9affd5767d8dfca4eacbd784c705e794ba0e84c6f800f5db54cc6e6462fd33ae

General

Target

7bab1e52e363808e714cd6bd40b2abdb.exe
Size

196KB
MD5

7bab1e52e363808e714cd6bd40b2abdb
SHA1

ccc41dc1d7f9046803afb9270e46e2417f9dffcc
SHA256

9affd5767d8dfca4eacbd784c705e794ba0e84c6f800f5db54cc6e6462fd33ae
SHA512

a165f5744be90ebb906f8598dc266a7ee8da1871e901b757a8feb8809d4b30a237c6d7292cde49e7c8fc1f602af61be9148afa5f5342c1b7ac119cdf3a53962f
SSDEEP

3072:3jz72q/WK0bhEAYVLZ+gkvFo61pLbTOPqWj2VkqdJVZhdkL0rdeU2RyUbl:Tn2O10bZgio619OSW6VxkL0rx2Jp

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Server IIS\Parameters\ServiceDll = "C:\\Windows\\system32\\System64.dll"	7bab1e52e363808e714cd6bd40b2abdb.exe

Deletes itself 1 IoCs

pid	Process
2728	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2780	svchost.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\System64.dat	7bab1e52e363808e714cd6bd40b2abdb.exe
File created	C:\Windows\SysWOW64\System64.dll	7bab1e52e363808e714cd6bd40b2abdb.exe
File created	C:\Windows\SysWOW64\KMe.bat	7bab1e52e363808e714cd6bd40b2abdb.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 1568	2172	7bab1e52e363808e714cd6bd40b2abdb.exe	28
PID 2172 wrote to memory of 1568	2172	7bab1e52e363808e714cd6bd40b2abdb.exe	28
PID 2172 wrote to memory of 1568	2172	7bab1e52e363808e714cd6bd40b2abdb.exe	28
PID 2172 wrote to memory of 1568	2172	7bab1e52e363808e714cd6bd40b2abdb.exe	28
PID 1568 wrote to memory of 2728	1568	7bab1e52e363808e714cd6bd40b2abdb.exe	30
PID 1568 wrote to memory of 2728	1568	7bab1e52e363808e714cd6bd40b2abdb.exe	30
PID 1568 wrote to memory of 2728	1568	7bab1e52e363808e714cd6bd40b2abdb.exe	30
PID 1568 wrote to memory of 2728	1568	7bab1e52e363808e714cd6bd40b2abdb.exe	30

C:\Users\Admin\AppData\Local\Temp\7bab1e52e363808e714cd6bd40b2abdb.exe
"C:\Users\Admin\AppData\Local\Temp\7bab1e52e363808e714cd6bd40b2abdb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\7bab1e52e363808e714cd6bd40b2abdb.exe
  C:\Users\Admin\AppData\Local\Temp\7bab1e52e363808e714cd6bd40b2abdb.exe -Nod32
  2⤵
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\KMe.bat
    3⤵
    - Deletes itself
    PID:2728

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netservice
1⤵
- Loads dropped DLL
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\KMe.bat

Filesize
86B

MD5
08dbc88559153e25c1c270ff560b78c3

SHA1
2e5543095a0fde6bc19d9aaf9509c886c7ac1888

SHA256
c67b66815822ef5ed2034b1e055cc7bd0bf0baa7de372f5ac104179016f2e83c

SHA512
2bc14ac0e794561bf1125aba62b5345ee60feb2dbc1f78f89c9da2c5fa14c0009adb5488e5ca30284958c662baa8dce0733a9878550657cf4fd8972103262abe

Download Submit
C:\Windows\SysWOW64\System64.dat

Filesize
162B

MD5
9d79c36a32c496b4eab94f41fdbcafe3

SHA1
fb54bc76b9278278fc6b3ff80b2d4051ee48f1aa

SHA256
755f39cf6ab09cc5a744badd333788673730753cd675053259b792e0d8659058

SHA512
45862b88ab588414b5949db64af3c3a56234d79bd1a55923b9792cd2e742ad4c50088f38fcd3bd738ff62647c2fded4dd265e16fd54d72755260d27a940c6cd3

Download Submit
\Windows\SysWOW64\System64.dll

Filesize
350KB

MD5
03b916047d02feed651d439f9e400278

SHA1
6461a866bf5656eeb56131da5e8135ff995a281b

SHA256
89b66dcd8e9bd28fda16bc11f085074c24b135a16768c52bbe3a41938875b6e8

SHA512
f463e44bf1b8bac11702b78ad156032c0178a4b9c246788813bd50d54da8b2d2c46ea0ac966571f218ae7befe86b266874e2ade440aaf87183d433a8c0794f85

Download Submit
memory/1568-2-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1568-15-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2172-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2172-0-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/2780-21-0x0000000000280000-0x00000000002DE000-memory.dmp

Filesize
376KB

Download
memory/2780-25-0x0000000000280000-0x00000000002DE000-memory.dmp

Filesize
376KB

Download
memory/2780-20-0x0000000000280000-0x00000000002DE000-memory.dmp

Filesize
376KB

Download
memory/2780-14-0x0000000000280000-0x00000000002DE000-memory.dmp

Filesize
376KB

Download
memory/2780-22-0x0000000000280000-0x00000000002DE000-memory.dmp

Filesize
376KB

Download
memory/2780-23-0x0000000000280000-0x00000000002DE000-memory.dmp

Filesize
376KB

Download
memory/2780-24-0x0000000000280000-0x00000000002DE000-memory.dmp

Filesize
376KB

Download
memory/2780-19-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2780-26-0x0000000000280000-0x00000000002DE000-memory.dmp

Filesize
376KB

Download
memory/2780-27-0x0000000000280000-0x00000000002DE000-memory.dmp

Filesize
376KB

Download
memory/2780-28-0x0000000000280000-0x00000000002DE000-memory.dmp

Filesize
376KB

Download
memory/2780-29-0x0000000000280000-0x00000000002DE000-memory.dmp

Filesize
376KB

Download
memory/2780-30-0x0000000000280000-0x00000000002DE000-memory.dmp

Filesize
376KB

Download
memory/2780-31-0x0000000000280000-0x00000000002DE000-memory.dmp

Filesize
376KB

Download
memory/2780-32-0x0000000000280000-0x00000000002DE000-memory.dmp

Filesize
376KB

Download
memory/2780-33-0x0000000000280000-0x00000000002DE000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads