5ff755dd230831c715301dd58ab12ba387d24bfc3e4b992576540fe27b7d1740

General

Target

463a8a60f35a3ae92b999f066a5faf61.exe
Size

38KB
MD5

463a8a60f35a3ae92b999f066a5faf61
SHA1

cb8bf11402b1f54b4a536ec8582dd82480563432
SHA256

5ff755dd230831c715301dd58ab12ba387d24bfc3e4b992576540fe27b7d1740
SHA512

8017415bad875987cd5a2f2747bdccf489f03b18a259518268491acf057de6babdafbc12f198b02f44fd05ee0c0c318a34c3d5c7962f129dd6c3d0f2f7a7e354
SSDEEP

768:OX2Up00Eya6faWD2U+cZBYPNt5y6r3saUBm4NpVs7NQX8EZAfbxm:ep00Ep6fGyBYFzy6r3KpVcC8t

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

pid	Process
2124	cmd.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	463a8a60f35a3ae92b999f066a5faf61.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	463a8a60f35a3ae92b999f066a5faf61.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\$dpx$.tmp	wusa.exe
File created	C:\Windows\$dpx$.tmp\4c674ebea6068640b93b2e0257514dab.tmp	wusa.exe
File opened for modification	C:\Windows\linkinfo.dll	wusa.exe
File opened for modification	C:\Windows\$dpx$.tmp\job.xml	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2720	taskkill.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2656	explorer.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	taskkill.exe
Token: SeShutdownPrivilege	2656	explorer.exe
Token: SeShutdownPrivilege	2656	explorer.exe
Token: SeShutdownPrivilege	2656	explorer.exe
Token: SeShutdownPrivilege	2656	explorer.exe
Token: SeShutdownPrivilege	2656	explorer.exe
Token: SeShutdownPrivilege	2656	explorer.exe
Token: SeShutdownPrivilege	2656	explorer.exe
Token: SeShutdownPrivilege	2656	explorer.exe
Token: SeShutdownPrivilege	2656	explorer.exe
Token: SeShutdownPrivilege	2656	explorer.exe
Token: SeShutdownPrivilege	2656	explorer.exe
Token: SeShutdownPrivilege	2656	explorer.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe
2656	explorer.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 1168	2188	463a8a60f35a3ae92b999f066a5faf61.exe	28
PID 2188 wrote to memory of 1168	2188	463a8a60f35a3ae92b999f066a5faf61.exe	28
PID 2188 wrote to memory of 1168	2188	463a8a60f35a3ae92b999f066a5faf61.exe	28
PID 2188 wrote to memory of 1168	2188	463a8a60f35a3ae92b999f066a5faf61.exe	28
PID 2188 wrote to memory of 2740	2188	463a8a60f35a3ae92b999f066a5faf61.exe	30
PID 2188 wrote to memory of 2740	2188	463a8a60f35a3ae92b999f066a5faf61.exe	30
PID 2188 wrote to memory of 2740	2188	463a8a60f35a3ae92b999f066a5faf61.exe	30
PID 2188 wrote to memory of 2740	2188	463a8a60f35a3ae92b999f066a5faf61.exe	30
PID 2188 wrote to memory of 2740	2188	463a8a60f35a3ae92b999f066a5faf61.exe	30
PID 2188 wrote to memory of 2740	2188	463a8a60f35a3ae92b999f066a5faf61.exe	30
PID 2188 wrote to memory of 2740	2188	463a8a60f35a3ae92b999f066a5faf61.exe	30
PID 2188 wrote to memory of 2720	2188	463a8a60f35a3ae92b999f066a5faf61.exe	31
PID 2188 wrote to memory of 2720	2188	463a8a60f35a3ae92b999f066a5faf61.exe	31
PID 2188 wrote to memory of 2720	2188	463a8a60f35a3ae92b999f066a5faf61.exe	31
PID 2188 wrote to memory of 2720	2188	463a8a60f35a3ae92b999f066a5faf61.exe	31
PID 2188 wrote to memory of 2656	2188	463a8a60f35a3ae92b999f066a5faf61.exe	34
PID 2188 wrote to memory of 2656	2188	463a8a60f35a3ae92b999f066a5faf61.exe	34
PID 2188 wrote to memory of 2656	2188	463a8a60f35a3ae92b999f066a5faf61.exe	34
PID 2188 wrote to memory of 2656	2188	463a8a60f35a3ae92b999f066a5faf61.exe	34
PID 2188 wrote to memory of 2124	2188	463a8a60f35a3ae92b999f066a5faf61.exe	36
PID 2188 wrote to memory of 2124	2188	463a8a60f35a3ae92b999f066a5faf61.exe	36
PID 2188 wrote to memory of 2124	2188	463a8a60f35a3ae92b999f066a5faf61.exe	36
PID 2188 wrote to memory of 2124	2188	463a8a60f35a3ae92b999f066a5faf61.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\463a8a60f35a3ae92b999f066a5faf61.exe
"C:\Users\Admin\AppData\Local\Temp\463a8a60f35a3ae92b999f066a5faf61.exe"
1⤵
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\makecab.exe
  "C:\Windows\System32\makecab.exe" C:\Users\Admin\AppData\Local\Temp\linkinfo.dll C:\Users\Admin\AppData\Local\Temp\98E5.tmp.cab
  2⤵
  PID:1168
- C:\Windows\SysWOW64\wusa.exe
  "C:\Windows\system32\wusa.exe" /quiet C:\Users\Admin\AppData\Local\Temp\98E5.tmp.cab /extract:C:\Windows\
  2⤵
  - Drops file in Windows directory
  PID:2740
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\A0A4.tmp.bat
  2⤵
  - Deletes itself
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A0A4.tmp.bat

Filesize
236B

MD5
cd852f7d9c65639392b1263a5eebff2c

SHA1
ea65163ac438b99d20b715e7b1a04e1388a259d3

SHA256
91f541d51f42368685b6ffccee0cbb5be0bf8fa1303449d240526ffb77948195

SHA512
9ce4b005c2ca984e7e7a0a21af7614e21c3e5f38441e2eca8f75aa22b86cf2563d981b7e5f747655239dda38212138a883a1524d22610af2b6b99c37ea0a28ce

Download Submit
C:\Windows\LINKINFO.dll

Filesize
24KB

MD5
e2a7d8d7b1643a055fc769b40ede3dfe

SHA1
2c33f68f45bae3639feb2103df4a3c8cfaa330f3

SHA256
e24b1a9eba2320df5919cf11aacc5bc7c0b353f47fe0e9172f3617cee52933c9

SHA512
6944f9d65b457c45f825375825e424d6e667dfcf352c1fdf2f192f4752f9ef3179c0dd3b639925e59e85e80bc379f238a5941b9fb460ab42ed7379e710afa44a

Download Submit
memory/2188-1-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2188-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2188-27-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2656-30-0x0000000003F80000-0x0000000003F81000-memory.dmp

Filesize
4KB

Download
memory/2656-31-0x0000000003F80000-0x0000000003F81000-memory.dmp

Filesize
4KB

Download
memory/2656-35-0x0000000002550000-0x0000000002560000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads