60d6feb199655e718bf555a66fc0d6f6e90aa4737d99dff87ed14af7582510e1

General

Target

467b94897c9c9e08b4a45bb5592dd1ba.exe
Size

269KB
MD5

467b94897c9c9e08b4a45bb5592dd1ba
SHA1

ab547a89f86ff41fa25bc56be80c2b55c96149a6
SHA256

60d6feb199655e718bf555a66fc0d6f6e90aa4737d99dff87ed14af7582510e1
SHA512

f6a9554cf3dea4c57d53702d2fc18b4f0b114053566f2f1cb36951fd80069b02587ccf863221855a4580c03cf5dc3f7d700a53313205f622dba13758441154cd
SSDEEP

6144:IvzhLdjyLIykyd7u2w405nWHOfNW3aJISl7Scsy:Wdjy6ydHunWugq9l7L

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
2708	cli.exe

Loads dropped DLL 2 IoCs

pid	Process
2152	467b94897c9c9e08b4a45bb5592dd1ba.exe
2152	467b94897c9c9e08b4a45bb5592dd1ba.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2152	467b94897c9c9e08b4a45bb5592dd1ba.exe
2152	467b94897c9c9e08b4a45bb5592dd1ba.exe
2152	467b94897c9c9e08b4a45bb5592dd1ba.exe
2152	467b94897c9c9e08b4a45bb5592dd1ba.exe
2152	467b94897c9c9e08b4a45bb5592dd1ba.exe
2152	467b94897c9c9e08b4a45bb5592dd1ba.exe
2152	467b94897c9c9e08b4a45bb5592dd1ba.exe
2152	467b94897c9c9e08b4a45bb5592dd1ba.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2788	explorer.exe
Token: SeShutdownPrivilege	2788	explorer.exe
Token: SeShutdownPrivilege	2788	explorer.exe
Token: SeShutdownPrivilege	2788	explorer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2708	2152	467b94897c9c9e08b4a45bb5592dd1ba.exe	30
PID 2152 wrote to memory of 2708	2152	467b94897c9c9e08b4a45bb5592dd1ba.exe	30
PID 2152 wrote to memory of 2708	2152	467b94897c9c9e08b4a45bb5592dd1ba.exe	30
PID 2152 wrote to memory of 2708	2152	467b94897c9c9e08b4a45bb5592dd1ba.exe	30

C:\Users\Admin\AppData\Local\Temp\467b94897c9c9e08b4a45bb5592dd1ba.exe
"C:\Users\Admin\AppData\Local\Temp\467b94897c9c9e08b4a45bb5592dd1ba.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\cli.exe
  "C:\Users\Admin\AppData\Local\cli.exe" -gav C:\Users\Admin\AppData\Local\Temp\467b94897c9c9e08b4a45bb5592dd1ba.exe
  2⤵
  - Executes dropped EXE
  PID:2708

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\cli.exe

Filesize
3KB

MD5
d7016bb0177ca46221f76603a39a9b7d

SHA1
8359de1ed67af8e3c242f39166f2977a68022477

SHA256
df155645e72c05f73554076d5f24b95c3d912d453bfa358cb4e85906ac76adfe

SHA512
ac0f5d83f07efb7466420e24af71017a119d11673bb56e22064fd75a6d7a626e5881a062a8f2c7a47184cadaff77aba955265b7bc8815640c9a3511fe3325d75

Download Submit
C:\Users\Admin\AppData\Local\cli.exe

Filesize
34KB

MD5
d9e6ddb4e5d5006fb4d0b99227411319

SHA1
3477f0425fc8ee85cdc0207fcf30392a6e674a51

SHA256
b4b20193639a8083dcce509a6d563c5f7f79b322ebd32ee1d86c300cfb84db48

SHA512
f57161db30e26b6621e2c5406c2247c3fedc7535cadda6c17855a47042c0270100262878559381b63032b532af1a8a14cc6670de4a1d0efad153ecaad8e73f0d

Download Submit
\Users\Admin\AppData\Local\cli.exe

Filesize
34KB

MD5
84cc28504a36a170fa64aa9c872d5e1c

SHA1
6cff343d24c8b8822cf88d59aa0da13611863a09

SHA256
7860279ca6b473cce6f4554ea81d72a1f8401edbb3e27a4bb5642973ae5397f4

SHA512
1d6220a066246005689867d5bd6d1cd3a087fb9a340537b9b3868f40aca3afff6a65699b809bbf336d6275781aee941c73028f0f0d211f40ae7afb1fe8f131f7

Download Submit
\Users\Admin\AppData\Local\cli.exe

Filesize
92KB

MD5
e9401fe05e61274d4078ee690f284525

SHA1
b8797a667c618b965bfb635dfa6c49d972bb3527

SHA256
5945d5236880ae56b9c24d1c0f1d047046403692f050c95a508a650a92452520

SHA512
a9f8720d66ca607052e9c45772fa1c1de802fdeaed5493de9d7c8073acccec1b6dd3713a2c18442ba07efde4e6a7638078bc333e2b4c47159c3aab414ccb2d5d

Download Submit
memory/2152-1-0x0000000001E00000-0x000000000220E000-memory.dmp

Filesize
4.1MB

Download
memory/2152-0-0x0000000000400000-0x0000000000462F10-memory.dmp

Filesize
395KB

Download
memory/2152-12-0x0000000000400000-0x0000000000462F10-memory.dmp

Filesize
395KB

Download
memory/2152-3-0x0000000001C10000-0x0000000001D2D000-memory.dmp

Filesize
1.1MB

Download
memory/2152-2-0x0000000000400000-0x0000000000462F10-memory.dmp

Filesize
395KB

Download
memory/2708-14-0x0000000000400000-0x0000000000462F10-memory.dmp

Filesize
395KB

Download
memory/2708-13-0x0000000000400000-0x0000000000462F10-memory.dmp

Filesize
395KB

Download
memory/2708-16-0x0000000000400000-0x0000000000462F10-memory.dmp

Filesize
395KB

Download
memory/2708-17-0x0000000001EF0000-0x00000000022FE000-memory.dmp

Filesize
4.1MB

Download
memory/2788-15-0x0000000003E00000-0x0000000003E01000-memory.dmp

Filesize
4KB

Download
memory/2788-19-0x0000000003E00000-0x0000000003E01000-memory.dmp

Filesize
4KB

Download
memory/2788-33-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads