e57492476a722bdf2e149084614ecb809e46981b0f6e894b435fd10c837868b2

General

Target

63a6e3a33bb1693078924c828c18435a.exe
Size

3.1MB
MD5

63a6e3a33bb1693078924c828c18435a
SHA1

15f1a8782d3baba906367c4633b4e807616b0e39
SHA256

e57492476a722bdf2e149084614ecb809e46981b0f6e894b435fd10c837868b2
SHA512

0bbca836bd9026228fd2648585e654422125460422bee2df529b789ed747a914e9a43709cf68e3cacd5869f2edd9606310f87ac81e0ae587a0eca86ae209dd44
SSDEEP

98304:4CqKOvyKY3QYu1c4aj22s017tvTojHfMqg39h:ZOyKYAYu32sitboj0qsh

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2248	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Uses Session Manager for persistence 2 TTPs 3 IoCs

Creates Session Manager registry key to run executable early in system boot.

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Session manager\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000	reg.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000	reg.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000	reg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows32 = "C:\\windows\\system\\win.exe"	63a6e3a33bb1693078924c828c18435a.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\reg_0001.txt	63a6e3a33bb1693078924c828c18435a.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\windows\system\win.exe	63a6e3a33bb1693078924c828c18435a.exe
File opened for modification	C:\windows\system\win.exe	63a6e3a33bb1693078924c828c18435a.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4376	sc.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4808	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1228	63a6e3a33bb1693078924c828c18435a.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 4808	1228	63a6e3a33bb1693078924c828c18435a.exe	100
PID 1228 wrote to memory of 4808	1228	63a6e3a33bb1693078924c828c18435a.exe	100
PID 1228 wrote to memory of 4808	1228	63a6e3a33bb1693078924c828c18435a.exe	100
PID 1228 wrote to memory of 4376	1228	63a6e3a33bb1693078924c828c18435a.exe	99
PID 1228 wrote to memory of 4376	1228	63a6e3a33bb1693078924c828c18435a.exe	99
PID 1228 wrote to memory of 4376	1228	63a6e3a33bb1693078924c828c18435a.exe	99
PID 1228 wrote to memory of 2836	1228	63a6e3a33bb1693078924c828c18435a.exe	98
PID 1228 wrote to memory of 2836	1228	63a6e3a33bb1693078924c828c18435a.exe	98
PID 1228 wrote to memory of 2836	1228	63a6e3a33bb1693078924c828c18435a.exe	98
PID 1228 wrote to memory of 1628	1228	63a6e3a33bb1693078924c828c18435a.exe	96
PID 1228 wrote to memory of 1628	1228	63a6e3a33bb1693078924c828c18435a.exe	96
PID 1228 wrote to memory of 1628	1228	63a6e3a33bb1693078924c828c18435a.exe	96
PID 1228 wrote to memory of 2468	1228	63a6e3a33bb1693078924c828c18435a.exe	94
PID 1228 wrote to memory of 2468	1228	63a6e3a33bb1693078924c828c18435a.exe	94
PID 1228 wrote to memory of 2468	1228	63a6e3a33bb1693078924c828c18435a.exe	94
PID 1228 wrote to memory of 2248	1228	63a6e3a33bb1693078924c828c18435a.exe	92
PID 1228 wrote to memory of 2248	1228	63a6e3a33bb1693078924c828c18435a.exe	92
PID 1228 wrote to memory of 2248	1228	63a6e3a33bb1693078924c828c18435a.exe	92

C:\Users\Admin\AppData\Local\Temp\63a6e3a33bb1693078924c828c18435a.exe
"C:\Users\Admin\AppData\Local\Temp\63a6e3a33bb1693078924c828c18435a.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\windows\system\win.exe RPCCC
  2⤵
  - Modifies Windows Firewall
  PID:2248
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session manager" /v BootExecute /t REG_MULTI_SZ /d "autocheck autochk *" /f
  2⤵
  - Uses Session Manager for persistence
  PID:2468
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\SYSTEM\ControlSet002\Control\Session manager" /v BootExecute /t REG_MULTI_SZ /d "autocheck autochk *" /f
  2⤵
  - Uses Session Manager for persistence
  PID:1628
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\SYSTEM\ControlSet001\Control\Session manager" /v BootExecute /t REG_MULTI_SZ /d "autocheck autochk *" /f
  2⤵
  - Uses Session Manager for persistence
  PID:2836
- C:\Windows\SysWOW64\sc.exe
  sc delete GbpSv
  2⤵
  - Launches sc.exe
  PID:4376
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn startt /tr c:\autoexec.bat /sc onstart /ru system
  2⤵
  - Creates scheduled task(s)
  PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Create or Modify System Process

2

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Create or Modify System Process

2

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\windows\system\win.exe

Filesize
1.8MB

MD5
e915afb01673ccdaad9ccae03cf36466

SHA1
c3ea4bd65c934715038a94f2254123b629dd621f

SHA256
cbf6b9b6f86bc51d226028e197f857e125328e296982229e6271831bbfb5aa18

SHA512
b63eab43f2657c5229d87bb01ac2939c475023b7cada62e669b2c62a80d3d29055896fa0f39929c2d7eb988b4291903bef86a266e1597b140a1e461bf66d38db

Download Submit
memory/1228-12-0x0000000000400000-0x0000000000A89000-memory.dmp

Filesize
6.5MB

Download
memory/1228-2-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/1228-1-0x0000000000400000-0x0000000000A89000-memory.dmp

Filesize
6.5MB

Download
memory/1228-6-0x0000000000400000-0x0000000000A89000-memory.dmp

Filesize
6.5MB

Download
memory/1228-7-0x0000000000400000-0x0000000000A89000-memory.dmp

Filesize
6.5MB

Download
memory/1228-8-0x0000000000400000-0x0000000000A89000-memory.dmp

Filesize
6.5MB

Download
memory/1228-9-0x0000000000400000-0x0000000000A89000-memory.dmp

Filesize
6.5MB

Download
memory/1228-10-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/1228-0-0x0000000000400000-0x0000000000A89000-memory.dmp

Filesize
6.5MB

Download
memory/1228-11-0x0000000000400000-0x0000000000A89000-memory.dmp

Filesize
6.5MB

Download
memory/1228-15-0x0000000000400000-0x0000000000A89000-memory.dmp

Filesize
6.5MB

Download
memory/1228-14-0x0000000000400000-0x0000000000A89000-memory.dmp

Filesize
6.5MB

Download
memory/1228-13-0x0000000000400000-0x0000000000A89000-memory.dmp

Filesize
6.5MB

Download
memory/1228-16-0x0000000000400000-0x0000000000A89000-memory.dmp

Filesize
6.5MB

Download
memory/1228-17-0x0000000000400000-0x0000000000A89000-memory.dmp

Filesize
6.5MB

Download
memory/1228-18-0x0000000000400000-0x0000000000A89000-memory.dmp

Filesize
6.5MB

Download
memory/1228-19-0x0000000000400000-0x0000000000A89000-memory.dmp

Filesize
6.5MB

Download
memory/1228-20-0x0000000000400000-0x0000000000A89000-memory.dmp

Filesize
6.5MB

Download
memory/1228-21-0x0000000000400000-0x0000000000A89000-memory.dmp

Filesize
6.5MB

Download
memory/1228-22-0x0000000000400000-0x0000000000A89000-memory.dmp

Filesize
6.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads