e100c00854561eff2b0d3eff75053e670b3af5784bb6452b9b18d2235f7a6d0b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53e887ca2d7423d0ce508efa58b8ccbf.exe
Size

436KB
MD5

53e887ca2d7423d0ce508efa58b8ccbf
SHA1

5afc9a083a7c3857f67877582f68f6c31c945cf8
SHA256

e100c00854561eff2b0d3eff75053e670b3af5784bb6452b9b18d2235f7a6d0b
SHA512

a2bc298b9237a06cfec914de2effc7112b02acbd33bd952fd4efcd03e7799803629633ea140e4c2b95568a900d970d3581ebc994bca34a7ab7d069f4139e9943
SSDEEP

6144:TsKGuCZdA50cRzoN+03GDf1DGZH7hvqMsuwTot1Y6GREDUAUqWueQcha20WWqL:bmHAlZa+03GDWvL5w8t1YzRQYecs20Wd

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
4392	InstallHelper.exe
4428	InstallHelper.exe
3444	InstallHelper.exe
1340	McciCMService.exe
4496	InstallHelper.exe
4040	McciCMService.exe

Loads dropped DLL 1 IoCs

pid	Process
2348	53e887ca2d7423d0ce508efa58b8ccbf.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Motive\InstallHelper.exe	53e887ca2d7423d0ce508efa58b8ccbf.exe
File opened for modification	C:\Program Files (x86)\Common Files\Motive\InstallHelper.exe	53e887ca2d7423d0ce508efa58b8ccbf.exe
File created	C:\Program Files (x86)\Common Files\Motive\McciCMService.exe	53e887ca2d7423d0ce508efa58b8ccbf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Motive\Rainier\Logger	McciCMService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	McciCMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Motive	McciCMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Motive\Rainier	McciCMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Motive\Rainier\Logger	McciCMService.exe

Modifies registry class 50 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EB16A060-1490-443D-A9A2-4A12A2FC8036}\1.0\0	McciCMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{717B3C5A-2F6F-44FC-8A20-960B9AE246EE}	McciCMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E647B13-A4B6-4453-BE76-A23FDF11114A}\LocalServer32	McciCMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EB16A060-1490-443D-A9A2-4A12A2FC8036}\1.0\FLAGS\ = "0"	McciCMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\McciCMService.McciComponentManager.1\CLSID	McciCMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E647B13-A4B6-4453-BE76-A23FDF11114A}\TypeLib	McciCMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E647B13-A4B6-4453-BE76-A23FDF11114A}\VersionIndependentProgID	McciCMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\McciCMService.McciComponentManager\CLSID\ = "{0E647B13-A4B6-4453-BE76-A23FDF11114A}"	McciCMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E647B13-A4B6-4453-BE76-A23FDF11114A}	McciCMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E647B13-A4B6-4453-BE76-A23FDF11114A}\VersionIndependentProgID\ = "McciCMService.McciComponentManager"	McciCMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EB16A060-1490-443D-A9A2-4A12A2FC8036}\1.0\ = "McciCMService 1.0 Type Library"	McciCMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EB16A060-1490-443D-A9A2-4A12A2FC8036}\1.0\0\win32	McciCMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{601252B4-A5D7-4B92-B95C-7AB85B57D347}\LocalService = "McciCMService"	McciCMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{717B3C5A-2F6F-44FC-8A20-960B9AE246EE}\ProxyStubClsid32	McciCMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\McciCMService.EXE\AppID = "{601252B4-A5D7-4B92-B95C-7AB85B57D347}"	McciCMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\McciCMService.McciComponentManager\ = "McciComponentManager Class"	McciCMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E647B13-A4B6-4453-BE76-A23FDF11114A}\ProgID\ = "McciCMService.McciComponentManager.1"	McciCMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EB16A060-1490-443D-A9A2-4A12A2FC8036}\1.0\0\win32\ = "C:\\Program Files (x86)\\Common Files\\Motive\\McciCMService.exe"	McciCMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{717B3C5A-2F6F-44FC-8A20-960B9AE246EE}\TypeLib\ = "{EB16A060-1490-443D-A9A2-4A12A2FC8036}"	McciCMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{601252B4-A5D7-4B92-B95C-7AB85B57D347}\ = "McciCMService"	McciCMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EB16A060-1490-443D-A9A2-4A12A2FC8036}	McciCMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E647B13-A4B6-4453-BE76-A23FDF11114A}\LocalServer32\ = "\"C:\\Program Files (x86)\\Common Files\\Motive\\McciCMService.exe\""	McciCMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{717B3C5A-2F6F-44FC-8A20-960B9AE246EE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	McciCMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{717B3C5A-2F6F-44FC-8A20-960B9AE246EE}\TypeLib	McciCMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\McciCMService.McciComponentManager.1\CLSID\ = "{0E647B13-A4B6-4453-BE76-A23FDF11114A}"	McciCMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\McciCMService.McciComponentManager	McciCMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E647B13-A4B6-4453-BE76-A23FDF11114A}\ = "McciComponentManager Class"	McciCMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E647B13-A4B6-4453-BE76-A23FDF11114A}\ProgID	McciCMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EB16A060-1490-443D-A9A2-4A12A2FC8036}\1.0	McciCMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EB16A060-1490-443D-A9A2-4A12A2FC8036}\1.0\FLAGS	McciCMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EB16A060-1490-443D-A9A2-4A12A2FC8036}\1.0\HELPDIR	McciCMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{601252B4-A5D7-4B92-B95C-7AB85B57D347}	McciCMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{717B3C5A-2F6F-44FC-8A20-960B9AE246EE}\TypeLib\Version = "1.0"	McciCMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{717B3C5A-2F6F-44FC-8A20-960B9AE246EE}\TypeLib	McciCMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{717B3C5A-2F6F-44FC-8A20-960B9AE246EE}\TypeLib\ = "{EB16A060-1490-443D-A9A2-4A12A2FC8036}"	McciCMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{717B3C5A-2F6F-44FC-8A20-960B9AE246EE}\ = "IMcciComponentManager"	McciCMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\McciCMService.McciComponentManager.1\ = "McciComponentManager Class"	McciCMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\McciCMService.McciComponentManager\CLSID	McciCMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EB16A060-1490-443D-A9A2-4A12A2FC8036}\1.0\HELPDIR\	McciCMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{717B3C5A-2F6F-44FC-8A20-960B9AE246EE}	McciCMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{717B3C5A-2F6F-44FC-8A20-960B9AE246EE}\TypeLib\Version = "1.0"	McciCMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\McciCMService.EXE	McciCMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E647B13-A4B6-4453-BE76-A23FDF11114A}\AppID = "{601252B4-A5D7-4B92-B95C-7AB85B57D347}"	McciCMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E647B13-A4B6-4453-BE76-A23FDF11114A}\TypeLib\ = "{EB16A060-1490-443D-A9A2-4A12A2FC8036}"	McciCMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\McciCMService.McciComponentManager\CurVer	McciCMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\McciCMService.McciComponentManager\CurVer\ = "McciCMService.McciComponentManager.1"	McciCMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{717B3C5A-2F6F-44FC-8A20-960B9AE246EE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	McciCMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\McciCMService.McciComponentManager.1	McciCMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{717B3C5A-2F6F-44FC-8A20-960B9AE246EE}\ProxyStubClsid32	McciCMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{717B3C5A-2F6F-44FC-8A20-960B9AE246EE}\ = "IMcciComponentManager"	McciCMService.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1340	McciCMService.exe
Token: SeTcbPrivilege	1340	McciCMService.exe
Token: SeDebugPrivilege	4040	McciCMService.exe
Token: SeTcbPrivilege	4040	McciCMService.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 4392	2348	53e887ca2d7423d0ce508efa58b8ccbf.exe	91
PID 2348 wrote to memory of 4392	2348	53e887ca2d7423d0ce508efa58b8ccbf.exe	91
PID 2348 wrote to memory of 4392	2348	53e887ca2d7423d0ce508efa58b8ccbf.exe	91
PID 2348 wrote to memory of 4428	2348	53e887ca2d7423d0ce508efa58b8ccbf.exe	92
PID 2348 wrote to memory of 4428	2348	53e887ca2d7423d0ce508efa58b8ccbf.exe	92
PID 2348 wrote to memory of 4428	2348	53e887ca2d7423d0ce508efa58b8ccbf.exe	92
PID 2348 wrote to memory of 3444	2348	53e887ca2d7423d0ce508efa58b8ccbf.exe	93
PID 2348 wrote to memory of 3444	2348	53e887ca2d7423d0ce508efa58b8ccbf.exe	93
PID 2348 wrote to memory of 3444	2348	53e887ca2d7423d0ce508efa58b8ccbf.exe	93
PID 3444 wrote to memory of 1340	3444	InstallHelper.exe	96
PID 3444 wrote to memory of 1340	3444	InstallHelper.exe	96
PID 3444 wrote to memory of 1340	3444	InstallHelper.exe	96
PID 2348 wrote to memory of 4496	2348	53e887ca2d7423d0ce508efa58b8ccbf.exe	95
PID 2348 wrote to memory of 4496	2348	53e887ca2d7423d0ce508efa58b8ccbf.exe	95
PID 2348 wrote to memory of 4496	2348	53e887ca2d7423d0ce508efa58b8ccbf.exe	95

C:\Users\Admin\AppData\Local\Temp\53e887ca2d7423d0ce508efa58b8ccbf.exe
"C:\Users\Admin\AppData\Local\Temp\53e887ca2d7423d0ce508efa58b8ccbf.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Program Files (x86)\Common Files\Motive\InstallHelper.exe
  "C:\Program Files (x86)\Common Files\Motive\InstallHelper.exe" /predefinedallaccess /Platform=WIN32
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Program Files (x86)\Common Files\Motive\InstallHelper.exe
  "C:\Program Files (x86)\Common Files\Motive\InstallHelper.exe" /addlegacy= /Platform=WIN32
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Program Files (x86)\Common Files\Motive\InstallHelper.exe
  "C:\Program Files (x86)\Common Files\Motive\InstallHelper.exe" /registercmservice /Platform=WIN32
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Program Files (x86)\Common Files\Motive\McciCMService.exe
    "C:\Program Files (x86)\Common Files\Motive\McciCMService.exe" /Service
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:1340
- C:\Program Files (x86)\Common Files\Motive\InstallHelper.exe
  "C:\Program Files (x86)\Common Files\Motive\InstallHelper.exe" /startcmservice /Platform=WIN32
  2⤵
  - Executes dropped EXE
  PID:4496

C:\Program Files (x86)\Common Files\Motive\McciCMService.exe
"C:\Program Files (x86)\Common Files\Motive\McciCMService.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Motive\InstallHelper.exe

Filesize
295KB

MD5
e20461dde78feda4470a8251cf8b1444

SHA1
354c1c24c74e694bd94186045d2e82ee5addd23b

SHA256
cc21d8625456f8b354305e8d1e41bbe20c7a9159703cc93ec56914359846f546

SHA512
d8e29bbe626df45f55f23cc750b4157f7b72d928c257e42a0292cea4a67ca21137633046e38219f5a141d17c639be050672bac824cc5bcf984d0ac46a5437381

Download Submit
C:\Program Files (x86)\Common Files\Motive\InstallHelper.exe

Filesize
270KB

MD5
e1517f3fb3e2c618b686aa17d34aab02

SHA1
e4defd2b3378cd57c9c58f7c7de162558e770c52

SHA256
5ce38ee3bddde1c5abbd508e5ef0a288fd63ae4ae0d3fa7a2cc0e7db304789ed

SHA512
9401044c5b234069680395b1fcbf2655f52bf831f1bf061d521106571f4d8dff4906671861ca309f06eb05d595465d9f7cc17ffc5b540158f2fd182c441e6d64

Download Submit
C:\Program Files (x86)\Common Files\Motive\InstallHelper.exe

Filesize
296KB

MD5
621f23ab6703f99b623df6a5600fa1fa

SHA1
d87e3fdd516dbc63d095653cde8ea4212c5846c7

SHA256
620d1dbcdd92d62b02b24570266c51ec6049e0880e8c006726685c0870da4528

SHA512
a30a353906c79636c03d6b9c97529103ddb1943557f58862edde19869c5507f497f73bf9b47d1278b94788c43330708f2d547fc050e58c663e23bfb0aa9828c3

Download Submit
C:\Program Files (x86)\Common Files\Motive\InstallHelper.exe

Filesize
203KB

MD5
9d7128d36c9c3e924466d4f6b22207d1

SHA1
69474650b8b20a4f5af0c08ccb08b492a4b1ff03

SHA256
a9f248532568dfc1034baa26e29cd9e161dcc6d70e253ae2b9c5aca95baf43e9

SHA512
fe30f9e6242946e97e6071ca15bb1871e6b5b313fbdd965692cab11c2a9a2e5f2b9f01e0babdaa707418791862961b44f8bad51b2b2563f003b6df1833ecc921

Download Submit
C:\Program Files (x86)\Common Files\Motive\InstallHelper.exe

Filesize
370KB

MD5
73a5fae72a52534d81360e2a176c1d65

SHA1
8026a8a768b3e62f16ad9e57ab7d5ca385600561

SHA256
61ed943a9128a8605ef36ab1a58af4a50f7db64cbbad9097bb1cfc00f00c7315

SHA512
b45a8e79d32fdb84b1c433a0b7b0c7ae2fdcfc022a2b7016879463570994c63909478dbb28675ee78b5f537ab96ca82da9bf432062879c12964cdb26a4bf2b39

Download Submit
C:\Program Files (x86)\Common Files\Motive\McciCMService.exe

Filesize
68KB

MD5
6eb75e034e14f7ce5bb5250137b450ce

SHA1
b708376220e7788b415daae62948f9b1e98718b9

SHA256
281131cc098324963dcd4e2bd4d7686351e10a99896e0fb17e4ebc06efaf1e6d

SHA512
c042031a055b720cf63e3b7ad628ebc21684be54d53bfe98d0c49127e5e0bc0ddcacc9a6b070e6162999c0e73308ba1d5e6ae5b72b43cab8c9ff028f02633c2d

Download Submit
C:\Program Files (x86)\Common Files\Motive\McciCMService.exe

Filesize
312KB

MD5
e6cb119ef2e148eaa1a247343550756e

SHA1
951ef11504f74bd0e85128af53f0c54eb95b43f9

SHA256
11729fda2d41d00b43107391416651e674f23de21d398da299ffff61032a98d0

SHA512
7e6d8eb361965e1d84445e0b6464566cb7c69dc9e0d198233dd413dc8afe3fcc617991e8d3809863481910aef8e80b98b4cf52b1aaf72ec5831a70f0e029df51

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallHelper.exe

Filesize
75KB

MD5
9b75d4112cde6dc97f0b2cfc2cd43397

SHA1
d38bd2b277dfbe4606cb8d7ed6008e2f379458d6

SHA256
016daa1859faf8c968a3f200779f5001111b28c7ea2512b94db17b1075681524

SHA512
54bc9c72d63bf9e588b95dd1346c39534fe33f2e3463af8220bc529e2feccfd951f35caea9fb513472c9768e2f0da7d5f4d5b44761abe69e44e094aba5fa3a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso514E.tmp\NSISPlugin.dll

Filesize
572KB

MD5
975b6bb1e3004d70a2b25353d9b56b0d

SHA1
9825699e7788597e8a95fed9633adbc5c39e1881

SHA256
360bee988060680d217ef9f77fc402247c1b414b58440dcfed8aa95d01942a81

SHA512
897261a51a5911353e403d021ab71fe6dd2e369c01aa63eb6b14dec42617779626cee87711c033605ce28c85fc8625a51442cd86e6a90a0bdafed2c3c0727b70

Download Submit