1b5752bb1b54079b9873d6ade63e7b00cb4118a007d3d0360d6b4c

Download Submit
memory/2672-22-0x00000000036D0000-0x00000000037BB000-memory.dmp

Filesize
940KB

Download
memory/2672-28-0x0000000003C70000-0x0000000003DE5000-memory.dmp

Filesize
1.5MB

Download
memory/2672-13-0x0000000000C80000-0x0000000000D67000-memory.dmp

Filesize
924KB

Download
memory/2672-15-0x0000000000C80000-0x0000000000D67000-memory.dmp

Filesize
924KB

Download
memory/2672-16-0x00000000031D0000-0x00000000033E1000-memory.dmp

Filesize
2.1MB

Download
memory/2672-20-0x0000000002C00000-0x0000000002C56000-memory.dmp

Filesize
344KB

Download
memory/2672-11-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2672-21-0x00000000036D0000-0x00000000037BB000-memory.dmp

Filesize
940KB

Download
memory/2672-26-0x0000000003C70000-0x0000000003DE5000-memory.dmp

Filesize
1.5MB

Download
memory/2672-25-0x0000000000C80000-0x0000000000D67000-memory.dmp

Filesize
924KB

Download
memory/2672-24-0x00000000034F0000-0x0000000003589000-memory.dmp

Filesize
612KB

Download
memory/2672-12-0x0000000000C80000-0x0000000000D67000-memory.dmp

Filesize
924KB

Download
memory/2672-30-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2672-29-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2672-31-0x0000000002DF0000-0x0000000002E42000-memory.dmp

Filesize
328KB

Download
memory/2672-32-0x00000000031D0000-0x00000000033E1000-memory.dmp

Filesize
2.1MB

Download
memory/2672-33-0x0000000002DF0000-0x0000000002E42000-memory.dmp

Filesize
328KB

Download
memory/2672-34-0x00000000031D0000-0x00000000033E1000-memory.dmp

Filesize
2.1MB

Download
memory/2672-35-0x0000000002C00000-0x0000000002C56000-memory.dmp

Filesize
344KB

Download
memory/2672-36-0x00000000036D0000-0x00000000037BB000-memory.dmp

Filesize
940KB

Download
memory/2672-37-0x00000000034F0000-0x0000000003589000-memory.dmp

Filesize
612KB

Download
memory/2672-38-0x0000000003C70000-0x0000000003DE5000-memory.dmp

Filesize
1.5MB

Download
memory/2672-39-0x0000000002DF0000-0x0000000002E42000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads