067454e4c56e421442cd036923c2a8b7f60f4f4ce59f4243160d36f959d1bff1

General

Target

1f8187292660e4ab4a567f917ed5fee8.exe
Size

5.5MB
MD5

1f8187292660e4ab4a567f917ed5fee8
SHA1

832442b51532bff1a93b62e8a64509d81ea58294
SHA256

067454e4c56e421442cd036923c2a8b7f60f4f4ce59f4243160d36f959d1bff1
SHA512

be84f01f27898e933be08e5cbe75a2cdf976f5dc99876bf67171fb9c94b25863e41a823aef89ca52c3d87694ca4eb065425b1312a64baea78ca70de673a76330
SSDEEP

98304:gvSYro+waPiQjmjP028bc0TtJEJNx5DJXMWbD0nLWI9HJn6wz6+Ln7kr+qrRW6Ja:WpUwjmjc28Imk3jsymJn62t3UE6llYn

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{89820200-ECBD-11CF-8B85-00AA005B4340}	1f8187292660e4ab4a567f917ed5fee8.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{89820200-ECBD-11CF-8B85-00AA005B4383}	1f8187292660e4ab4a567f917ed5fee8.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{89B4C1CD-B018-4511-B0A1-5476DBF70820}	1f8187292660e4ab4a567f917ed5fee8.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{8A69D345-D564-463C-AFF1-A69D9E530F96}	1f8187292660e4ab4a567f917ed5fee8.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	1f8187292660e4ab4a567f917ed5fee8.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Active Setup\Installed Components	1f8187292660e4ab4a567f917ed5fee8.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}	1f8187292660e4ab4a567f917ed5fee8.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{6BF52A52-394A-11D3-B153-00C04F79FAA6}	1f8187292660e4ab4a567f917ed5fee8.tmp

Executes dropped EXE 1 IoCs

pid	Process
4980	1f8187292660e4ab4a567f917ed5fee8.tmp

Loads dropped DLL 2 IoCs

pid	Process
4980	1f8187292660e4ab4a567f917ed5fee8.tmp
4980	1f8187292660e4ab4a567f917ed5fee8.tmp

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	17	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	30	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	31	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4664	powershell.exe
4664	powershell.exe
4664	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4664	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 4980	3076	1f8187292660e4ab4a567f917ed5fee8.exe	90
PID 3076 wrote to memory of 4980	3076	1f8187292660e4ab4a567f917ed5fee8.exe	90
PID 3076 wrote to memory of 4980	3076	1f8187292660e4ab4a567f917ed5fee8.exe	90
PID 4980 wrote to memory of 5076	4980	1f8187292660e4ab4a567f917ed5fee8.tmp	95
PID 4980 wrote to memory of 5076	4980	1f8187292660e4ab4a567f917ed5fee8.tmp	95
PID 4980 wrote to memory of 5076	4980	1f8187292660e4ab4a567f917ed5fee8.tmp	95
PID 5076 wrote to memory of 4664	5076	cmd.exe	97
PID 5076 wrote to memory of 4664	5076	cmd.exe	97
PID 5076 wrote to memory of 4664	5076	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\1f8187292660e4ab4a567f917ed5fee8.exe
"C:\Users\Admin\AppData\Local\Temp\1f8187292660e4ab4a567f917ed5fee8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Users\Admin\AppData\Local\Temp\is-GMQMH.tmp\1f8187292660e4ab4a567f917ed5fee8.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-GMQMH.tmp\1f8187292660e4ab4a567f917ed5fee8.tmp" /SL5="$11006A,5495633,56832,C:\Users\Admin\AppData\Local\Temp\1f8187292660e4ab4a567f917ed5fee8.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-DFR5P.tmp\ex.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-DFR5P.tmp\ex.bat

Filesize
786B

MD5
63535b5c3c87f0aee85a2aa05a288f8f

SHA1
a614a06b8d4a1b7ca823ba0296b6a0cd23196bd1

SHA256
01bdde5ada766b11a07fd82bb8e8f3d5cb8c3d51db4546dee045cef6a6469630

SHA512
2d764d8f2c45f27329ee268b80cd275835ef4e5e0c264c23186fad8323164db7ac319c3a9c62693f5b6ee61a1982cee6730d4c68ff08974b45974685e6075553

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DFR5P.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GMQMH.tmp\1f8187292660e4ab4a567f917ed5fee8.tmp

Filesize
693KB

MD5
160db79a135d5f5eb6e5f504ed4c38c9

SHA1
8ded92aa5a701cbea1b3d0ba64bce647bf89f008

SHA256
f6520eeff2df974d976fc2c7237536b69d238b5e462927565d539faf3a6fd82c

SHA512
6f1c9238de82db7596a9ac9052613c08c3a30af8b7e1a869333da7ca221ea5393a86088de4394ae408a9e2d4a792ad688f21df97066067195a2427d581642ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GMQMH.tmp\1f8187292660e4ab4a567f917ed5fee8.tmp

Filesize
305KB

MD5
4fa60e8a7a4dd42b07939ab72b39fe37

SHA1
f237094146fffddb8a1f6bf015f8bbf44f5af018

SHA256
f8a9bbbf61782f700ecf398510a07fc6c9df6fdde9c73602abc041c878990770

SHA512
1e091e6b336d24799b15228766ec744d0c9b742b058886156e8f8aff2d79248ce36827ff4d57ed50e3475f8c61f98886f8473f36240f81988374a3f04cbe11d1

Download Submit
memory/3076-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3076-50-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3076-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4664-26-0x0000000005560000-0x00000000055C6000-memory.dmp

Filesize
408KB

Download
memory/4664-47-0x0000000072F90000-0x0000000073740000-memory.dmp

Filesize
7.7MB

Download
memory/4664-23-0x00000000022B0000-0x00000000022C0000-memory.dmp

Filesize
64KB

Download
memory/4664-24-0x0000000004EC0000-0x00000000054E8000-memory.dmp

Filesize
6.2MB

Download
memory/4664-27-0x00000000055D0000-0x0000000005636000-memory.dmp

Filesize
408KB

Download
memory/4664-22-0x0000000072F90000-0x0000000073740000-memory.dmp

Filesize
7.7MB

Download
memory/4664-21-0x00000000022C0000-0x00000000022F6000-memory.dmp

Filesize
216KB

Download
memory/4664-37-0x0000000005640000-0x0000000005994000-memory.dmp

Filesize
3.3MB

Download
memory/4664-25-0x0000000004C40000-0x0000000004C62000-memory.dmp

Filesize
136KB

Download
memory/4664-38-0x0000000005BE0000-0x0000000005BFE000-memory.dmp

Filesize
120KB

Download
memory/4664-39-0x0000000005C20000-0x0000000005C6C000-memory.dmp

Filesize
304KB

Download
memory/4664-42-0x0000000006180000-0x00000000061A2000-memory.dmp

Filesize
136KB

Download
memory/4664-43-0x0000000007460000-0x0000000007A04000-memory.dmp

Filesize
5.6MB

Download
memory/4664-41-0x0000000006130000-0x000000000614A000-memory.dmp

Filesize
104KB

Download
memory/4664-40-0x0000000006BC0000-0x0000000006C56000-memory.dmp

Filesize
600KB

Download
memory/4664-44-0x0000000008090000-0x000000000870A000-memory.dmp

Filesize
6.5MB

Download
memory/4980-16-0x0000000003A90000-0x0000000003ACC000-memory.dmp

Filesize
240KB

Download
memory/4980-52-0x0000000003A90000-0x0000000003ACC000-memory.dmp

Filesize
240KB

Download
memory/4980-51-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4980-7-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/4980-53-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads