a582fccd5a016774f4d79fd5f4525bc5cb8977febbd7f46b5df34b5afc1bf32f

General

Target

cbc0e74c2908c074ab402b83351a007c.exe
Size

373KB
MD5

cbc0e74c2908c074ab402b83351a007c
SHA1

3ee2ec6b7aca22aa2c4b8a616f07b4edb13b3af1
SHA256

a582fccd5a016774f4d79fd5f4525bc5cb8977febbd7f46b5df34b5afc1bf32f
SHA512

cba05be39521216bb2deb73410c854274bbfa93fcd5d9afbcc86a4276b7c108f65d2835f298de0645bfdcf326e0a137e850ab5d1ee62407d95f6f1fdd9f5dd8a
SSDEEP

6144:+4AIrKm6YvgysddoRAwFij4RxXgxOm0miaYZc0h4zIjrYmN146Rrl:vymJvgysd2+AXXUR7iaYh5jrb1RJ

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll16.dll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cbc0e74c2908c074ab402b83351a007c.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2604	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2588	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2972	cbc0e74c2908c074ab402b83351a007c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2520	2972	cbc0e74c2908c074ab402b83351a007c.exe	28
PID 2972 wrote to memory of 2520	2972	cbc0e74c2908c074ab402b83351a007c.exe	28
PID 2972 wrote to memory of 2520	2972	cbc0e74c2908c074ab402b83351a007c.exe	28
PID 2972 wrote to memory of 2520	2972	cbc0e74c2908c074ab402b83351a007c.exe	28
PID 2520 wrote to memory of 2588	2520	cmd.exe	30
PID 2520 wrote to memory of 2588	2520	cmd.exe	30
PID 2520 wrote to memory of 2588	2520	cmd.exe	30
PID 2520 wrote to memory of 2588	2520	cmd.exe	30
PID 2520 wrote to memory of 2604	2520	cmd.exe	31
PID 2520 wrote to memory of 2604	2520	cmd.exe	31
PID 2520 wrote to memory of 2604	2520	cmd.exe	31
PID 2520 wrote to memory of 2604	2520	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\cbc0e74c2908c074ab402b83351a007c.exe
"C:\Users\Admin\AppData\Local\Temp\cbc0e74c2908c074ab402b83351a007c.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\IMPORTANT_AUTOSAVE.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ /f /v rundll16.dll /d C:\Users\Admin\AppData\Local\Temp\cbc0e74c2908c074ab402b83351a007c.exe
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2588
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /F /IM explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IMPORTANT_AUTOSAVE.cmd

Filesize
195B

MD5
709ffb94359a25e49bcf88f623aa8c1c

SHA1
accf8daab523d569e5444d43f1eaba0b5b38de9c

SHA256
06179735acf8d8669b3e8eb79566691b07aa9dee2adad283a183751cd8a3d205

SHA512
27942f41f62eb0961e51ae6dc0217032b5f3201fb353787de8652d826529d9ad9f62b8e200f4f7bb56a79b22fdb9c55e29db0a4b30f97d7407c20d2d21225403

Download Submit
memory/2972-16-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2972-19-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2972-11-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2972-12-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2972-13-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2972-14-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2972-10-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2972-17-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2972-15-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2972-18-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2972-1-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2972-20-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2972-21-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2972-22-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2972-23-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads