810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2

General

Target

810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe
Size

248KB
MD5

d1f07c905d2c43bbcdea50865ba1d339
SHA1

293af802fa872d5dda872543fbf86a77a0f14a64
SHA256

810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2
SHA512

acce0cf5d358f1f2f9bf1cbebae71072db07e2138fdad146acf332c8d711ea35e883d09981b121870c80e89aa127a0ebe259a04d017c538bbee938bbb4675fa8
SSDEEP

6144:GaLo6CHVhucTtjFg8UAD000332HjL8kwrniR3vDGObbV:GWo6UugFg8Ps32DLgIT5

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

lodcayed.exechkntugc.exe~4B90.tmp

pid process

1332 lodcayed.exe
1492 chkntugc.exe
4392 ~4B90.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cacltreq = "C:\\Users\\Admin\\AppData\\Roaming\\Netpsmon\\lodcayed.exe"	810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe

Drops file in System32 directory 1 IoCs

Processes:

810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe

description ioc process

File created C:\Windows\SysWOW64\chkntugc.exe 810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

552 4472 WerFault.exe 810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe

description	ioc	process
File created	C:\Windows\SysWOW64\chkntugc.exe	810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe

pid	pid_target	process	target process
552	4472	WerFault.exe	810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

lodcayed.exeExplorer.EXEchkntugc.exe

pid	process
1332	lodcayed.exe
1332	lodcayed.exe
3480	Explorer.EXE
1492	chkntugc.exe
3480	Explorer.EXE
1492	chkntugc.exe
3480	Explorer.EXE
1492	chkntugc.exe
3480	Explorer.EXE
1492	chkntugc.exe
3480	Explorer.EXE
1492	chkntugc.exe
1492	chkntugc.exe
3480	Explorer.EXE
3480	Explorer.EXE
1492	chkntugc.exe
3480	Explorer.EXE
1492	chkntugc.exe
3480	Explorer.EXE
1492	chkntugc.exe
1492	chkntugc.exe
3480	Explorer.EXE
3480	Explorer.EXE
1492	chkntugc.exe
1492	chkntugc.exe
3480	Explorer.EXE
1492	chkntugc.exe
3480	Explorer.EXE
1492	chkntugc.exe
3480	Explorer.EXE
3480	Explorer.EXE
1492	chkntugc.exe
1492	chkntugc.exe
3480	Explorer.EXE
3480	Explorer.EXE
1492	chkntugc.exe
1492	chkntugc.exe
3480	Explorer.EXE
3480	Explorer.EXE
1492	chkntugc.exe
1492	chkntugc.exe
3480	Explorer.EXE
3480	Explorer.EXE
1492	chkntugc.exe
3480	Explorer.EXE
1492	chkntugc.exe
3480	Explorer.EXE
1492	chkntugc.exe
3480	Explorer.EXE
1492	chkntugc.exe
3480	Explorer.EXE
1492	chkntugc.exe
1492	chkntugc.exe
3480	Explorer.EXE
3480	Explorer.EXE
1492	chkntugc.exe
3480	Explorer.EXE
1492	chkntugc.exe
3480	Explorer.EXE
1492	chkntugc.exe
1492	chkntugc.exe
3480	Explorer.EXE
1492	chkntugc.exe
3480	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

lodcayed.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1332	lodcayed.exe
Token: SeShutdownPrivilege	3480	Explorer.EXE
Token: SeCreatePagefilePrivilege	3480	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3480 Explorer.EXE

pid	process
3480	Explorer.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exelodcayed.exe~4B90.tmp

description	pid	process	target process
PID 4472 wrote to memory of 1332	4472	810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe	lodcayed.exe
PID 4472 wrote to memory of 1332	4472	810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe	lodcayed.exe
PID 4472 wrote to memory of 1332	4472	810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe	lodcayed.exe
PID 1332 wrote to memory of 4392	1332	lodcayed.exe	~4B90.tmp
PID 1332 wrote to memory of 4392	1332	lodcayed.exe	~4B90.tmp
PID 4392 wrote to memory of 3480	4392	~4B90.tmp	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3480

C:\Users\Admin\AppData\Local\Temp\810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe
"C:\Users\Admin\AppData\Local\Temp\810028a166226b95b0ec8c31176f243560151aa526096da183f291dee26350b2.exe"
2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4472

C:\Users\Admin\AppData\Roaming\Netpsmon\lodcayed.exe
"C:\Users\Admin\AppData\Roaming\Netpsmon"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332

C:\Users\Admin\AppData\Local\Temp\~4B90.tmp
3480 254472 1332 1
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 624
3⤵
- Program crash
PID:552

C:\Windows\SysWOW64\chkntugc.exe
C:\Windows\SysWOW64\chkntugc.exe -s
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4472 -ip 4472
1⤵
PID:2708

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~4B90.tmp
Filesize
8KB

MD5
aac3165ece2959f39ff98334618d10d9

SHA1
020a191bfdc70c1fbd3bf74cd7479258bd197f51

SHA256
96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974

SHA512
9eb876812a6a13dd4b090788c2b1d9e9a2e25370598ed5c040f82e6f378edc4b78d58bc8f60d5a559ea57b1edcf3a144bfe09454a9928997173db8279d5b40cf

Download Submit
C:\Users\Admin\AppData\Roaming\Netpsmon\lodcayed.exe
Filesize
248KB

MD5
8d6cc60f274db01354e4fea82284f99b

SHA1
c693dc8b5b9cb85dba48cb407074fe0b2b1ba0b7

SHA256
47e722a4242112be48dcffbe96b89fd318f1901755381a9803ea9a47166d4c82

SHA512
7f5788d70254ae1b484553d54b68021278ae3b87610a25cd0889448da126b248ff0b1753245f65a9d82524b2fdc9b868016232e420c56baa1c3aee5f63b56285

Download Submit
memory/1332-14-0x0000000001460000-0x0000000001466000-memory.dmp

Filesize
24KB

Download
memory/1332-8-0x0000000000FB0000-0x0000000000FF8000-memory.dmp

Filesize
288KB

Download
memory/1332-7-0x0000000000E40000-0x0000000000E82000-memory.dmp

Filesize
264KB

Download
memory/1492-29-0x0000000000EE0000-0x0000000000EE6000-memory.dmp

Filesize
24KB

Download
memory/1492-13-0x00000000007B0000-0x00000000007F2000-memory.dmp

Filesize
264KB

Download
memory/1492-34-0x0000000000E40000-0x0000000000E46000-memory.dmp

Filesize
24KB

Download
memory/1492-15-0x0000000000990000-0x00000000009D8000-memory.dmp

Filesize
288KB

Download
memory/1492-16-0x0000000000E40000-0x0000000000E46000-memory.dmp

Filesize
24KB

Download
memory/1492-23-0x0000000000E40000-0x0000000000E46000-memory.dmp

Filesize
24KB

Download
memory/3480-19-0x0000000003450000-0x000000000349E000-memory.dmp

Filesize
312KB

Download
memory/3480-28-0x0000000003450000-0x000000000349E000-memory.dmp

Filesize
312KB

Download
memory/3480-31-0x0000000003520000-0x000000000352D000-memory.dmp

Filesize
52KB

Download
memory/3480-30-0x0000000003030000-0x0000000003036000-memory.dmp

Filesize
24KB

Download
memory/4472-1-0x0000000000D80000-0x0000000000DC8000-memory.dmp

Filesize
288KB

Download
memory/4472-0-0x0000000000DD0000-0x0000000000E12000-memory.dmp

Filesize
264KB

Download
memory/4472-32-0x0000000000D80000-0x0000000000DC8000-memory.dmp

Filesize
288KB

Download
memory/4472-33-0x0000000000DD0000-0x0000000000E12000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads