ca075adcc5423be5593de955e19ecedba3b99f45887e0412865f137bfd18d555

General

Target

3ea4252e1452dd305860829a8c586080.exe
Size

4.1MB
MD5

3ea4252e1452dd305860829a8c586080
SHA1

2a03733b26030e760f0fbf6a590b0e2ab5c46917
SHA256

ca075adcc5423be5593de955e19ecedba3b99f45887e0412865f137bfd18d555
SHA512

0688edb0f573550303c7772ea08b052006d7d50848fe49c422b66a1d12aa80e6515768fdbec35d420b900ee58688b554bdc364f0334b8bbd153e3755039cc05d
SSDEEP

98304:jTOhsfJwCcJnsgt1vdo08s2JpQpwh4Vlmfxl7K:jShKxcp99dIJpQp7LmW

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2768	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Uses Session Manager for persistence 2 TTPs 3 IoCs

Creates Session Manager registry key to run executable early in system boot.

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000	reg.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000	reg.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Session Manager\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000	reg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows32 = "C:\\windows\\system\\system.exe"	3ea4252e1452dd305860829a8c586080.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\autoconvv.RRI	3ea4252e1452dd305860829a8c586080.exe
File opened for modification	\??\c:\windows\SysWOW64\autoconvv.RRI	3ea4252e1452dd305860829a8c586080.exe
File created	C:\Windows\SysWOW64\reg_0001.txt	3ea4252e1452dd305860829a8c586080.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32AntiDelete	3ea4252e1452dd305860829a8c586080.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2484	sc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
356	3ea4252e1452dd305860829a8c586080.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 356 wrote to memory of 2484	356	3ea4252e1452dd305860829a8c586080.exe	26
PID 356 wrote to memory of 2484	356	3ea4252e1452dd305860829a8c586080.exe	26
PID 356 wrote to memory of 2484	356	3ea4252e1452dd305860829a8c586080.exe	26
PID 356 wrote to memory of 2484	356	3ea4252e1452dd305860829a8c586080.exe	26
PID 356 wrote to memory of 2660	356	3ea4252e1452dd305860829a8c586080.exe	25
PID 356 wrote to memory of 2660	356	3ea4252e1452dd305860829a8c586080.exe	25
PID 356 wrote to memory of 2660	356	3ea4252e1452dd305860829a8c586080.exe	25
PID 356 wrote to memory of 2660	356	3ea4252e1452dd305860829a8c586080.exe	25
PID 356 wrote to memory of 2744	356	3ea4252e1452dd305860829a8c586080.exe	23
PID 356 wrote to memory of 2744	356	3ea4252e1452dd305860829a8c586080.exe	23
PID 356 wrote to memory of 2744	356	3ea4252e1452dd305860829a8c586080.exe	23
PID 356 wrote to memory of 2744	356	3ea4252e1452dd305860829a8c586080.exe	23
PID 356 wrote to memory of 2764	356	3ea4252e1452dd305860829a8c586080.exe	21
PID 356 wrote to memory of 2764	356	3ea4252e1452dd305860829a8c586080.exe	21
PID 356 wrote to memory of 2764	356	3ea4252e1452dd305860829a8c586080.exe	21
PID 356 wrote to memory of 2764	356	3ea4252e1452dd305860829a8c586080.exe	21
PID 356 wrote to memory of 2768	356	3ea4252e1452dd305860829a8c586080.exe	17
PID 356 wrote to memory of 2768	356	3ea4252e1452dd305860829a8c586080.exe	17
PID 356 wrote to memory of 2768	356	3ea4252e1452dd305860829a8c586080.exe	17
PID 356 wrote to memory of 2768	356	3ea4252e1452dd305860829a8c586080.exe	17

C:\Users\Admin\AppData\Local\Temp\3ea4252e1452dd305860829a8c586080.exe
"C:\Users\Admin\AppData\Local\Temp\3ea4252e1452dd305860829a8c586080.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:356
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\windows\system\system.exe RPCCC
  2⤵
  - Modifies Windows Firewall
  PID:2768
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session manager" /v BootExecute /t REG_MULTI_SZ /d "autocheck autochk *" /f
  2⤵
  - Uses Session Manager for persistence
  PID:2764
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\SYSTEM\ControlSet002\Control\Session manager" /v BootExecute /t REG_MULTI_SZ /d "autocheck autochk *" /f
  2⤵
  - Uses Session Manager for persistence
  PID:2744
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\SYSTEM\ControlSet001\Control\Session manager" /v BootExecute /t REG_MULTI_SZ /d "autocheck autochk *" /f
  2⤵
  - Uses Session Manager for persistence
  PID:2660
- C:\Windows\SysWOW64\sc.exe
  sc delete GbpSv
  2⤵
  - Launches sc.exe
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/356-2-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/356-9-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/356-8-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/356-15-0x0000000074C50000-0x0000000074CA8000-memory.dmp

Filesize
352KB

Download
memory/356-18-0x0000000074C80000-0x0000000074C87000-memory.dmp

Filesize
28KB

Download
memory/356-17-0x0000000076120000-0x0000000076126000-memory.dmp

Filesize
24KB

Download
memory/356-16-0x0000000074C00000-0x0000000074C4F000-memory.dmp

Filesize
316KB

Download
memory/356-14-0x0000000075340000-0x000000007534C000-memory.dmp

Filesize
48KB

Download
memory/356-13-0x0000000077010000-0x0000000077100000-memory.dmp

Filesize
960KB

Download
memory/356-12-0x0000000077100000-0x000000007710A000-memory.dmp

Filesize
40KB

Download
memory/356-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/356-10-0x0000000075260000-0x0000000075269000-memory.dmp

Filesize
36KB

Download
memory/356-7-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/356-6-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/356-5-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/356-4-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/356-3-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/356-1-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/356-0-0x0000000000400000-0x00000000008F3000-memory.dmp

Filesize
4.9MB

Download
memory/356-19-0x0000000000400000-0x00000000008F3000-memory.dmp

Filesize
4.9MB

Download
memory/356-20-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/356-22-0x0000000077100000-0x000000007710A000-memory.dmp

Filesize
40KB

Download
memory/356-21-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/356-23-0x0000000000400000-0x00000000008F3000-memory.dmp

Filesize
4.9MB

Download
memory/356-24-0x0000000000400000-0x00000000008F3000-memory.dmp

Filesize
4.9MB

Download
memory/356-25-0x0000000000400000-0x00000000008F3000-memory.dmp

Filesize
4.9MB

Download
memory/356-26-0x0000000000400000-0x00000000008F3000-memory.dmp

Filesize
4.9MB

Download
memory/356-27-0x0000000000400000-0x00000000008F3000-memory.dmp

Filesize
4.9MB

Download
memory/356-28-0x0000000000400000-0x00000000008F3000-memory.dmp

Filesize
4.9MB

Download
memory/356-29-0x0000000000400000-0x00000000008F3000-memory.dmp

Filesize
4.9MB

Download
memory/356-31-0x0000000000400000-0x00000000008F3000-memory.dmp

Filesize
4.9MB

Download
memory/356-32-0x0000000000400000-0x00000000008F3000-memory.dmp

Filesize
4.9MB

Download
memory/356-34-0x0000000000400000-0x00000000008F3000-memory.dmp

Filesize
4.9MB

Download
memory/356-35-0x0000000000400000-0x00000000008F3000-memory.dmp

Filesize
4.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads