8da89f21bbe42dc665f8a5d847dd5c17bf4d3a7e2f926a0f358cb110918b5605

General

Target

45859de656995230ddc7381ec70864d2.exe
Size

26KB
MD5

45859de656995230ddc7381ec70864d2
SHA1

904e9f93f09f8f0d6b065df8c504af46f32ab794
SHA256

8da89f21bbe42dc665f8a5d847dd5c17bf4d3a7e2f926a0f358cb110918b5605
SHA512

429a61933aa5b3e18f7006e2e8a859ad529712cfe4dd891a6d9a8fb08776a00c2d731a2d1aa03161bd5ab73dabbfddbeeed570896aa708ba30d52d5081fc2550
SSDEEP

384:pjjZfqKUCFIbqvpHobrGCcchbt0XhP0ft4Or/JuBxZ3q//flNKp4qPHauu:pftH8bqvMi1chbt0Xhcft4Kh0CHCPHe

Score

8^/10

persistence

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	45859de656995230ddc7381ec70864d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Program Files (x86)\\Microsoft Common\\svchost.exe"	45859de656995230ddc7381ec70864d2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Program Files (x86)\\Microsoft Common\\svchost.exe"	45859de656995230ddc7381ec70864d2.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\genericusbfn.inf_amd64_53931f0ae21d6d2c\genericusbfn.sys	45859de656995230ddc7381ec70864d2.exe
File created	C:\Windows\System32\DriverStore\FileRepository\urschipidea.inf_amd64_78ad1c14e33df968\urschipidea.sys	45859de656995230ddc7381ec70864d2.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vrd.inf_amd64_81fbd405ff2470fc\vrd.sys	45859de656995230ddc7381ec70864d2.exe
File created	C:\Windows\System32\DriverStore\FileRepository\compositebus.inf_amd64_7500cffa210c6946\CompositeBus.sys	45859de656995230ddc7381ec70864d2.exe
File created	C:\Windows\System32\DriverStore\FileRepository\swenum.inf_amd64_16a14542b63c02af\swenum.sys	45859de656995230ddc7381ec70864d2.exe
File created	C:\Windows\System32\DriverStore\FileRepository\uefi.inf_amd64_c1628ffa62c8e54c\UEFI.sys	45859de656995230ddc7381ec70864d2.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ufxchipidea.inf_amd64_1c78775fffab6a0a\UfxChipidea.sys	45859de656995230ddc7381ec70864d2.exe
File created	C:\Windows\System32\DriverStore\FileRepository\umbus.inf_amd64_b78a9c5b6fd62c27\umbus.sys	45859de656995230ddc7381ec70864d2.exe
File created	C:\Windows\System32\DriverStore\FileRepository\urssynopsys.inf_amd64_057fa37902020500\urssynopsys.sys	45859de656995230ddc7381ec70864d2.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4908	45859de656995230ddc7381ec70864d2.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Common\svchost.exe	45859de656995230ddc7381ec70864d2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4908	45859de656995230ddc7381ec70864d2.exe
4908	45859de656995230ddc7381ec70864d2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4908	45859de656995230ddc7381ec70864d2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 796	4908	45859de656995230ddc7381ec70864d2.exe	89
PID 4908 wrote to memory of 3944	4908	45859de656995230ddc7381ec70864d2.exe	91
PID 4908 wrote to memory of 3944	4908	45859de656995230ddc7381ec70864d2.exe	91
PID 4908 wrote to memory of 3944	4908	45859de656995230ddc7381ec70864d2.exe	91

C:\Users\Admin\AppData\Local\Temp\45859de656995230ddc7381ec70864d2.exe
"C:\Users\Admin\AppData\Local\Temp\45859de656995230ddc7381ec70864d2.exe"
1⤵
- Sets file execution options in registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" %1
  2⤵
  PID:3944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rdlBD64.tmp

Filesize
6KB

MD5
7df440c6360a99ceddab532ecef57b74

SHA1
9800ed200b3b48d93e859c9f830ee36e9125951a

SHA256
e8ecda9973e8853a15de08fe1e04d287ff316ffac5513b65f45a95681d914061

SHA512
8286052f3a9a7b048dfced8975c36d573f36647ba9c6c3689ef3c8b52ce47ca7ef67b3a5b7c1d8d684146ad23efab4923c4c8f4f90719c1aa2ea210985f53e5c

Download Submit
memory/4908-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4908-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4908-1-0x0000000000620000-0x0000000000626000-memory.dmp

Filesize
24KB

Download
memory/4908-4-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4908-5-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4908-19-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4908-47-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4908-48-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4908-49-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads