810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2

General

Target

810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe
Size

248KB
MD5

d1f07c905d2c43bbcdea50865ba1d339
SHA1

293af802fa872d5dda872543fbf86a77a0f14a64
SHA256

810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2
SHA512

acce0cf5d358f1f2f9bf1cbebae71072db07e2138fdad146acf332c8d711ea35e883d09981b121870c80e89aa127a0ebe259a04d017c538bbee938bbb4675fa8
SSDEEP

6144:GaLo6CHVhucTtjFg8UAD000332HjL8kwrniR3vDGObbV:GWo6UugFg8Ps32DLgIT5

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

bitsfmon.exe~D4A.tmpRegicont.exe

pid process

2380 bitsfmon.exe
2292 ~D4A.tmp
2616 Regicont.exe

Loads dropped DLL 3 IoCs

Processes:

810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exebitsfmon.exe

pid	process
2956	810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe
2956	810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe
2380	bitsfmon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Regidctr = "C:\\Users\\Admin\\AppData\\Roaming\\ciphpugc\\bitsfmon.exe"	810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe

Drops file in System32 directory 1 IoCs

Processes:

810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe

description ioc process

File created C:\Windows\SysWOW64\Regicont.exe 810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2060 2956 WerFault.exe 810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Regicont.exe	810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe

pid	pid_target	process	target process
2060	2956	WerFault.exe	810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bitsfmon.exeExplorer.EXERegicont.exe

pid	process
2380	bitsfmon.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE
2616	Regicont.exe
1380	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bitsfmon.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 2380 bitsfmon.exe
Token: SeShutdownPrivilege 1380 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2380	bitsfmon.exe
Token: SeShutdownPrivilege	1380	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exebitsfmon.exe~D4A.tmp

description	pid	process	target process
PID 2956 wrote to memory of 2380	2956	810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe	bitsfmon.exe
PID 2956 wrote to memory of 2380	2956	810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe	bitsfmon.exe
PID 2956 wrote to memory of 2380	2956	810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe	bitsfmon.exe
PID 2956 wrote to memory of 2380	2956	810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe	bitsfmon.exe
PID 2380 wrote to memory of 2292	2380	bitsfmon.exe	~D4A.tmp
PID 2380 wrote to memory of 2292	2380	bitsfmon.exe	~D4A.tmp
PID 2380 wrote to memory of 2292	2380	bitsfmon.exe	~D4A.tmp
PID 2380 wrote to memory of 2292	2380	bitsfmon.exe	~D4A.tmp
PID 2292 wrote to memory of 1380	2292	~D4A.tmp	Explorer.EXE
PID 2956 wrote to memory of 2060	2956	810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe	WerFault.exe
PID 2956 wrote to memory of 2060	2956	810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe	WerFault.exe
PID 2956 wrote to memory of 2060	2956	810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe	WerFault.exe
PID 2956 wrote to memory of 2060	2956	810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe	WerFault.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Users\Admin\AppData\Local\Temp\810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe
"C:\Users\Admin\AppData\Local\Temp\810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2956

C:\Users\Admin\AppData\Roaming\ciphpugc\bitsfmon.exe
"C:\Users\Admin\AppData\Roaming\ciphpugc"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380

C:\Users\Admin\AppData\Local\Temp\~D4A.tmp
1380 254472 2380 1
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 252
3⤵
- Program crash
PID:2060

C:\Windows\SysWOW64\Regicont.exe
C:\Windows\SysWOW64\Regicont.exe -s
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2616

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\~D4A.tmp
Filesize
8KB

MD5
aac3165ece2959f39ff98334618d10d9

SHA1
020a191bfdc70c1fbd3bf74cd7479258bd197f51

SHA256
96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974

SHA512
9eb876812a6a13dd4b090788c2b1d9e9a2e25370598ed5c040f82e6f378edc4b78d58bc8f60d5a559ea57b1edcf3a144bfe09454a9928997173db8279d5b40cf

Download Submit
\Users\Admin\AppData\Roaming\ciphpugc\bitsfmon.exe
Filesize
248KB

MD5
1d4b5dd3323b80ed9f00b07978ed5e8b

SHA1
f4b1da0957c6b77afa42d1e47c94ce925747e92e

SHA256
85c17e4a4e9f1bea1b065d9d09679d7da5ae808ff8fa7bdb2281d45cc09588e5

SHA512
deab752fc5ad926d2abcb3128ecfe73fc39b4331734725fd82e9eec747caea36b21ae0d31de29ab3b300a9ff2d2e7457ef1847800d24a4446dd1d76ec07ae41b

Download Submit
memory/1380-27-0x0000000002AC0000-0x0000000002ACD000-memory.dmp

Filesize
52KB

Download
memory/1380-25-0x00000000025C0000-0x00000000025C6000-memory.dmp

Filesize
24KB

Download
memory/1380-22-0x0000000002470000-0x00000000024BE000-memory.dmp

Filesize
312KB

Download
memory/1380-20-0x0000000002470000-0x00000000024BE000-memory.dmp

Filesize
312KB

Download
memory/1380-21-0x0000000002470000-0x00000000024BE000-memory.dmp

Filesize
312KB

Download
memory/2380-15-0x0000000000180000-0x00000000001C8000-memory.dmp

Filesize
288KB

Download
memory/2380-16-0x0000000000210000-0x0000000000216000-memory.dmp

Filesize
24KB

Download
memory/2380-30-0x0000000001310000-0x0000000001352000-memory.dmp

Filesize
264KB

Download
memory/2616-32-0x0000000000140000-0x0000000000188000-memory.dmp

Filesize
288KB

Download
memory/2616-35-0x0000000000190000-0x0000000000196000-memory.dmp

Filesize
24KB

Download
memory/2616-36-0x0000000000080000-0x0000000000086000-memory.dmp

Filesize
24KB

Download
memory/2616-34-0x0000000000080000-0x0000000000086000-memory.dmp

Filesize
24KB

Download
memory/2616-33-0x0000000001250000-0x0000000001292000-memory.dmp

Filesize
264KB

Download
memory/2616-39-0x0000000000140000-0x0000000000188000-memory.dmp

Filesize
288KB

Download
memory/2616-40-0x0000000000080000-0x0000000000086000-memory.dmp

Filesize
24KB

Download
memory/2956-0-0x0000000000C20000-0x0000000000C62000-memory.dmp

Filesize
264KB

Download
memory/2956-11-0x0000000000B90000-0x0000000000BD2000-memory.dmp

Filesize
264KB

Download
memory/2956-1-0x0000000000300000-0x0000000000348000-memory.dmp

Filesize
288KB

Download
memory/2956-6-0x0000000000B90000-0x0000000000BD2000-memory.dmp

Filesize
264KB

Download
memory/2956-37-0x0000000000300000-0x0000000000348000-memory.dmp

Filesize
288KB

Download
memory/2956-38-0x0000000000B90000-0x0000000000BD2000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads