060a4fdb7816a9e9354f46abe08ecb9f58137994bc0dc1a7fddddc4b7e4b5950

General

Target

060a4fdb7816a9e9354f46abe08ecb9f58137994bc0dc1a7fddddc4b7e4b5950.exe
Size

3.0MB
MD5

5a63caa455d49b61af7e26b730b16038
SHA1

0753b71bfad1263da09a2f6c585a04d2c60a1cdd
SHA256

060a4fdb7816a9e9354f46abe08ecb9f58137994bc0dc1a7fddddc4b7e4b5950
SHA512

0514158b69eea96b612f70a850ffdc05ad87b4a52fbac4c535741a6f6dce3e1d0e6ab0b94b91924b6ce8c39dc32d3537c33c07d3ac17edfc19b4a8344c18de12
SSDEEP

49152:S5V9HFqlO+P5HyFDeqBReJagf07l+fbzboeThRv7Gosu3D4:mI0+xHQgfDoeThBGosD

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	AQ5NZ8815.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\AQ5NZ8815 = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\FHNm42tpPv\\AQ5NZ8815.exe"	AQ5NZ8815.exe

Executes dropped EXE 1 IoCs

pid	Process
1356	AQ5NZ8815.exe

Loads dropped DLL 1 IoCs

pid	Process
1356	AQ5NZ8815.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1356	AQ5NZ8815.exe
1356	AQ5NZ8815.exe
1356	AQ5NZ8815.exe
1356	AQ5NZ8815.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	AQ5NZ8815.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1356	AQ5NZ8815.exe
1356	AQ5NZ8815.exe
1356	AQ5NZ8815.exe
1356	AQ5NZ8815.exe
1356	AQ5NZ8815.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 2276	4288	060a4fdb7816a9e9354f46abe08ecb9f58137994bc0dc1a7fddddc4b7e4b5950.exe	87
PID 4288 wrote to memory of 2276	4288	060a4fdb7816a9e9354f46abe08ecb9f58137994bc0dc1a7fddddc4b7e4b5950.exe	87
PID 4288 wrote to memory of 1740	4288	060a4fdb7816a9e9354f46abe08ecb9f58137994bc0dc1a7fddddc4b7e4b5950.exe	88
PID 4288 wrote to memory of 1740	4288	060a4fdb7816a9e9354f46abe08ecb9f58137994bc0dc1a7fddddc4b7e4b5950.exe	88
PID 1740 wrote to memory of 2444	1740	cmd.exe	91
PID 1740 wrote to memory of 2444	1740	cmd.exe	91
PID 2444 wrote to memory of 884	2444	060a4fdb7816a9e9354f46abe08ecb9f58137994bc0dc1a7fddddc4b7e4b5950.exe	92
PID 2444 wrote to memory of 884	2444	060a4fdb7816a9e9354f46abe08ecb9f58137994bc0dc1a7fddddc4b7e4b5950.exe	92
PID 884 wrote to memory of 1356	884	cmd.exe	95
PID 884 wrote to memory of 1356	884	cmd.exe	95
PID 884 wrote to memory of 1356	884	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\060a4fdb7816a9e9354f46abe08ecb9f58137994bc0dc1a7fddddc4b7e4b5950.exe
"C:\Users\Admin\AppData\Local\Temp\060a4fdb7816a9e9354f46abe08ecb9f58137994bc0dc1a7fddddc4b7e4b5950.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c mkdir C:\Users\Admin\AppData\Local\Microsoft\FHNm42tpPv
  2⤵
  PID:2276
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\060a4fdb7816a9e9354f46abe08ecb9f58137994bc0dc1a7fddddc4b7e4b5950.exe" C:\Users\Admin\AppData\Local\Microsoft\FHNm42tpPv -C:\Users\Admin\AppData\Local\Microsoft\FHNm42tpPv -C:\Users\Admin\AppData\Local\Microsoft\FHNm42tpPv -GlOYOtGU
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Users\Admin\AppData\Local\Temp\060a4fdb7816a9e9354f46abe08ecb9f58137994bc0dc1a7fddddc4b7e4b5950.exe
    C:\Users\Admin\AppData\Local\Temp\060a4fdb7816a9e9354f46abe08ecb9f58137994bc0dc1a7fddddc4b7e4b5950.exe C:\Users\Admin\AppData\Local\Microsoft\FHNm42tpPv -C:\Users\Admin\AppData\Local\Microsoft\FHNm42tpPv -C:\Users\Admin\AppData\Local\Microsoft\FHNm42tpPv -GlOYOtGU
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Microsoft\FHNm42tpPv\\AQ5NZ8815.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:884
    - - C:\Users\Admin\AppData\Local\Microsoft\FHNm42tpPv\AQ5NZ8815.exe
        
        C:\Users\Admin\AppData\Local\Microsoft\FHNm42tpPv\\AQ5NZ8815.exe
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FHNm42tpPv\AQ5NZ8815.exe

Filesize
1.4MB

MD5
a135678f9650689720b0d6024ffc55e5

SHA1
f5c08c7bcdff02dafb3d724d6e7ce2e70eba2ca0

SHA256
46c2650cbb699d71b108819b209da19fcb137b620befd1104a010f2f6b678531

SHA512
f056ae6e944e74ac4c032e3a94946de015998fd4182cf24f96764c93768f4cc6d539611c3dab59da258fadaae2a7e2becdcfb35704b7bd88b56796ccf46fe456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FHNm42tpPv\AQ5NZ8815.exe

Filesize
1.4MB

MD5
a135678f9650689720b0d6024ffc55e5

SHA1
f5c08c7bcdff02dafb3d724d6e7ce2e70eba2ca0

SHA256
46c2650cbb699d71b108819b209da19fcb137b620befd1104a010f2f6b678531

SHA512
f056ae6e944e74ac4c032e3a94946de015998fd4182cf24f96764c93768f4cc6d539611c3dab59da258fadaae2a7e2becdcfb35704b7bd88b56796ccf46fe456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FHNm42tpPv\AQ5NZ8815.txt

Filesize
263B

MD5
4ec3112db97257d13e98f2fad9766ce7

SHA1
47cd104db4fcf26ed72ad0e7cda6ccdd05cd9c3d

SHA256
1935ccd854550e4240ee4a0942f39c446e4044466dc0b5fd5bd32cbfe6e91f14

SHA512
1a7ddbbadbffe2d9e9cb55fff332ee867b7816117256272f050b899f7896d4e17f2d8001415a7ab5b59046d96171b3cb88f58575969b85829dc7e355302f8b30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FHNm42tpPv\MidlrtMd.dll

Filesize
1.3MB

MD5
6928796b2292904c0b929cc4df4c00ae

SHA1
58e3518ed4d5140b7453032bc14fff2269cef484

SHA256
c3b675c66a178b0aec063e48058f0e0987b7f44c85a1246d2d1d4d88b2953f48

SHA512
da0eaf9e24aa3364cf2ec058681082fc7246252639929c86dbff7bb0662e115fce77e8eeb1c27488dbec517c61b59a1949329630fefa74387f6a9859a4180593

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FHNm42tpPv\midlrtmd.dll

Filesize
1.3MB

MD5
6928796b2292904c0b929cc4df4c00ae

SHA1
58e3518ed4d5140b7453032bc14fff2269cef484

SHA256
c3b675c66a178b0aec063e48058f0e0987b7f44c85a1246d2d1d4d88b2953f48

SHA512
da0eaf9e24aa3364cf2ec058681082fc7246252639929c86dbff7bb0662e115fce77e8eeb1c27488dbec517c61b59a1949329630fefa74387f6a9859a4180593

Download Submit
memory/1356-20-0x0000000003E30000-0x0000000003EC9000-memory.dmp

Filesize
612KB

Download
memory/1356-26-0x00000000039D0000-0x00000000039D1000-memory.dmp

Filesize
4KB

Download
memory/1356-11-0x0000000003790000-0x00000000039A1000-memory.dmp

Filesize
2.1MB

Download
memory/1356-15-0x0000000003BE0000-0x0000000003C36000-memory.dmp

Filesize
344KB

Download
memory/1356-16-0x0000000003C40000-0x0000000003D2B000-memory.dmp

Filesize
940KB

Download
memory/1356-17-0x0000000003C40000-0x0000000003D2B000-memory.dmp

Filesize
940KB

Download
memory/1356-8-0x0000000002B10000-0x0000000002BF9000-memory.dmp

Filesize
932KB

Download
memory/1356-7-0x0000000002B10000-0x0000000002BF9000-memory.dmp

Filesize
932KB

Download
memory/1356-22-0x0000000004270000-0x00000000043E5000-memory.dmp

Filesize
1.5MB

Download
memory/1356-24-0x0000000003EF0000-0x0000000003F42000-memory.dmp

Filesize
328KB

Download
memory/1356-25-0x00000000039E0000-0x00000000039E1000-memory.dmp

Filesize
4KB

Download
memory/1356-10-0x0000000002B10000-0x0000000002BF9000-memory.dmp

Filesize
932KB

Download
memory/1356-27-0x0000000003790000-0x00000000039A1000-memory.dmp

Filesize
2.1MB

Download
memory/1356-28-0x0000000003EF0000-0x0000000003F42000-memory.dmp

Filesize
328KB

Download
memory/1356-29-0x0000000002B10000-0x0000000002BF9000-memory.dmp

Filesize
932KB

Download
memory/1356-30-0x0000000003790000-0x00000000039A1000-memory.dmp

Filesize
2.1MB

Download
memory/1356-31-0x0000000003BE0000-0x0000000003C36000-memory.dmp

Filesize
344KB

Download
memory/1356-32-0x0000000003C40000-0x0000000003D2B000-memory.dmp

Filesize
940KB

Download
memory/1356-33-0x0000000004270000-0x00000000043E5000-memory.dmp

Filesize
1.5MB

Download
memory/1356-34-0x0000000003E30000-0x0000000003EC9000-memory.dmp

Filesize
612KB

Download
memory/1356-35-0x0000000003EF0000-0x0000000003F42000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads