73f3d5b479475f42dea4f14c8e9d5c232901d7ea9624365b3fd5cd7d70d04de8

General

Target

73f3d5b479475f42dea4f14c8e9d5c232901d7ea9624365b3fd5cd7d70d04de8.exe
Size

1.7MB
MD5

540bb3e5072e0c6aae289afc813ea520
SHA1

ca151643aa4bb15e393d2f4495c5325505bdefbe
SHA256

73f3d5b479475f42dea4f14c8e9d5c232901d7ea9624365b3fd5cd7d70d04de8
SHA512

eaaf290af4f7224398addc766967498dc92ed8d2dc293f7c5143af2568c8eb4e71815610c605bfbf85345ee4badf4da8d6c7dc5f47712ab9faeb96ae45d0e03f
SSDEEP

24576:Sv3vl141jUMSj81TIsW1il7rwcH5qoqwnUnXLN4ETDWQKwj/bFXNvQul:Sv3vl1NPW7kcH5tTUXCaDyIpQ

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wqsxzmuvpugvxsguharqlnpdgvpqlnupryzhoqlhs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wqsxzmuvpugvxsguharqlnpdgvpqlnupryzhoqlhs = "C:\\ProgramData\\uxcxmepsaaexrgngpwkbaisnbpocaopjoxyabmow\\wqsxzmuvpugvxsguharqlnpdgvpqlnupryzhoqlhs.exe"	wqsxzmuvpugvxsguharqlnpdgvpqlnupryzhoqlhs.exe

Executes dropped EXE 1 IoCs

pid	Process
2708	wqsxzmuvpugvxsguharqlnpdgvpqlnupryzhoqlhs.exe

Loads dropped DLL 3 IoCs

pid	Process
2724	cmd.exe
2708	wqsxzmuvpugvxsguharqlnpdgvpqlnupryzhoqlhs.exe
2708	wqsxzmuvpugvxsguharqlnpdgvpqlnupryzhoqlhs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2708	wqsxzmuvpugvxsguharqlnpdgvpqlnupryzhoqlhs.exe
2708	wqsxzmuvpugvxsguharqlnpdgvpqlnupryzhoqlhs.exe
2708	wqsxzmuvpugvxsguharqlnpdgvpqlnupryzhoqlhs.exe
2708	wqsxzmuvpugvxsguharqlnpdgvpqlnupryzhoqlhs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	wqsxzmuvpugvxsguharqlnpdgvpqlnupryzhoqlhs.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2456	73f3d5b479475f42dea4f14c8e9d5c232901d7ea9624365b3fd5cd7d70d04de8.exe
2052	73f3d5b479475f42dea4f14c8e9d5c232901d7ea9624365b3fd5cd7d70d04de8.exe
2664	73f3d5b479475f42dea4f14c8e9d5c232901d7ea9624365b3fd5cd7d70d04de8.exe
2708	wqsxzmuvpugvxsguharqlnpdgvpqlnupryzhoqlhs.exe
2708	wqsxzmuvpugvxsguharqlnpdgvpqlnupryzhoqlhs.exe
2708	wqsxzmuvpugvxsguharqlnpdgvpqlnupryzhoqlhs.exe
2708	wqsxzmuvpugvxsguharqlnpdgvpqlnupryzhoqlhs.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 2052	2456	73f3d5b479475f42dea4f14c8e9d5c232901d7ea9624365b3fd5cd7d70d04de8.exe	28
PID 2456 wrote to memory of 2052	2456	73f3d5b479475f42dea4f14c8e9d5c232901d7ea9624365b3fd5cd7d70d04de8.exe	28
PID 2456 wrote to memory of 2052	2456	73f3d5b479475f42dea4f14c8e9d5c232901d7ea9624365b3fd5cd7d70d04de8.exe	28
PID 2456 wrote to memory of 2052	2456	73f3d5b479475f42dea4f14c8e9d5c232901d7ea9624365b3fd5cd7d70d04de8.exe	28
PID 2052 wrote to memory of 2664	2052	73f3d5b479475f42dea4f14c8e9d5c232901d7ea9624365b3fd5cd7d70d04de8.exe	29
PID 2052 wrote to memory of 2664	2052	73f3d5b479475f42dea4f14c8e9d5c232901d7ea9624365b3fd5cd7d70d04de8.exe	29
PID 2052 wrote to memory of 2664	2052	73f3d5b479475f42dea4f14c8e9d5c232901d7ea9624365b3fd5cd7d70d04de8.exe	29
PID 2052 wrote to memory of 2664	2052	73f3d5b479475f42dea4f14c8e9d5c232901d7ea9624365b3fd5cd7d70d04de8.exe	29
PID 2664 wrote to memory of 2724	2664	73f3d5b479475f42dea4f14c8e9d5c232901d7ea9624365b3fd5cd7d70d04de8.exe	30
PID 2664 wrote to memory of 2724	2664	73f3d5b479475f42dea4f14c8e9d5c232901d7ea9624365b3fd5cd7d70d04de8.exe	30
PID 2664 wrote to memory of 2724	2664	73f3d5b479475f42dea4f14c8e9d5c232901d7ea9624365b3fd5cd7d70d04de8.exe	30
PID 2664 wrote to memory of 2724	2664	73f3d5b479475f42dea4f14c8e9d5c232901d7ea9624365b3fd5cd7d70d04de8.exe	30
PID 2724 wrote to memory of 2708	2724	cmd.exe	32
PID 2724 wrote to memory of 2708	2724	cmd.exe	32
PID 2724 wrote to memory of 2708	2724	cmd.exe	32
PID 2724 wrote to memory of 2708	2724	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\73f3d5b479475f42dea4f14c8e9d5c232901d7ea9624365b3fd5cd7d70d04de8.exe
"C:\Users\Admin\AppData\Local\Temp\73f3d5b479475f42dea4f14c8e9d5c232901d7ea9624365b3fd5cd7d70d04de8.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Local\Temp\73f3d5b479475f42dea4f14c8e9d5c232901d7ea9624365b3fd5cd7d70d04de8.exe
  NH433A5C50726F6772616D446174615C757863786D6570736161657872676E6770776B626169736E62706F63616F706A6F787961626D6F775C777173787A6D75767075677678736775686172716C6E7064677670716C6E757072797A686F716C68732E657865
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Users\Admin\AppData\Local\Temp\73f3d5b479475f42dea4f14c8e9d5c232901d7ea9624365b3fd5cd7d70d04de8.exe
    KJ433A5C50726F6772616D446174615C757863786D6570736161657872676E6770776B626169736E62706F63616F706A6F787961626D6F775C777173787A6D75767075677678736775686172716C6E7064677670716C6E757072797A686F716C68732E657865
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\ProgramData\uxcxmepsaaexrgngpwkbaisnbpocaopjoxyabmow\wqsxzmuvpugvxsguharqlnpdgvpqlnupryzhoqlhs.exe
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\ProgramData\uxcxmepsaaexrgngpwkbaisnbpocaopjoxyabmow\wqsxzmuvpugvxsguharqlnpdgvpqlnupryzhoqlhs.exe
        
        C:\ProgramData\uxcxmepsaaexrgngpwkbaisnbpocaopjoxyabmow\wqsxzmuvpugvxsguharqlnpdgvpqlnupryzhoqlhs.exe
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\uxcxmepsaaexrgngpwkbaisnbpocaopjoxyabmow\MSVCR100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\ProgramData\uxcxmepsaaexrgngpwkbaisnbpocaopjoxyabmow\jli.dll

Filesize
732KB

MD5
9822bb04c130fc6a90c8b067ca671f3a

SHA1
2dda84fb243d7265993b7c16ac7054ac7ee2cbc9

SHA256
331dee431d8e7d8b7cd4fe8e16853452d98c614a9a111f76142c910092ce3525

SHA512
dc4520826a9b5ec80d0040eb797f25f5a13c7f32039210c7155afc42793559a769785160871800dc9f25670040c4b58c68cfe853e2ea1c8a92c14d8c7994f72e

Download Submit
C:\ProgramData\uxcxmepsaaexrgngpwkbaisnbpocaopjoxyabmow\wqsxzmuvpugvxsguharqlnpdgvpqlnupryzhoqlhs.exe

Filesize
16KB

MD5
973b4b2658796840ad6ff9ac1cb21383

SHA1
2ae4808a1d7e450707a9f928ea13cd73e5040431

SHA256
f671045566c60930dc459aa30e2bb38f25525e670bf72f7b69c1f918ae3d9565

SHA512
42e313fae2f84c6ecc7b5c2c4178bcbcf3043fd239d9b05f5614b64e2d8841a7fe54a0786c1b5752bb1b54079b9873d6ade63e7b00cb4118a007d3d0360d6b4c

Download Submit
C:\ProgramData\uxcxmepsaaexrgngpwkbaisnbpocaopjoxyabmow\wqsxzmuvpugvxsguharqlnpdgvpqlnupryzhoqlhs.exe

Filesize
16KB

MD5
973b4b2658796840ad6ff9ac1cb21383

SHA1
2ae4808a1d7e450707a9f928ea13cd73e5040431

SHA256
f671045566c60930dc459aa30e2bb38f25525e670bf72f7b69c1f918ae3d9565

SHA512
42e313fae2f84c6ecc7b5c2c4178bcbcf3043fd239d9b05f5614b64e2d8841a7fe54a0786c1b5752bb1b54079b9873d6ade63e7b00cb4118a007d3d0360d6b4c

Download Submit
C:\ProgramData\uxcxmepsaaexrgngpwkbaisnbpocaopjoxyabmow\wqsxzmuvpugvxsguharqlnpdgvpqlnupryzhoqlhs.txt

Filesize
362B

MD5
0be31175a49a2d40f61203a487cd7f2f

SHA1
fec8a00a3e641a73a511f35099d1ec957e01ae25

SHA256
a409f120c89df0e91e3411a7b9f9f6ee7dd571c7f7ffc09407f6906b9d55f4d6

SHA512
903ae7ba43cd99983d9c4ed11c59783790ae5ffbfdf63a2d8cd00e214716f61cdafeddfe20c4b7a6eb7481a9f11e17aa8677f484057173b548caaa31d7972919

Download Submit
\ProgramData\uxcxmepsaaexrgngpwkbaisnbpocaopjoxyabmow\jli.dll

Filesize
732KB

MD5
9822bb04c130fc6a90c8b067ca671f3a

SHA1
2dda84fb243d7265993b7c16ac7054ac7ee2cbc9

SHA256
331dee431d8e7d8b7cd4fe8e16853452d98c614a9a111f76142c910092ce3525

SHA512
dc4520826a9b5ec80d0040eb797f25f5a13c7f32039210c7155afc42793559a769785160871800dc9f25670040c4b58c68cfe853e2ea1c8a92c14d8c7994f72e

Download Submit
\ProgramData\uxcxmepsaaexrgngpwkbaisnbpocaopjoxyabmow\msvcr100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
\ProgramData\uxcxmepsaaexrgngpwkbaisnbpocaopjoxyabmow\wqsxzmuvpugvxsguharqlnpdgvpqlnupryzhoqlhs.exe

Filesize
16KB

MD5
973b4b2658796840ad6ff9ac1cb21383

SHA1
2ae4808a1d7e450707a9f928ea13cd73e5040431

SHA256
f671045566c60930dc459aa30e2bb38f25525e670bf72f7b69c1f918ae3d9565

SHA512
42e313fae2f84c6ecc7b5c2c4178bcbcf3043fd239d9b05f5614b64e2d8841a7fe54a0786c1b5752bb1b54079b9873d6ade63e7b00cb4118a007d3d0360d6b4c

Download Submit
memory/2052-9-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2052-8-0x0000000002220000-0x00000000023ED000-memory.dmp

Filesize
1.8MB

Download
memory/2052-3-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2456-2-0x00000000026D0000-0x000000000289D000-memory.dmp

Filesize
1.8MB

Download
memory/2456-1-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2456-47-0x00000000026D0000-0x000000000289D000-memory.dmp

Filesize
1.8MB

Download
memory/2456-0-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2664-10-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2664-15-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2708-22-0x0000000002070000-0x0000000002159000-memory.dmp

Filesize
932KB

Download
memory/2708-37-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2708-23-0x0000000002070000-0x0000000002159000-memory.dmp

Filesize
932KB

Download
memory/2708-24-0x00000000030D0000-0x00000000032E1000-memory.dmp

Filesize
2.1MB

Download
memory/2708-28-0x0000000001E30000-0x0000000001E86000-memory.dmp

Filesize
344KB

Download
memory/2708-30-0x0000000003610000-0x00000000036FB000-memory.dmp

Filesize
940KB

Download
memory/2708-29-0x0000000003610000-0x00000000036FB000-memory.dmp

Filesize
940KB

Download
memory/2708-34-0x0000000003C10000-0x0000000003D85000-memory.dmp

Filesize
1.5MB

Download
memory/2708-33-0x0000000003C10000-0x0000000003D85000-memory.dmp

Filesize
1.5MB

Download
memory/2708-32-0x0000000002D40000-0x0000000002DD9000-memory.dmp

Filesize
612KB

Download
memory/2708-36-0x00000000023C0000-0x0000000002412000-memory.dmp

Filesize
328KB

Download
memory/2708-20-0x0000000002070000-0x0000000002159000-memory.dmp

Filesize
932KB

Download
memory/2708-38-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2708-39-0x00000000030D0000-0x00000000032E1000-memory.dmp

Filesize
2.1MB

Download
memory/2708-40-0x00000000023C0000-0x0000000002412000-memory.dmp

Filesize
328KB

Download
memory/2708-41-0x00000000030D0000-0x00000000032E1000-memory.dmp

Filesize
2.1MB

Download
memory/2708-42-0x0000000001E30000-0x0000000001E86000-memory.dmp

Filesize
344KB

Download
memory/2708-43-0x0000000003610000-0x00000000036FB000-memory.dmp

Filesize
940KB

Download
memory/2708-44-0x0000000002D40000-0x0000000002DD9000-memory.dmp

Filesize
612KB

Download
memory/2708-45-0x0000000003C10000-0x0000000003D85000-memory.dmp

Filesize
1.5MB

Download
memory/2708-46-0x00000000023C0000-0x0000000002412000-memory.dmp

Filesize
328KB

Download
memory/2708-19-0x0000000002070000-0x0000000002159000-memory.dmp

Filesize
932KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads