85ec36e3d25cad7c455ef48ee613acdb732476a8e6b690c3b1850844f83680ef

General

Target

85ec36e3d25cad7c455ef48ee613acdb732476a8e6b690c3b1850844f83680ef.exe
Size

1.0MB
MD5

f00dcb903268d40952f112f1e5e3e92b
SHA1

faca7d57ece3cad3015139640ef27ba7400b482e
SHA256

85ec36e3d25cad7c455ef48ee613acdb732476a8e6b690c3b1850844f83680ef
SHA512

0aacf32e2684e9949f07c1bb49c8379bafa035b86824c0398861a38820f92d806c9bf8d36930662f4ba0848df304af3ebbb688f387f7e2546d1843e0882d4082
SSDEEP

6144:clkgi0e+Kqj6aYD+uUOszAOLjLlP+r0UPdWv:JCe+Kqv0szvfU1Q

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 8 IoCs

flow	pid	Process
3	4528	rundll32.exe
5	4528	rundll32.exe
9	4528	rundll32.exe
10	4528	rundll32.exe
19	4528	rundll32.exe
23	4528	rundll32.exe
24	4528	rundll32.exe
25	4528	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
424	cleanmgr.exe
4528	rundll32.exe

Registers COM server for autorun 1 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Wow6432Node\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\WOW6432Node\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CleanUp.dll"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Wow6432Node\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}\InprocServer32	85ec36e3d25cad7c455ef48ee613acdb732476a8e6b690c3b1850844f83680ef.exe
Key created	\REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\WOW6432Node\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}\InprocServer32	85ec36e3d25cad7c455ef48ee613acdb732476a8e6b690c3b1850844f83680ef.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\WOW6432Node\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CleanUp.dll"	85ec36e3d25cad7c455ef48ee613acdb732476a8e6b690c3b1850844f83680ef.exe
Key created	\REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Wow6432Node\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}\InprocServer32	cleanmgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\WOW6432Node\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CleanUp.dll"	cleanmgr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000\Software\Microsoft\Windows\CurrentVersion\Run\Disk Cleanup = "C:\\Windows\\SysWow64\\cleanmgr.exe /verylowdisk"	85ec36e3d25cad7c455ef48ee613acdb732476a8e6b690c3b1850844f83680ef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Wow6432Node\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}\InprocServer32	cleanmgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\WOW6432Node\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CleanUp.dll"	cleanmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Wow6432Node\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\WOW6432Node\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CleanUp.dll"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Wow6432Node\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}\InprocServer32	85ec36e3d25cad7c455ef48ee613acdb732476a8e6b690c3b1850844f83680ef.exe
Key created	\REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Wow6432Node	85ec36e3d25cad7c455ef48ee613acdb732476a8e6b690c3b1850844f83680ef.exe
Key created	\REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\WOW6432Node\CLSID	85ec36e3d25cad7c455ef48ee613acdb732476a8e6b690c3b1850844f83680ef.exe
Key created	\REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\WOW6432Node\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}	85ec36e3d25cad7c455ef48ee613acdb732476a8e6b690c3b1850844f83680ef.exe
Key created	\REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\WOW6432Node\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}\InprocServer32	85ec36e3d25cad7c455ef48ee613acdb732476a8e6b690c3b1850844f83680ef.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\WOW6432Node\CLSID\{8369AB20-56C9-11D0-94E8-00AA0059CE02}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CleanUp.dll"	85ec36e3d25cad7c455ef48ee613acdb732476a8e6b690c3b1850844f83680ef.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
924	85ec36e3d25cad7c455ef48ee613acdb732476a8e6b690c3b1850844f83680ef.exe
924	85ec36e3d25cad7c455ef48ee613acdb732476a8e6b690c3b1850844f83680ef.exe
424	cleanmgr.exe
424	cleanmgr.exe
4528	rundll32.exe
4528	rundll32.exe
4528	rundll32.exe
4528	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	924	85ec36e3d25cad7c455ef48ee613acdb732476a8e6b690c3b1850844f83680ef.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 424	924	85ec36e3d25cad7c455ef48ee613acdb732476a8e6b690c3b1850844f83680ef.exe	73
PID 924 wrote to memory of 424	924	85ec36e3d25cad7c455ef48ee613acdb732476a8e6b690c3b1850844f83680ef.exe	73
PID 924 wrote to memory of 424	924	85ec36e3d25cad7c455ef48ee613acdb732476a8e6b690c3b1850844f83680ef.exe	73
PID 924 wrote to memory of 1284	924	85ec36e3d25cad7c455ef48ee613acdb732476a8e6b690c3b1850844f83680ef.exe	74
PID 924 wrote to memory of 1284	924	85ec36e3d25cad7c455ef48ee613acdb732476a8e6b690c3b1850844f83680ef.exe	74
PID 924 wrote to memory of 1284	924	85ec36e3d25cad7c455ef48ee613acdb732476a8e6b690c3b1850844f83680ef.exe	74
PID 424 wrote to memory of 4528	424	cleanmgr.exe	76
PID 424 wrote to memory of 4528	424	cleanmgr.exe	76
PID 424 wrote to memory of 4528	424	cleanmgr.exe	76

C:\Users\Admin\AppData\Local\Temp\85ec36e3d25cad7c455ef48ee613acdb732476a8e6b690c3b1850844f83680ef.exe
"C:\Users\Admin\AppData\Local\Temp\85ec36e3d25cad7c455ef48ee613acdb732476a8e6b690c3b1850844f83680ef.exe"
1⤵
- Registers COM server for autorun
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:924
- C:\Windows\SysWOW64\cleanmgr.exe
  "C:\Windows\SysWOW64\cleanmgr.exe" /verylowdisk
  2⤵
  - Loads dropped DLL
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:424
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\CleanUp.dll,DiskCleaner
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:4528
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\85ec36e3d25cad7c455ef48ee613acdb732476a8e6b690c3b1850844f83680ef.exe > nul
  2⤵
  PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CleanUp.dll

Filesize
736KB

MD5
cc08609b2a7d80e3b15e9d132ad9cc8b

SHA1
060ab8f7f4309bac7a0404aa84a4dd213b9733dd

SHA256
b1228c370d6c3e02c7adc0c0bbacb0ab20f23ebadb8625404592277fdabdc6c8

SHA512
13039a7ba22ebb75605c2c4d6706fc2e443d8a5e652a14d109b3bde38e84fc0e8dfeeb7d569f3e1240bb559903d02c32e37fcdaf329615d928a2f32d6ed013d1

Download Submit
memory/424-4-0x00000000045E0000-0x00000000045E1000-memory.dmp

Filesize
4KB

Download
memory/424-5-0x0000000010000000-0x0000000010079000-memory.dmp

Filesize
484KB

Download
memory/424-16-0x0000000004B90000-0x0000000004BA3000-memory.dmp

Filesize
76KB

Download
memory/4528-17-0x00000000023C0000-0x00000000023D3000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads