8629d37cddd52e548dd4cbfc906a7e9c32ccfe85dfdda10e9221291713ce9a3a

General

Target

2dd47fec1e853f0e24f73b39e0421576.exe
Size

132KB
MD5

2dd47fec1e853f0e24f73b39e0421576
SHA1

bf01db1275a90a4429ea10b01b4044e5c650d84a
SHA256

8629d37cddd52e548dd4cbfc906a7e9c32ccfe85dfdda10e9221291713ce9a3a
SHA512

2c2f8349be5d27ea07d0a0c0e0cab05d2f57d90ae84ffc6a73eb7b910b6eb729ae23d1ea0286892bff547a700ad1a131c405cdc281d4d15eaa84d4945ff3e590
SSDEEP

3072:FWl6Xy/qieYId24Wug9d0j+lIemH3/J/iJmE:FWEy/qieYIYQgjY2IemHPJ/iJmE

Score

8^/10

evasion persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\BITS\Parameters\ServiceDll = "C:\\Windows\\system32\\qmgr.dll"	2dd47fec1e853f0e24f73b39e0421576.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 1 IoCs

pid	Process
3544	2dd47fec1e853f0e24f73b39e0421576.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\SysWOW64\qmgr.dll	2dd47fec1e853f0e24f73b39e0421576.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3724	sc.exe
724	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1168	3544	WerFault.exe	16

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3544	2dd47fec1e853f0e24f73b39e0421576.exe
3544	2dd47fec1e853f0e24f73b39e0421576.exe
3544	2dd47fec1e853f0e24f73b39e0421576.exe
3544	2dd47fec1e853f0e24f73b39e0421576.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 4328	3544	2dd47fec1e853f0e24f73b39e0421576.exe	47
PID 3544 wrote to memory of 4328	3544	2dd47fec1e853f0e24f73b39e0421576.exe	47
PID 3544 wrote to memory of 4328	3544	2dd47fec1e853f0e24f73b39e0421576.exe	47
PID 4328 wrote to memory of 2520	4328	cmd.exe	46
PID 4328 wrote to memory of 2520	4328	cmd.exe	46
PID 4328 wrote to memory of 2520	4328	cmd.exe	46
PID 2520 wrote to memory of 3652	2520	net.exe	45
PID 2520 wrote to memory of 3652	2520	net.exe	45
PID 2520 wrote to memory of 3652	2520	net.exe	45
PID 4328 wrote to memory of 1548	4328	cmd.exe	44
PID 4328 wrote to memory of 1548	4328	cmd.exe	44
PID 4328 wrote to memory of 1548	4328	cmd.exe	44
PID 1548 wrote to memory of 2788	1548	net.exe	43
PID 1548 wrote to memory of 2788	1548	net.exe	43
PID 1548 wrote to memory of 2788	1548	net.exe	43
PID 4328 wrote to memory of 3724	4328	cmd.exe	98
PID 4328 wrote to memory of 3724	4328	cmd.exe	98
PID 4328 wrote to memory of 3724	4328	cmd.exe	98
PID 4328 wrote to memory of 724	4328	cmd.exe	99
PID 4328 wrote to memory of 724	4328	cmd.exe	99
PID 4328 wrote to memory of 724	4328	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\2dd47fec1e853f0e24f73b39e0421576.exe
"C:\Users\Admin\AppData\Local\Temp\2dd47fec1e853f0e24f73b39e0421576.exe"
1⤵
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3544
- \??\c:\windows\SysWOW64\cmd.exe
  c:\windows\system32\cmd.exe /c net stop bits&net stop cryptsvc&sc config cryptsvc start= disabled&sc delete cryptsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Windows\SysWOW64\sc.exe
    sc config cryptsvc start= disabled
    3⤵
    - Launches sc.exe
    PID:3724
- - C:\Windows\SysWOW64\sc.exe
    sc delete cryptsvc
    3⤵
    - Launches sc.exe
    PID:724
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 436
  2⤵
  - Program crash
  PID:1168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop cryptsvc
1⤵
PID:2788

C:\Windows\SysWOW64\net.exe
net stop cryptsvc
1⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop bits
1⤵
PID:3652

C:\Windows\SysWOW64\net.exe
net stop bits
1⤵
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3544 -ip 3544
1⤵
PID:4240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\qmgr.dll

Filesize
114KB

MD5
d5bbb493889a65a0697452e3dc7868fb

SHA1
88b3b34a61071aecdb78ee305b9b92a9dc4ceb45

SHA256
c8e065a7d90ed189a25ae2461fb8754357eae570d6b9a343053b71e815dd5259

SHA512
c3f038e69acb0c6717b68d3d688acff7dbe940ee8fa12aec43dc76d3d053128710cb7d39617c6ddaaf65f79cebf638df1df6a1487e43950606af64a7fe961854

Download Submit
C:\Windows\SysWOW64\qmgr.dll

Filesize
92KB

MD5
cb95d6a059f3c2b74f7c1bec9068918c

SHA1
2a6507c5482f853a78aabe0a8856e50024e05c14

SHA256
fb45d836aa5d31c8d2c7a0acb78c1705d5b9f6fa6c96ad079319607c6ca31541

SHA512
228f29232f1e270d592532ab6f99f1130f9ef52928250db52ea48b7de3b2d92dccb72bf0d0d9f9f0bf93224467ff8fa1ab60e6478911bc0f7cd1465973348c0d

Download Submit
memory/3204-9-0x000001B4303B0000-0x000001B4303C0000-memory.dmp

Filesize
64KB

Download
memory/3204-1-0x000001B430240000-0x000001B430250000-memory.dmp

Filesize
64KB

Download
memory/3544-0-0x0000000000400000-0x0000000000420530-memory.dmp

Filesize
129KB

Download
memory/3544-24-0x0000000010000000-0x0000000010022000-memory.dmp

Filesize
136KB

Download
memory/3544-26-0x0000000010000000-0x0000000010022000-memory.dmp

Filesize
136KB

Download
memory/3544-25-0x0000000000400000-0x0000000000420530-memory.dmp

Filesize
129KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads