16449ddb6b1d88368da42175a126041d24b90d1498760e8e12dd340ed30f5666

General

Target

8c9ee2556eb31f2b7608c54b335f5e39.exe
Size

139KB
MD5

8c9ee2556eb31f2b7608c54b335f5e39
SHA1

82f3f250019e361bf90f7b2d649ecd55634460e1
SHA256

16449ddb6b1d88368da42175a126041d24b90d1498760e8e12dd340ed30f5666
SHA512

2279b0fe536f287f895385628c58d3668417b3d51a62f32fc50187e92377b7cfae79587195175c79bab87538c522fbf2819683b76995d71e2f7b06e75de9d67a
SSDEEP

3072:JMTdQO2oWRrMu4Ubc6mFG/SyTOSd0+uZRpQNnJSKa4PO8T:J41SVwDcdTddbMLQNnza+T

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2812	netsh.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iffef.exe	8c9ee2556eb31f2b7608c54b335f5e39.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iffef.exe	8c9ee2556eb31f2b7608c54b335f5e39.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iffef.exe	krpmrk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iffef.exe	krpmrk.exe

Executes dropped EXE 2 IoCs

pid	Process
2976	krpmrk.exe
2660	krpmrk.exe

Loads dropped DLL 2 IoCs

pid	Process
2220	8c9ee2556eb31f2b7608c54b335f5e39.exe
2220	8c9ee2556eb31f2b7608c54b335f5e39.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lddvjcdq = "C:\\Users\\Admin\\AppData\\Local\\krpmrk.exe"	krpmrk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\lddvjcdq = "C:\\Users\\Admin\\AppData\\Local\\krpmrk.exe"	krpmrk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lddvjcdq = "C:\\Users\\Admin\\AppData\\Local\\krpmrk.exe"	8c9ee2556eb31f2b7608c54b335f5e39.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\lddvjcdq = "C:\\Users\\Admin\\AppData\\Local\\krpmrk.exe"	8c9ee2556eb31f2b7608c54b335f5e39.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3024 set thread context of 2220	3024	8c9ee2556eb31f2b7608c54b335f5e39.exe	28
PID 2976 set thread context of 2660	2976	krpmrk.exe	31

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2220	3024	8c9ee2556eb31f2b7608c54b335f5e39.exe	28
PID 3024 wrote to memory of 2220	3024	8c9ee2556eb31f2b7608c54b335f5e39.exe	28
PID 3024 wrote to memory of 2220	3024	8c9ee2556eb31f2b7608c54b335f5e39.exe	28
PID 3024 wrote to memory of 2220	3024	8c9ee2556eb31f2b7608c54b335f5e39.exe	28
PID 3024 wrote to memory of 2220	3024	8c9ee2556eb31f2b7608c54b335f5e39.exe	28
PID 3024 wrote to memory of 2220	3024	8c9ee2556eb31f2b7608c54b335f5e39.exe	28
PID 3024 wrote to memory of 2220	3024	8c9ee2556eb31f2b7608c54b335f5e39.exe	28
PID 3024 wrote to memory of 2220	3024	8c9ee2556eb31f2b7608c54b335f5e39.exe	28
PID 2220 wrote to memory of 2812	2220	8c9ee2556eb31f2b7608c54b335f5e39.exe	29
PID 2220 wrote to memory of 2812	2220	8c9ee2556eb31f2b7608c54b335f5e39.exe	29
PID 2220 wrote to memory of 2812	2220	8c9ee2556eb31f2b7608c54b335f5e39.exe	29
PID 2220 wrote to memory of 2812	2220	8c9ee2556eb31f2b7608c54b335f5e39.exe	29
PID 2220 wrote to memory of 2976	2220	8c9ee2556eb31f2b7608c54b335f5e39.exe	30
PID 2220 wrote to memory of 2976	2220	8c9ee2556eb31f2b7608c54b335f5e39.exe	30
PID 2220 wrote to memory of 2976	2220	8c9ee2556eb31f2b7608c54b335f5e39.exe	30
PID 2220 wrote to memory of 2976	2220	8c9ee2556eb31f2b7608c54b335f5e39.exe	30
PID 2976 wrote to memory of 2660	2976	krpmrk.exe	31
PID 2976 wrote to memory of 2660	2976	krpmrk.exe	31
PID 2976 wrote to memory of 2660	2976	krpmrk.exe	31
PID 2976 wrote to memory of 2660	2976	krpmrk.exe	31
PID 2976 wrote to memory of 2660	2976	krpmrk.exe	31
PID 2976 wrote to memory of 2660	2976	krpmrk.exe	31
PID 2976 wrote to memory of 2660	2976	krpmrk.exe	31
PID 2976 wrote to memory of 2660	2976	krpmrk.exe	31

C:\Users\Admin\AppData\Local\Temp\8c9ee2556eb31f2b7608c54b335f5e39.exe
"C:\Users\Admin\AppData\Local\Temp\8c9ee2556eb31f2b7608c54b335f5e39.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Local\Temp\8c9ee2556eb31f2b7608c54b335f5e39.exe
  C:\Users\Admin\AppData\Local\Temp\8c9ee2556eb31f2b7608c54b335f5e39.exe
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram 1.exe 1 ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:2812
- - C:\Users\Admin\AppData\Local\krpmrk.exe
    "C:\Users\Admin\AppData\Local\krpmrk.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Users\Admin\AppData\Local\krpmrk.exe
      C:\Users\Admin\AppData\Local\krpmrk.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\krpmrk.exe

Filesize
134KB

MD5
ffe089cec521df4c363c118c1c831027

SHA1
7a6fd22b305bdcfb595e3d71cf8da5cf20ca980e

SHA256
7d0fb88bd07bcf60b2a03dce9c43303425d192b0de3bf9179895d088cfa84351

SHA512
112c7a8e25616c3918ebb3efde90224db031e7126f89b2a522d7db8b2a3e6a508261fcaec656f334bfa13c5e094b380843913132a4fab4e9c2a008232fe48617

Download Submit
\Users\Admin\AppData\Local\krpmrk.exe

Filesize
139KB

MD5
8c9ee2556eb31f2b7608c54b335f5e39

SHA1
82f3f250019e361bf90f7b2d649ecd55634460e1

SHA256
16449ddb6b1d88368da42175a126041d24b90d1498760e8e12dd340ed30f5666

SHA512
2279b0fe536f287f895385628c58d3668417b3d51a62f32fc50187e92377b7cfae79587195175c79bab87538c522fbf2819683b76995d71e2f7b06e75de9d67a

Download Submit
memory/2220-38-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2220-11-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2220-13-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2220-16-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2220-25-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2220-23-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2220-18-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2220-26-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2660-69-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2660-74-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2660-82-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2660-70-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2660-71-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2660-72-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2660-73-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2660-81-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2660-75-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2660-76-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2660-77-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2660-78-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2660-79-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2660-80-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2976-66-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/3024-14-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads