e44253c39391bb28f346dd98d874e4587a34ecec25cc920ddcf60751cd1bfdc4

General

Target

11832aaaea01ab2ab4f4bbef2792335a.exe
Size

4.5MB
MD5

11832aaaea01ab2ab4f4bbef2792335a
SHA1

b086b6796613307e4fc109f224eb9f3550e0d3b4
SHA256

e44253c39391bb28f346dd98d874e4587a34ecec25cc920ddcf60751cd1bfdc4
SHA512

76c967665ccf20bcdeda6ffab8e0f29929605c3b9e80bb24f9c25f38f3c1674932e65afba486499aac2bce8cb871bfa8a6cd56ee9e78887ac8cd113a39d50286
SSDEEP

98304:5MGf2jqPwejTT9k7lw3lgIJm1PBMckd00ZTz+LX2yC0DX:Ff2jqBTG7lw36r1PSna0ZiXD7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2176	_9C1.tmpac7d.exe

Loads dropped DLL 7 IoCs

pid	Process
2172	11832aaaea01ab2ab4f4bbef2792335a.exe
2172	11832aaaea01ab2ab4f4bbef2792335a.exe
2172	11832aaaea01ab2ab4f4bbef2792335a.exe
2172	11832aaaea01ab2ab4f4bbef2792335a.exe
2172	11832aaaea01ab2ab4f4bbef2792335a.exe
2172	11832aaaea01ab2ab4f4bbef2792335a.exe
2172	11832aaaea01ab2ab4f4bbef2792335a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiVirus_AntiSpyware_2011 = "\"C:\\Users\\Admin\\AppData\\Roaming\\AntiVirus_AntiSpyware_2011\\AntiVirus AntiSpyware.exe\" /STARTUP"	11832aaaea01ab2ab4f4bbef2792335a.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	11832aaaea01ab2ab4f4bbef2792335a.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2172	11832aaaea01ab2ab4f4bbef2792335a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2176	2172	11832aaaea01ab2ab4f4bbef2792335a.exe	29
PID 2172 wrote to memory of 2176	2172	11832aaaea01ab2ab4f4bbef2792335a.exe	29
PID 2172 wrote to memory of 2176	2172	11832aaaea01ab2ab4f4bbef2792335a.exe	29
PID 2172 wrote to memory of 2176	2172	11832aaaea01ab2ab4f4bbef2792335a.exe	29

C:\Users\Admin\AppData\Local\Temp\11832aaaea01ab2ab4f4bbef2792335a.exe
"C:\Users\Admin\AppData\Local\Temp\11832aaaea01ab2ab4f4bbef2792335a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\_9C1.tmpac7d.exe
  "C:\Users\Admin\AppData\Local\Temp\_9C1.tmpac7d.exe" -p"09:16 AM" -y -o"C:\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011"
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C dir "C:\Users\Admin\AppData\Roaming"
  2⤵
  PID:1428
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C dir "C:\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011"
  2⤵
  PID:780
- C:\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011\securitymanager.exe
  "C:\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011\securitymanager.exe"
  2⤵
  PID:2108
- C:\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011\AntiVirus AntiSpyware.exe
  "C:\Users\Admin\AppData\Roaming\AntiVirus_AntiSpyware_2011\AntiVirus AntiSpyware.exe"
  2⤵
  PID:2220

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x568
1⤵
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_9C1.tmpac7d.exe

Filesize
381KB

MD5
c6fa28f482191fdfb789b76c80dad192

SHA1
1cb2f2d29b33d2de63e1bf556a84259ff5c523a0

SHA256
ad479a95bd53730a95c73b0c3f6fb764ef11c33f92fc07c115aabd6aa742185c

SHA512
641ab7dddd60f2e6ef964f1cff5cd7662fa0808d104edc9a243cbf8b00414697b722acf78ac4a1e028b157939ee76158508761783ae64e63d33015803c45dd03

Download Submit
C:\Users\Admin\AppData\Local\Temp\_9C1.tmpac7d.exe

Filesize
92KB

MD5
745963f4b5cdff8d0da26481fdf63518

SHA1
3744c5cb2d38c171300e2251bf80e2e9e5588198

SHA256
10ca892cbe8a11b7a64317941b1bc9ab3c63dd9dfc4c24efdb9e3b447f624291

SHA512
e13d5d37a2a17352e06108367e81ddcbd15f7bfd99248ee36d9dfcda0bc67c244871ac9902a951dbfb7c8dac52efaaf8a91491927c083b52e59953f6198d9f46

Download Submit
memory/2108-68-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2108-77-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2108-76-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2108-70-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2108-72-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2108-69-0x0000000000020000-0x0000000000030000-memory.dmp

Filesize
64KB

Download
memory/2172-39-0x0000000002990000-0x00000000029A0000-memory.dmp

Filesize
64KB

Download
memory/2172-37-0x0000000002990000-0x00000000029A0000-memory.dmp

Filesize
64KB

Download
memory/2172-44-0x0000000000400000-0x0000000000C35000-memory.dmp

Filesize
8.2MB

Download
memory/2172-45-0x0000000000C40000-0x000000000109F000-memory.dmp

Filesize
4.4MB

Download
memory/2172-46-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2172-64-0x0000000005130000-0x00000000068DC000-memory.dmp

Filesize
23.7MB

Download
memory/2172-66-0x0000000001120000-0x0000000001155000-memory.dmp

Filesize
212KB

Download
memory/2172-2-0x0000000000C40000-0x000000000109F000-memory.dmp

Filesize
4.4MB

Download
memory/2172-38-0x0000000002990000-0x00000000029A0000-memory.dmp

Filesize
64KB

Download
memory/2172-0-0x0000000000400000-0x0000000000C35000-memory.dmp

Filesize
8.2MB

Download
memory/2172-3-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2172-31-0x0000000002990000-0x00000000029A0000-memory.dmp

Filesize
64KB

Download
memory/2172-74-0x0000000000400000-0x0000000000C35000-memory.dmp

Filesize
8.2MB

Download
memory/2172-4-0x0000000000400000-0x0000000000C35000-memory.dmp

Filesize
8.2MB

Download
memory/2220-73-0x0000000000400000-0x0000000001BAC000-memory.dmp

Filesize
23.7MB

Download
memory/2220-71-0x0000000001E30000-0x00000000020FB000-memory.dmp

Filesize
2.8MB

Download
memory/2220-75-0x0000000000400000-0x0000000001BAC000-memory.dmp

Filesize
23.7MB

Download
memory/2220-67-0x0000000000400000-0x0000000001BAC000-memory.dmp

Filesize
23.7MB

Download
memory/2220-78-0x0000000001E30000-0x00000000020FB000-memory.dmp

Filesize
2.8MB

Download
memory/2220-80-0x0000000000400000-0x0000000001BAC000-memory.dmp

Filesize
23.7MB

Download
memory/2220-82-0x0000000000400000-0x0000000001BAC000-memory.dmp

Filesize
23.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads