607ff350ae960c0b213e4df37b5a4ad5b236fedf18e2f45ef42382ba63f54bfe

General

Target

b41e3ca9b8ff7f2a66333d06ad3ad535.exe
Size

47KB
MD5

b41e3ca9b8ff7f2a66333d06ad3ad535
SHA1

7024b13209f696bad39c75971f18bde654065b4d
SHA256

607ff350ae960c0b213e4df37b5a4ad5b236fedf18e2f45ef42382ba63f54bfe
SHA512

1a88ad3753f5c17523f1225ee2821a0f70f08c690845bd51a9366530a0b8328118f069c4a9d140de485566e47be84423fff4e67a39185290fa29c7b3cb31b93f
SSDEEP

768:MByHffoqbZLy0rrJo7MvfoF+e2g8g48w9qUeu/uAENVPOr1NPYcv51X7:MBaffoqbZmSo4le2g8gBUZGAENMLJ5F7

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
392	b41e3ca9b8ff7f2a66333d06ad3ad535.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b41e3ca9b8ff7f2a66333d06ad3ad535.exe"	b41e3ca9b8ff7f2a66333d06ad3ad535.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\swenum.inf_amd64_16a14542b63c02af\swenum.sys	b41e3ca9b8ff7f2a66333d06ad3ad535.exe
File created	C:\Windows\System32\DriverStore\FileRepository\urschipidea.inf_amd64_78ad1c14e33df968\urschipidea.sys	b41e3ca9b8ff7f2a66333d06ad3ad535.exe
File created	C:\Windows\System32\DriverStore\FileRepository\urssynopsys.inf_amd64_057fa37902020500\urssynopsys.sys	b41e3ca9b8ff7f2a66333d06ad3ad535.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ufxchipidea.inf_amd64_1c78775fffab6a0a\UfxChipidea.sys	b41e3ca9b8ff7f2a66333d06ad3ad535.exe
File created	C:\Windows\System32\DriverStore\FileRepository\umbus.inf_amd64_b78a9c5b6fd62c27\umbus.sys	b41e3ca9b8ff7f2a66333d06ad3ad535.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vrd.inf_amd64_81fbd405ff2470fc\vrd.sys	b41e3ca9b8ff7f2a66333d06ad3ad535.exe
File created	C:\Windows\System32\DriverStore\FileRepository\compositebus.inf_amd64_7500cffa210c6946\CompositeBus.sys	b41e3ca9b8ff7f2a66333d06ad3ad535.exe
File created	C:\Windows\System32\DriverStore\FileRepository\genericusbfn.inf_amd64_53931f0ae21d6d2c\genericusbfn.sys	b41e3ca9b8ff7f2a66333d06ad3ad535.exe
File created	C:\Windows\System32\DriverStore\FileRepository\uefi.inf_amd64_c1628ffa62c8e54c\UEFI.sys	b41e3ca9b8ff7f2a66333d06ad3ad535.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1600	b41e3ca9b8ff7f2a66333d06ad3ad535.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 392 set thread context of 4204	392	b41e3ca9b8ff7f2a66333d06ad3ad535.exe	95
PID 4204 set thread context of 1600	4204	b41e3ca9b8ff7f2a66333d06ad3ad535.exe	96

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1600	b41e3ca9b8ff7f2a66333d06ad3ad535.exe
1600	b41e3ca9b8ff7f2a66333d06ad3ad535.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	b41e3ca9b8ff7f2a66333d06ad3ad535.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 4204	392	b41e3ca9b8ff7f2a66333d06ad3ad535.exe	95
PID 392 wrote to memory of 4204	392	b41e3ca9b8ff7f2a66333d06ad3ad535.exe	95
PID 392 wrote to memory of 4204	392	b41e3ca9b8ff7f2a66333d06ad3ad535.exe	95
PID 392 wrote to memory of 4204	392	b41e3ca9b8ff7f2a66333d06ad3ad535.exe	95
PID 392 wrote to memory of 4204	392	b41e3ca9b8ff7f2a66333d06ad3ad535.exe	95
PID 392 wrote to memory of 4204	392	b41e3ca9b8ff7f2a66333d06ad3ad535.exe	95
PID 392 wrote to memory of 4204	392	b41e3ca9b8ff7f2a66333d06ad3ad535.exe	95
PID 4204 wrote to memory of 1600	4204	b41e3ca9b8ff7f2a66333d06ad3ad535.exe	96
PID 4204 wrote to memory of 1600	4204	b41e3ca9b8ff7f2a66333d06ad3ad535.exe	96
PID 4204 wrote to memory of 1600	4204	b41e3ca9b8ff7f2a66333d06ad3ad535.exe	96
PID 4204 wrote to memory of 1600	4204	b41e3ca9b8ff7f2a66333d06ad3ad535.exe	96
PID 4204 wrote to memory of 1600	4204	b41e3ca9b8ff7f2a66333d06ad3ad535.exe	96
PID 4204 wrote to memory of 1600	4204	b41e3ca9b8ff7f2a66333d06ad3ad535.exe	96
PID 4204 wrote to memory of 1600	4204	b41e3ca9b8ff7f2a66333d06ad3ad535.exe	96
PID 4204 wrote to memory of 1600	4204	b41e3ca9b8ff7f2a66333d06ad3ad535.exe	96
PID 1600 wrote to memory of 800	1600	b41e3ca9b8ff7f2a66333d06ad3ad535.exe	10
PID 1600 wrote to memory of 4804	1600	b41e3ca9b8ff7f2a66333d06ad3ad535.exe	98
PID 1600 wrote to memory of 4804	1600	b41e3ca9b8ff7f2a66333d06ad3ad535.exe	98
PID 1600 wrote to memory of 4804	1600	b41e3ca9b8ff7f2a66333d06ad3ad535.exe	98

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\b41e3ca9b8ff7f2a66333d06ad3ad535.exe
"C:\Users\Admin\AppData\Local\Temp\b41e3ca9b8ff7f2a66333d06ad3ad535.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Local\Temp\b41e3ca9b8ff7f2a66333d06ad3ad535.exe
  "C:\Users\Admin\AppData\Local\Temp\b41e3ca9b8ff7f2a66333d06ad3ad535.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Users\Admin\AppData\Local\Temp\b41e3ca9b8ff7f2a66333d06ad3ad535.exe
    "C:\Users\Admin\AppData\Local\Temp\b41e3ca9b8ff7f2a66333d06ad3ad535.exe"
    3⤵
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" %1
      4⤵
      PID:4804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4392 --field-trial-handle=2972,i,4036376905309803364,5412922217215781933,262144 --variations-seed-version /prefetch:8
1⤵
PID:3812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\msdump150auro.tmp

Filesize
2KB

MD5
3880aef024abe7cca3ecb15767f421d0

SHA1
926a21081dd46c9b45b167f3a546289dd0fc7a70

SHA256
af98bc11be94606f859b595fdd977f904c3cba2a48017fdcf54c3b6170534811

SHA512
f0f5acee55bb65d0e26d9e89e118c9399347bfcd56039e140af904aa5dffe519c13bff47bc1bfa08163ddab1b6712e6867f18379b878a7623b4b1d030a26c15e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdl6C27.tmp

Filesize
6KB

MD5
4a5d40779b2c672e6c77881260f26637

SHA1
1dd8a52d38df5412243341e0232bc4ba4ce25324

SHA256
293dbcc1e11c7bb384910870ea566eed55831439e929e9d83cf8c738c361fee3

SHA512
28c8959225adaa065935bcb72523c02a80d2e57dc029df2ef8a4b346647c6b9747ea62990732f04b5c960c5d35c592840faf3cfdb6d8d9b6d766eed92380e709

Download Submit
memory/1600-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1600-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1600-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1600-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1600-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1600-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1600-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1600-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4204-7-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4204-12-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4204-6-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4204-4-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads