565b5245923df1b3a7c2ad37d674baf269f9ad456467029e77a300d48f447280

General

Target

ProM.exe
Size

1.0MB
MD5

b2772ab90871a25d574876336c016d6a
SHA1

d47f0d75e135ad711812f8df79389f06e05395a7
SHA256

565b5245923df1b3a7c2ad37d674baf269f9ad456467029e77a300d48f447280
SHA512

c6d80f7eb9d248cdb2f36c80e093e0ae8b1e19d645beae14b396c89e125888600092c9f5212529f326323cf72e65074a522b14d8fadca00a4ff2fe796188c6d9
SSDEEP

24576:QDWHSb4N2UskiHcd5MH4DWmTxwOxFzPqrweFXRy7rYvzR4BV:784tiEXr1HOnhRy7rYaBV

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCMON24.SYS	Process Monitor64.exe
File opened for modification	C:\Windows\system32\Drivers\PROCMON24.SYS	Process Monitor64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCMON24\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCMON24.SYS"	Process Monitor64.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	ProM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	Process Monitor.exe

Executes dropped EXE 2 IoCs

pid	Process
2736	Process Monitor.exe
760	Process Monitor64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\ProcMon.Logfile.1\shell	Process Monitor64.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\ProcMon.Logfile.1\DefaultIcon	Process Monitor64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\ProcMon.Logfile.1\DefaultIcon\ = "\"C:\\promon\\Process Monitor.exe\",0"	Process Monitor64.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\.PML	Process Monitor64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\.PML\ = "ProcMon.Logfile.1"	Process Monitor64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\ProcMon.Logfile.1\ = "ProcMon 日志文件"	Process Monitor64.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\ProcMon.Logfile.1\shell\open\command	Process Monitor64.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\ProcMon.Logfile.1\shell\open	Process Monitor64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\ProcMon.Logfile.1\shell\open\command\ = "\"C:\\promon\\Process Monitor.exe\" /OpenLog \"%1\""	Process Monitor64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process Monitor.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\ProcMon.Logfile.1	Process Monitor64.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
760	Process Monitor64.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	760	Process Monitor64.exe
Token: SeLoadDriverPrivilege	760	Process Monitor64.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 2736	3892	ProM.exe	85
PID 3892 wrote to memory of 2736	3892	ProM.exe	85
PID 3892 wrote to memory of 2736	3892	ProM.exe	85
PID 2736 wrote to memory of 760	2736	Process Monitor.exe	87
PID 2736 wrote to memory of 760	2736	Process Monitor.exe	87

C:\Users\Admin\AppData\Local\Temp\ProM.exe
"C:\Users\Admin\AppData\Local\Temp\ProM.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3892
- C:\promon\Process Monitor.exe
  "C:\promon\Process Monitor.exe" /quiet /accepteula
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\Process Monitor64.exe
    "C:\Users\Admin\AppData\Local\Temp\Process Monitor64.exe" /quiet /accepteula /originalpath "C:\promon\Process Monitor.exe"
    3⤵
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Process Monitor64.exe

Filesize
1.1MB

MD5
b6aa887d7b5b1962b1232d3a6c945a0f

SHA1
dbadf4a9aafb45bd28b99ea5b3ef69c03d6612b5

SHA256
606d703b9c480f3ac43c5364679ce3e297937540b8097b923e1fb39e62b1f915

SHA512
9ca4f80d913bfc3514fd1014e3b899cc6a881592ed96114f2fbc21cfa06ceca7e52a84c494d3c8cec85f6f921658028d00a7a6dba91127e673409e4634856394

Download Submit
C:\promon\Process Monitor.exe

Filesize
2.1MB

MD5
bf8355539cc7d788116447d0d59e3207

SHA1
8b8cc802559f7ba41662e683e9893cbef5060535

SHA256
bf3ef822a858bfd2262e14acf4d953eca700623c83f64c2f684fd7ccaf9d19aa

SHA512
c858924898b8c8e775cfc591238783e6364322c350593b966880983591e897206862ab7bb55efdf048c14ae158aaeda4d707ff86a39e24da07d933bae01d6002

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads