ad0a8a3618651472def7cc38d504df41e80ffc846f46fa335340cdd4484d73ef

General

Target

4b72ceffb22961df25fe29ef382135c1.exe
Size

139KB
MD5

4b72ceffb22961df25fe29ef382135c1
SHA1

d4427e586c86ad5ac354226dc9214bfe281901d5
SHA256

ad0a8a3618651472def7cc38d504df41e80ffc846f46fa335340cdd4484d73ef
SHA512

d76879fa4d2b4ede8a1a397b047a4e776e8c9b05320f2b3fa9fe4b0db940f0f62a06c8c87a09aa473e8ab8e217ed8b00eec513a2022fc0070291098f0f01daa1
SSDEEP

3072:PnrngFXURgNRurhgZ3NNCbIpNmyuZ0te4aY/GC9bETB5Ldt2193/w:PrgFXUfkY6sH/4aTT2193o

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

4188 netsh.exe

pid	process
4188	netsh.exe

Drops startup file 4 IoCs

Processes:

4b72ceffb22961df25fe29ef382135c1.exedfedfb.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bstur.exe	4b72ceffb22961df25fe29ef382135c1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bstur.exe	4b72ceffb22961df25fe29ef382135c1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bstur.exe	dfedfb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bstur.exe	dfedfb.exe

Executes dropped EXE 2 IoCs

Processes:

dfedfb.exedfedfb.exe

pid process

1280 dfedfb.exe
420 dfedfb.exe

pid	process
1280	dfedfb.exe
420	dfedfb.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dfedfb.exe4b72ceffb22961df25fe29ef382135c1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eqsmwrhn = "C:\\Users\\Admin\\AppData\\Local\\dfedfb.exe"	dfedfb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eqsmwrhn = "C:\\Users\\Admin\\AppData\\Local\\dfedfb.exe"	dfedfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eqsmwrhn = "C:\\Users\\Admin\\AppData\\Local\\dfedfb.exe"	4b72ceffb22961df25fe29ef382135c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eqsmwrhn = "C:\\Users\\Admin\\AppData\\Local\\dfedfb.exe"	4b72ceffb22961df25fe29ef382135c1.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

4b72ceffb22961df25fe29ef382135c1.exedfedfb.exe

description	pid	process	target process
PID 3992 set thread context of 3812	3992	4b72ceffb22961df25fe29ef382135c1.exe	4b72ceffb22961df25fe29ef382135c1.exe
PID 1280 set thread context of 420	1280	dfedfb.exe	dfedfb.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

4b72ceffb22961df25fe29ef382135c1.exe4b72ceffb22961df25fe29ef382135c1.exedfedfb.exe

description	pid	process	target process
PID 3992 wrote to memory of 3812	3992	4b72ceffb22961df25fe29ef382135c1.exe	4b72ceffb22961df25fe29ef382135c1.exe
PID 3992 wrote to memory of 3812	3992	4b72ceffb22961df25fe29ef382135c1.exe	4b72ceffb22961df25fe29ef382135c1.exe
PID 3992 wrote to memory of 3812	3992	4b72ceffb22961df25fe29ef382135c1.exe	4b72ceffb22961df25fe29ef382135c1.exe
PID 3992 wrote to memory of 3812	3992	4b72ceffb22961df25fe29ef382135c1.exe	4b72ceffb22961df25fe29ef382135c1.exe
PID 3992 wrote to memory of 3812	3992	4b72ceffb22961df25fe29ef382135c1.exe	4b72ceffb22961df25fe29ef382135c1.exe
PID 3992 wrote to memory of 3812	3992	4b72ceffb22961df25fe29ef382135c1.exe	4b72ceffb22961df25fe29ef382135c1.exe
PID 3992 wrote to memory of 3812	3992	4b72ceffb22961df25fe29ef382135c1.exe	4b72ceffb22961df25fe29ef382135c1.exe
PID 3812 wrote to memory of 4188	3812	4b72ceffb22961df25fe29ef382135c1.exe	netsh.exe
PID 3812 wrote to memory of 4188	3812	4b72ceffb22961df25fe29ef382135c1.exe	netsh.exe
PID 3812 wrote to memory of 4188	3812	4b72ceffb22961df25fe29ef382135c1.exe	netsh.exe
PID 3812 wrote to memory of 1280	3812	4b72ceffb22961df25fe29ef382135c1.exe	dfedfb.exe
PID 3812 wrote to memory of 1280	3812	4b72ceffb22961df25fe29ef382135c1.exe	dfedfb.exe
PID 3812 wrote to memory of 1280	3812	4b72ceffb22961df25fe29ef382135c1.exe	dfedfb.exe
PID 1280 wrote to memory of 420	1280	dfedfb.exe	dfedfb.exe
PID 1280 wrote to memory of 420	1280	dfedfb.exe	dfedfb.exe
PID 1280 wrote to memory of 420	1280	dfedfb.exe	dfedfb.exe
PID 1280 wrote to memory of 420	1280	dfedfb.exe	dfedfb.exe
PID 1280 wrote to memory of 420	1280	dfedfb.exe	dfedfb.exe
PID 1280 wrote to memory of 420	1280	dfedfb.exe	dfedfb.exe
PID 1280 wrote to memory of 420	1280	dfedfb.exe	dfedfb.exe

C:\Users\Admin\AppData\Local\Temp\4b72ceffb22961df25fe29ef382135c1.exe
"C:\Users\Admin\AppData\Local\Temp\4b72ceffb22961df25fe29ef382135c1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3992

C:\Users\Admin\AppData\Local\Temp\4b72ceffb22961df25fe29ef382135c1.exe
C:\Users\Admin\AppData\Local\Temp\4b72ceffb22961df25fe29ef382135c1.exe
2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3812

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram 1.exe 1 ENABLE
3⤵
- Modifies Windows Firewall
PID:4188

C:\Users\Admin\AppData\Local\dfedfb.exe
"C:\Users\Admin\AppData\Local\dfedfb.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\dfedfb.exe
C:\Users\Admin\AppData\Local\dfedfb.exe
4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
PID:420

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\dfedfb.exe
Filesize
139KB

MD5
4b72ceffb22961df25fe29ef382135c1

SHA1
d4427e586c86ad5ac354226dc9214bfe281901d5

SHA256
ad0a8a3618651472def7cc38d504df41e80ffc846f46fa335340cdd4484d73ef

SHA512
d76879fa4d2b4ede8a1a397b047a4e776e8c9b05320f2b3fa9fe4b0db940f0f62a06c8c87a09aa473e8ab8e217ed8b00eec513a2022fc0070291098f0f01daa1

Download Submit
memory/420-59-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/420-58-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/420-51-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/420-64-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/420-53-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/420-62-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/420-61-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/420-60-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/420-57-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/420-54-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/420-65-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/420-63-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/420-56-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/420-55-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1280-39-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

Filesize
64KB

Download
memory/1280-42-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

Filesize
64KB

Download
memory/3812-29-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3812-21-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3812-20-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3812-17-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3992-16-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

Filesize
64KB

Download
memory/3992-8-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

Filesize
64KB

Download
memory/3992-14-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

Filesize
64KB

Download
memory/3992-18-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads