7ba917d53b989bf4ab2731c4fbbe78dfbf7e04ddd58a011e52fdcb86ca929222

General

Target

ad9af3371c3dfd5314342e3b3757494d.exe
Size

4KB
MD5

ad9af3371c3dfd5314342e3b3757494d
SHA1

145db4d30904f2d76b41efa689c7fcf9a21ece7f
SHA256

7ba917d53b989bf4ab2731c4fbbe78dfbf7e04ddd58a011e52fdcb86ca929222
SHA512

87ad9b802ab1aa634083232f41c5e9bb904deb150b1155f7c8b733fee539932514d25d6c2e45d321c78bf565a568aa9293820e8ac61ca491347f3ce6ff528e44
SSDEEP

48:a6pBA188CevVemz5bESso1ii7wtYpstXplsTZ2j+holIIToqM/mthvGowRl/7hxB:hc18STQaii7/pobsW+KGIlsvBphX2

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\stubpath = "C:\\Windows\\system32\\inetsrv\\start.vbs"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}	ad9af3371c3dfd5314342e3b3757494d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\ = "ÏµÍ³ÉèÖÃ"	ad9af3371c3dfd5314342e3b3757494d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\stubpath = "C:\\Windows\\system32\\inetsrv\\start.vbs"	ad9af3371c3dfd5314342e3b3757494d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\ = "ÏµÍ³ÉèÖÃ"	svchost.exe

Deletes itself 1 IoCs

pid	Process
2052	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2904	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2052	cmd.exe
2052	cmd.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\inetsrv\svchost.exe	ad9af3371c3dfd5314342e3b3757494d.exe
File opened for modification	C:\Windows\SysWOW64\inetsrv\start.vbs	svchost.exe
File created	C:\Windows\SysWOW64\inetsrv\svchost.exe	svchost.exe
File created	C:\Windows\SysWOW64\inetsrv\start.vbs	ad9af3371c3dfd5314342e3b3757494d.exe
File created	C:\Windows\SysWOW64\inetsrv\svchost.exe	ad9af3371c3dfd5314342e3b3757494d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2192	2696	ad9af3371c3dfd5314342e3b3757494d.exe	28
PID 2696 wrote to memory of 2192	2696	ad9af3371c3dfd5314342e3b3757494d.exe	28
PID 2696 wrote to memory of 2192	2696	ad9af3371c3dfd5314342e3b3757494d.exe	28
PID 2696 wrote to memory of 2192	2696	ad9af3371c3dfd5314342e3b3757494d.exe	28
PID 2696 wrote to memory of 2052	2696	ad9af3371c3dfd5314342e3b3757494d.exe	29
PID 2696 wrote to memory of 2052	2696	ad9af3371c3dfd5314342e3b3757494d.exe	29
PID 2696 wrote to memory of 2052	2696	ad9af3371c3dfd5314342e3b3757494d.exe	29
PID 2696 wrote to memory of 2052	2696	ad9af3371c3dfd5314342e3b3757494d.exe	29
PID 2052 wrote to memory of 2904	2052	cmd.exe	31
PID 2052 wrote to memory of 2904	2052	cmd.exe	31
PID 2052 wrote to memory of 2904	2052	cmd.exe	31
PID 2052 wrote to memory of 2904	2052	cmd.exe	31
PID 2904 wrote to memory of 2556	2904	svchost.exe	32
PID 2904 wrote to memory of 2556	2904	svchost.exe	32
PID 2904 wrote to memory of 2556	2904	svchost.exe	32
PID 2904 wrote to memory of 2556	2904	svchost.exe	32
PID 2904 wrote to memory of 2036	2904	svchost.exe	33
PID 2904 wrote to memory of 2036	2904	svchost.exe	33
PID 2904 wrote to memory of 2036	2904	svchost.exe	33
PID 2904 wrote to memory of 2036	2904	svchost.exe	33

C:\Users\Admin\AppData\Local\Temp\ad9af3371c3dfd5314342e3b3757494d.exe
"C:\Users\Admin\AppData\Local\Temp\ad9af3371c3dfd5314342e3b3757494d.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c delas.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\inetsrv\svchost.exe
    C:\Windows\system32\inetsrv\svchost.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2556
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c delas.bat
      4⤵
      PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\delas.bat

Filesize
131B

MD5
3339e31bcb4a5125b84f110076c4d10b

SHA1
31d29dd380cd426714ff57ebd3f8c76e7ead41b8

SHA256
eac22da7324489fe79fb20c9ba41823a4f3f48b14bdeef6be220d74802dc213c

SHA512
5983b3257021a633847b5871df83bbd1a853c48facdb1b87a0dd08e8c0967905e12e5a0f01191d5a8f58a216e1369e9c16bdf7f09f0b7ba5ffa23c45e99c4d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\delas.bat

Filesize
100B

MD5
638bf1e292c2f677d4b8ad02a82c92bf

SHA1
ae4fc049718d1080acedf22bc09d5bb6ca9ff02c

SHA256
59b2b243060eae6ee9d73fc1c3613b00121823a0aa2d55bb8c1b7315cd95ccde

SHA512
42b8461eb5894ed48493e0eaf1007d6236af87043bfc173333623fca51314df83d67e120a0d5bf1e10d28111ba035090eef8b57d2622dd68f9c8705a66fd24b4

Download Submit
C:\Windows\SysWOW64\inetsrv\start.vbs

Filesize
112B

MD5
b1d9ca5c82b90fe4037c189ba50efa1e

SHA1
f55e234934271d4633ab04e01cf40936bc539f2e

SHA256
1be457ee2d173dd2dac772a484f762cbb405fdd72133c1651fe0a61424377f0a

SHA512
38e4f3d54de3ffa3d115ba5e0aa81d37fa1761030f9685b779be48f5d57cc50646b3a9cd7e4af06411d732843e3ff246cede7643497312a099ce6113fd846d8d

Download Submit
\Windows\SysWOW64\inetsrv\svchost.exe

Filesize
4KB

MD5
ad9af3371c3dfd5314342e3b3757494d

SHA1
145db4d30904f2d76b41efa689c7fcf9a21ece7f

SHA256
7ba917d53b989bf4ab2731c4fbbe78dfbf7e04ddd58a011e52fdcb86ca929222

SHA512
87ad9b802ab1aa634083232f41c5e9bb904deb150b1155f7c8b733fee539932514d25d6c2e45d321c78bf565a568aa9293820e8ac61ca491347f3ce6ff528e44

Download Submit
memory/2036-33-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2052-14-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2696-0-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2696-10-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2904-26-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads