c8a31acc50c25a84b4e3f6e44e7bda4d415c0b7c63c30f103f3a42b73b8bacf0

General

Target

a2e666391e2ee9a66a8963dc2b91f347.exe
Size

40KB
MD5

a2e666391e2ee9a66a8963dc2b91f347
SHA1

a2d94b47dcdf28be4ba4e7d5000e227c499a5292
SHA256

c8a31acc50c25a84b4e3f6e44e7bda4d415c0b7c63c30f103f3a42b73b8bacf0
SHA512

3b8ba00b64313758cededde66178fe2f548b087edcd639145be39892ae3aa493e1ada216a0b59a01ab4453e77e7fb132dd8f11262e5ea721ec79d79fe2627c3b
SSDEEP

768:Gc/X9F7yRJu/qtyJx0HZZrVgZwiJdqHFJ62WUsiY+l6AD4DMgAGUI26fwc38+Fr:GoXHWsyHZjenwLhWUJQuHIrfwc3Rx

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\helpsvc\ImagePath = "C:\\Windows\\system32\\inertno.exe"	a2e666391e2ee9a66a8963dc2b91f347.exe

Executes dropped EXE 1 IoCs

pid	Process
428	BarClientServer.exe

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	a2e666391e2ee9a66a8963dc2b91f347.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	a2e666391e2ee9a66a8963dc2b91f347.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\new1 = "0"	a2e666391e2ee9a66a8963dc2b91f347.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\inertno.exe	a2e666391e2ee9a66a8963dc2b91f347.exe
File created	C:\Windows\SysWOW64\ttjj35.ini	a2e666391e2ee9a66a8963dc2b91f347.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\BarClientServer.exe	a2e666391e2ee9a66a8963dc2b91f347.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3828	PING.EXE

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
4168	a2e666391e2ee9a66a8963dc2b91f347.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	4168	a2e666391e2ee9a66a8963dc2b91f347.exe
Token: SeSystemtimePrivilege	4168	a2e666391e2ee9a66a8963dc2b91f347.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4168	a2e666391e2ee9a66a8963dc2b91f347.exe
428	BarClientServer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 1160	4168	a2e666391e2ee9a66a8963dc2b91f347.exe	92
PID 4168 wrote to memory of 1160	4168	a2e666391e2ee9a66a8963dc2b91f347.exe	92
PID 4168 wrote to memory of 1160	4168	a2e666391e2ee9a66a8963dc2b91f347.exe	92
PID 4168 wrote to memory of 428	4168	a2e666391e2ee9a66a8963dc2b91f347.exe	94
PID 4168 wrote to memory of 428	4168	a2e666391e2ee9a66a8963dc2b91f347.exe	94
PID 4168 wrote to memory of 428	4168	a2e666391e2ee9a66a8963dc2b91f347.exe	94
PID 4168 wrote to memory of 2824	4168	a2e666391e2ee9a66a8963dc2b91f347.exe	95
PID 4168 wrote to memory of 2824	4168	a2e666391e2ee9a66a8963dc2b91f347.exe	95
PID 4168 wrote to memory of 2824	4168	a2e666391e2ee9a66a8963dc2b91f347.exe	95
PID 2824 wrote to memory of 3828	2824	cmd.exe	97
PID 2824 wrote to memory of 3828	2824	cmd.exe	97
PID 2824 wrote to memory of 3828	2824	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\a2e666391e2ee9a66a8963dc2b91f347.exe
"C:\Users\Admin\AppData\Local\Temp\a2e666391e2ee9a66a8963dc2b91f347.exe"
1⤵
- Sets service image path in registry
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Windows\SysWOW64\cacls.exe
  cacls.exe C:\Windows\system32\cmd.exe /e /t /g everyone:F
  2⤵
  PID:1160
- C:\Windows\BarClientServer.exe
  C:\Windows\BarClientServer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:428
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c echo ping 127.1 -n 3 >nul 2>nul >c:\2.bat&echo del "C:\Users\Admin\AppData\Local\Temp\a2e666391e2ee9a66a8963dc2b91f347.exe">>c:\2.bat&echo del c:\2.bat>>c:\2.bat&c:\2.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1 -n 3
    3⤵
    - Runs ping.exe
    PID:3828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2.bat

Filesize
110B

MD5
0dbc3eb183f61d7cb44c78916008547d

SHA1
35ebb6e163ec7d10bdea67fc70a38b48310745bf

SHA256
78215f98acd13bcf27055382af3079fdd879d190dff8eeb5e5c946b3933ee88c

SHA512
d8c9214ea3ab36e91016c3c16a6705ab049849ecd0ceffd580e1261dd81eb6191915fdf98be6c1fa06d9bc19426adefe2456e7e75706d90b0312e4ba57c31f0d

Download Submit
C:\Windows\BarClientServer.exe

Filesize
124KB

MD5
e44dbbebd34898cc746e5a11732b9921

SHA1
0cafdd64ffe4c38d4d596729f848e6359c19ad43

SHA256
91443d37664176166c242340e555487e9c59795012edc8fb92ea3d11c8b00e94

SHA512
fcc4c3a61c06057af236235c078cd32bb937c7e932950db7fbbd4555719a7a8af70b005c00092092003c9234fdd62b5feb352e9f5c6458808f09fc157a59640b

Download Submit
memory/4168-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4168-2-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4168-1-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4168-19-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads