88dad4e9505af471bf884f15967336c2194ae882d62abe87582cc37453e955a8

General

Target

3a14ba03fcd9de0d13bc25886a404889.exe
Size

36KB
MD5

3a14ba03fcd9de0d13bc25886a404889
SHA1

e7af049047040baf5894326bbf89699ec26c439e
SHA256

88dad4e9505af471bf884f15967336c2194ae882d62abe87582cc37453e955a8
SHA512

f32ceb0d2db669774ef1e1fee3b31b3cbba43dc8d05463ef8715856cf2acbc214bd7a86f60fdd1975984bc9e9dfdbf81d95b6f5c9a7e215b7ae062521cf7cf10
SSDEEP

768:1IMOrAsxTthJ1ytul5UEHYwZJfUahdmy1AePz4G7fr93:1MPthJUtaHYwZ/fz4mf

Score

8^/10

persistence

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	3a14ba03fcd9de0d13bc25886a404889.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Program Files (x86)\\Microsoft Common\\wuauclt.exe"	3a14ba03fcd9de0d13bc25886a404889.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Program Files (x86)\\Microsoft Common\\wuauclt.exe"	3a14ba03fcd9de0d13bc25886a404889.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\compositebus.inf_amd64_7500cffa210c6946\CompositeBus.sys	3a14ba03fcd9de0d13bc25886a404889.exe
File created	C:\Windows\System32\DriverStore\FileRepository\uefi.inf_amd64_c1628ffa62c8e54c\UEFI.sys	3a14ba03fcd9de0d13bc25886a404889.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ufxchipidea.inf_amd64_1c78775fffab6a0a\UfxChipidea.sys	3a14ba03fcd9de0d13bc25886a404889.exe
File created	C:\Windows\System32\DriverStore\FileRepository\urssynopsys.inf_amd64_057fa37902020500\urssynopsys.sys	3a14ba03fcd9de0d13bc25886a404889.exe
File created	C:\Windows\System32\DriverStore\FileRepository\genericusbfn.inf_amd64_53931f0ae21d6d2c\genericusbfn.sys	3a14ba03fcd9de0d13bc25886a404889.exe
File created	C:\Windows\System32\DriverStore\FileRepository\swenum.inf_amd64_16a14542b63c02af\swenum.sys	3a14ba03fcd9de0d13bc25886a404889.exe
File created	C:\Windows\System32\DriverStore\FileRepository\umbus.inf_amd64_b78a9c5b6fd62c27\umbus.sys	3a14ba03fcd9de0d13bc25886a404889.exe
File created	C:\Windows\System32\DriverStore\FileRepository\urschipidea.inf_amd64_78ad1c14e33df968\urschipidea.sys	3a14ba03fcd9de0d13bc25886a404889.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vrd.inf_amd64_81fbd405ff2470fc\vrd.sys	3a14ba03fcd9de0d13bc25886a404889.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2208	2364	WerFault.exe	14
3368	2364	WerFault.exe	14
2452	2364	WerFault.exe	14

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2364	3a14ba03fcd9de0d13bc25886a404889.exe
2364	3a14ba03fcd9de0d13bc25886a404889.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	3a14ba03fcd9de0d13bc25886a404889.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 792	2364	3a14ba03fcd9de0d13bc25886a404889.exe	8
PID 2364 wrote to memory of 824	2364	3a14ba03fcd9de0d13bc25886a404889.exe	58
PID 2364 wrote to memory of 824	2364	3a14ba03fcd9de0d13bc25886a404889.exe	58
PID 2364 wrote to memory of 824	2364	3a14ba03fcd9de0d13bc25886a404889.exe	58

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\3a14ba03fcd9de0d13bc25886a404889.exe
"C:\Users\Admin\AppData\Local\Temp\3a14ba03fcd9de0d13bc25886a404889.exe"
1⤵
- Sets file execution options in registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" %1
  2⤵
  PID:824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 576
  2⤵
  - Program crash
  PID:2208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 484
  2⤵
  - Program crash
  PID:3368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 556
  2⤵
  - Program crash
  PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2364 -ip 2364
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2364 -ip 2364
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2364 -ip 2364
1⤵
PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rdl6A81.tmp

Filesize
6KB

MD5
4269bcbda7827f86dbe389b05dba8bda

SHA1
ecd560dc0da013cdee39778b5adcdb6cbe8685d2

SHA256
ad176598a6f1e3350878b9b2e5af4cb6d5ead9745d12cae5e94a50ea2b3e0321

SHA512
4197bb4a5da76f0a919a737e982512fc3e1b3d52bb19bcbf5e3bba5a31ac429a24370b6c9b33544a098ec7dfbb114b8c9ec783e39017b8e49410aaee141bf1e5

Download Submit
memory/2364-0-0x0000000000410000-0x0000000000429000-memory.dmp

Filesize
100KB

Download
memory/2364-1-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2364-2-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2364-42-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2364-44-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads