02cb9884a407d379900639c4ab4354d91236ffcfcbc880674c04e722ea9c8156

General

Target

00124cbff180e0640081873205a66a24.exe
Size

11KB
MD5

00124cbff180e0640081873205a66a24
SHA1

3d8eb8e4c0a2ced0455896a26f4c900d8d240e5b
SHA256

02cb9884a407d379900639c4ab4354d91236ffcfcbc880674c04e722ea9c8156
SHA512

2f4d34bcbdf85973ae6d55a7e98cefb60be7f027d46b9710407273a0a411003826367e488d3b582afc0973fb86ab96d1fa9a925a14fc265d4d5276d704480a19
SSDEEP

192:GqkEe+6fMrf+X8OKfBzmDNevAihpAwIBsE2L4f3KoTdy68+QWqT:GzEQMrlQDNNi2+fL6Ko46KT

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2112	netsh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\system32\\kernelwind32.exe"	00124cbff180e0640081873205a66a24.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\vx.tll	00124cbff180e0640081873205a66a24.exe
File opened for modification	C:\Windows\SysWOW64\kernelwind32.exe	00124cbff180e0640081873205a66a24.exe
File created	C:\Windows\SysWOW64\dllh8jkd1q2.exe	00124cbff180e0640081873205a66a24.exe
File created	C:\Windows\SysWOW64\dllh8jkd1q6.exe	00124cbff180e0640081873205a66a24.exe
File created	C:\Windows\SysWOW64\dllh8jkd1q7.exe	00124cbff180e0640081873205a66a24.exe
File created	C:\Windows\SysWOW64\kernelwind32.exe	00124cbff180e0640081873205a66a24.exe
File opened for modification	C:\Windows\SysWOW64\dllh8jkd1q8.exe	00124cbff180e0640081873205a66a24.exe
File created	C:\Windows\SysWOW64\dllh8jkd1q1.exe	00124cbff180e0640081873205a66a24.exe
File created	C:\Windows\SysWOW64\dllh8jkd1q5.exe	00124cbff180e0640081873205a66a24.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4392	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 2112	5116	00124cbff180e0640081873205a66a24.exe	17
PID 5116 wrote to memory of 2112	5116	00124cbff180e0640081873205a66a24.exe	17
PID 5116 wrote to memory of 2112	5116	00124cbff180e0640081873205a66a24.exe	17

C:\Windows\SysWOW64\netsh.exe
netsh firewall set allowedprogram 'C:\Users\Admin\AppData\Local\Temp\00124cbff180e0640081873205a66a24.exe' enable
1⤵
- Modifies Windows Firewall
PID:2112

C:\Users\Admin\AppData\Local\Temp\00124cbff180e0640081873205a66a24.exe
"C:\Users\Admin\AppData\Local\Temp\00124cbff180e0640081873205a66a24.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
10c4bb42104da999d868b8d23af217ea

SHA1
ce824d69ddfbe4b6cd67523762e66bd349d58563

SHA256
a1f5688cc8172568b735b76f43da12fb4648b532d15aef476d4c904f17540a74

SHA512
a9809609a99a7feeb19766f5d7713105273aafd0b265b512947ab9390c82868948d4d8858e4053a015549f47d9179dfbd23e03d27e0ec1ff1d17597e6f16890a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.dllb

Filesize
47KB

MD5
693273f876d2ac5db86316988d7fa4c5

SHA1
803f62dd9420893e23779175b48f0f2fedc866e7

SHA256
cb637754679bcb40f6044fc2b355b6e66d2d420b6e668f5bdf20a4e66b16ab1a

SHA512
7edd7d2186d8777623602c889f376343c5b5d5b887654db7f615e353e28aa0a5dbff3d3bf5e845afd4cc6138ea9ba57a9e9657832d5166dad2417c4544afb77f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.dllb

Filesize
47KB

MD5
f80f172247fb8b0d1363c70dcc25319c

SHA1
0812092fd435554d7c78579bf3f71524076998c2

SHA256
f2edc3e053f1218b6e20cfd113436c0aa1366d5e9091f17f9beb58c7b85de91f

SHA512
5387d44c640c5ac3e4cf9c2670f6e8e404ce22e178a88436358c1b8551133e78b5456c719da21aad3e242b7da3e904ba1e683e48566d7238aab4a761fc366521

Download Submit
memory/4392-89-0x000002903F870000-0x000002903F871000-memory.dmp

Filesize
4KB

Download
memory/4392-91-0x000002903F870000-0x000002903F871000-memory.dmp

Filesize
4KB

Download
memory/4392-119-0x000002903F6E0000-0x000002903F6E1000-memory.dmp

Filesize
4KB

Download
memory/4392-51-0x0000029037150000-0x0000029037160000-memory.dmp

Filesize
64KB

Download
memory/4392-67-0x0000029037250000-0x0000029037260000-memory.dmp

Filesize
64KB

Download
memory/4392-83-0x000002903F840000-0x000002903F841000-memory.dmp

Filesize
4KB

Download
memory/4392-84-0x000002903F870000-0x000002903F871000-memory.dmp

Filesize
4KB

Download
memory/4392-85-0x000002903F870000-0x000002903F871000-memory.dmp

Filesize
4KB

Download
memory/4392-86-0x000002903F870000-0x000002903F871000-memory.dmp

Filesize
4KB

Download
memory/4392-87-0x000002903F870000-0x000002903F871000-memory.dmp

Filesize
4KB

Download
memory/4392-88-0x000002903F870000-0x000002903F871000-memory.dmp

Filesize
4KB

Download
memory/4392-118-0x000002903F5D0000-0x000002903F5D1000-memory.dmp

Filesize
4KB

Download
memory/4392-90-0x000002903F870000-0x000002903F871000-memory.dmp

Filesize
4KB

Download
memory/4392-117-0x000002903F5D0000-0x000002903F5D1000-memory.dmp

Filesize
4KB

Download
memory/4392-92-0x000002903F870000-0x000002903F871000-memory.dmp

Filesize
4KB

Download
memory/4392-93-0x000002903F870000-0x000002903F871000-memory.dmp

Filesize
4KB

Download
memory/4392-94-0x000002903F490000-0x000002903F491000-memory.dmp

Filesize
4KB

Download
memory/4392-95-0x000002903F480000-0x000002903F481000-memory.dmp

Filesize
4KB

Download
memory/4392-97-0x000002903F490000-0x000002903F491000-memory.dmp

Filesize
4KB

Download
memory/4392-100-0x000002903F480000-0x000002903F481000-memory.dmp

Filesize
4KB

Download
memory/4392-103-0x000002903F3C0000-0x000002903F3C1000-memory.dmp

Filesize
4KB

Download
memory/4392-115-0x000002903F5C0000-0x000002903F5C1000-memory.dmp

Filesize
4KB

Download
memory/5116-1-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5116-7-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5116-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5116-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads