5d00eaf75217bc5fe6fc6923bad3bd3a5248dfcfb59969a3a95bd82972713442

General

Target

Maxar.exe
Size

182.5MB
MD5

6fd5d31d607a212c6f7651c79e7655a3
SHA1

ddd18e208aff7b00a46e06f8d9485f81ff4221ea
SHA256

364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614
SHA512

ab9f749ee6eb0c9c2fd0f9f3f55be3d17835a1285af72f2dc1eef74a6191a6a988345b556d0ff76f9a59585e3cd56a724bec4389418b4748b2f72b7128b949a7
SSDEEP

786432:fcfVFSPTqkFfux1Kq0DsqEnz1XSY3v9XSIsmhidXposvHH7QdPA0mgErPrzlcEsp:EfzSPTqkGM16zsY3hSCKWsf7QggmzKEG

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1948	Maxar.exe
1948	Maxar.exe
1948	Maxar.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\broker.exe = "C:\\Users\\Admin\\AppData\\Local\\broker.exe"	Maxar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.exe = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\System.exe"	Maxar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\host.exe = "C:\\Users\\Admin\\AppData\\Roaming\\host.exe"	Maxar.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	Maxar.exe

C:\Users\Admin\AppData\Local\Temp\Maxar.exe
"C:\Users\Admin\AppData\Local\Temp\Maxar.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\.net\Maxar\U3dTN8CxsgtnCFkKQPxCbpoP9A0FDxI=\D3DCompiler_47_cor3.dll

Filesize
64KB

MD5
f7af9f360eeaa6c0d81626d17ab05fa9

SHA1
941a60cd6b1f5fc68576f12ae37608a7eaae8481

SHA256
62768301d3e2aa8be63282f10f15df686b946c3637ece6e9f79a9934cd91db65

SHA512
fe14e919e28e59aca159c9973df27b1fa0e8b08c729e64875891a2db688470dcb6e8acbbe1284dc132db532bcf7066c54f127b09e4e90b53c4b20e66e1ce4fb2

Download Submit
\Users\Admin\AppData\Local\Temp\.net\Maxar\U3dTN8CxsgtnCFkKQPxCbpoP9A0FDxI=\PresentationNative_cor3.dll

Filesize
854KB

MD5
dc6e996e340d4ec621202aa2aefd1854

SHA1
6b9f08936dfa82cbf9c51334f9cbc9239e63bd44

SHA256
319a40bf941cf5c9ac2f58b1fd24fdff72e71713acd2f6b82ad3d21def59691b

SHA512
a2b824d1787082290bf36b63494871437746d54bbdde99c3cece6ef896ba3205ad6c010f6d58cda0111d4c4a7d14fb91feebcc1d692438aed80fb0a8464e1e44

Download Submit
\Users\Admin\AppData\Local\Temp\.net\Maxar\U3dTN8CxsgtnCFkKQPxCbpoP9A0FDxI=\wpfgfx_cor3.dll

Filesize
136KB

MD5
a41fd1cdc089dfbde9392963c1a8c7d3

SHA1
ed08a30e228ded33a11583623db8a437f1dbd646

SHA256
e065733d83b6ee9f89aeb5b3fe44abea52aa830aaca0b8878a5f229c74e5cef7

SHA512
b7e6696a1b1756ba50bcac53f57e7f261b4047f6f29294118a683eb8dac918d6a0ee2eb732d332f2c53ad39a54d21efacc887af89dd17a4c6d60278e929ed67a

Download Submit
memory/1948-27-0x00000000004A0000-0x00000000004E0000-memory.dmp

Filesize
256KB

Download
memory/1948-59-0x0000000004110000-0x0000000004150000-memory.dmp

Filesize
256KB

Download
memory/1948-23-0x0000000000450000-0x00000000004A0000-memory.dmp

Filesize
320KB

Download
memory/1948-6-0x0000000003160000-0x0000000003C80000-memory.dmp

Filesize
11.1MB

Download
memory/1948-31-0x00000000071B0000-0x00000000079F0000-memory.dmp

Filesize
8.2MB

Download
memory/1948-39-0x0000000000140000-0x0000000000150000-memory.dmp

Filesize
64KB

Download
memory/1948-43-0x0000000001F10000-0x0000000001F20000-memory.dmp

Filesize
64KB

Download
memory/1948-35-0x0000000006730000-0x00000000067B0000-memory.dmp

Filesize
512KB

Download
memory/1948-55-0x0000000002040000-0x0000000002060000-memory.dmp

Filesize
128KB

Download
memory/1948-63-0x0000000004180000-0x00000000041A0000-memory.dmp

Filesize
128KB

Download
memory/1948-67-0x00000000041E0000-0x0000000004210000-memory.dmp

Filesize
192KB

Download
memory/1948-19-0x0000000003F60000-0x00000000040C0000-memory.dmp

Filesize
1.4MB

Download
memory/1948-51-0x0000000002020000-0x0000000002040000-memory.dmp

Filesize
128KB

Download
memory/1948-15-0x0000000006390000-0x00000000065C0000-memory.dmp

Filesize
2.2MB

Download
memory/1948-47-0x0000000001F40000-0x0000000001F60000-memory.dmp

Filesize
128KB

Download
memory/1948-11-0x000000013F2F0000-0x000000013FC1C000-memory.dmp

Filesize
9.2MB

Download
memory/1948-10-0x00000000051D0000-0x0000000006150000-memory.dmp

Filesize
15.5MB

Download
memory/1948-167-0x000000000B3F0000-0x000000000B3FA000-memory.dmp

Filesize
40KB

Download
memory/1948-172-0x000000000B3F0000-0x000000000B3FA000-memory.dmp

Filesize
40KB

Download
memory/1948-192-0x000000000B950000-0x000000000B951000-memory.dmp

Filesize
4KB

Download
memory/1948-241-0x000000013F2F0000-0x000000013FC1C000-memory.dmp

Filesize
9.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads