4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57

General

Target

4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe
Size

179KB
MD5

98a799292c19a8c66ca9644e10f7446a
SHA1

29387fc643e7e01fa1a5cec718b1e784d8248825
SHA256

4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57
SHA512

73ad05fb47220219dbbf200704015c5d309ead4df5474dab839bc1f7968302c7757553f2cf22b4637ce2e0d2d6ec8995a370530aed79e216d5b79f00ca26891a
SSDEEP

3072:XXTTASJKf2n5AxE2NpxOa2XdU2QF4s5XgIDFyHb8kHofL/09rGB:XvASJKenie2xT2NU2OTFQb8Fb0IB

Score

9^/10

persistence

Malware Config

Signatures

Detects executables packed with aPLib. 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2076-0-0x0000000000840000-0x0000000000870000-memory.dmp	INDICATOR_EXE_Packed_aPLib
behavioral1/memory/2076-270-0x0000000000840000-0x0000000000870000-memory.dmp	INDICATOR_EXE_Packed_aPLib

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelPowerAgent5 = "rundll32.exe shell32.dll, ShellExec_RunDLL C:\\PROGRA~3\\F604D4~1.EXE"	svchost.exe

Checks for any installed AV software in registry 1 TTPs 3 IoCs

Security Software Discovery

T1518.001

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Eset\Nod	svchost.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Avira	svchost.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\AVAST Software\Avast	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe

description	pid	process	target process
PID 2076 set thread context of 2252	2076	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	process
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe
2252	svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe

description	pid	process	target process
PID 2076 wrote to memory of 2252	2076	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	svchost.exe
PID 2076 wrote to memory of 2252	2076	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	svchost.exe
PID 2076 wrote to memory of 2252	2076	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	svchost.exe
PID 2076 wrote to memory of 2252	2076	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	svchost.exe
PID 2076 wrote to memory of 2252	2076	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	svchost.exe
PID 2076 wrote to memory of 2252	2076	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	svchost.exe
PID 2076 wrote to memory of 2252	2076	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	svchost.exe
PID 2076 wrote to memory of 2252	2076	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	svchost.exe
PID 2076 wrote to memory of 2252	2076	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	svchost.exe
PID 2076 wrote to memory of 2252	2076	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	svchost.exe
PID 2076 wrote to memory of 2252	2076	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	svchost.exe
PID 2076 wrote to memory of 2252	2076	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	svchost.exe
PID 2076 wrote to memory of 2352	2076	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	cmd.exe
PID 2076 wrote to memory of 2352	2076	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	cmd.exe
PID 2076 wrote to memory of 2352	2076	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	cmd.exe
PID 2076 wrote to memory of 2352	2076	4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe
"C:\Users\Admin\AppData\Local\Temp\4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\SysWOW64\svchost.exe
  C:\ProgramData\f604d4fj2.exe
  2⤵
  - Adds Run key to start application
  - Checks for any installed AV software in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2252
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\phlEA56.tmp.bat" "C:\Users\Admin\AppData\Local\Temp\4489807521e3507dc2955009ecfd2ec9e2545ad0d4958cd85c52442a450e6e57.exe""
  2⤵
  PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Software Discovery

1

T1518

Security Software Discovery

1

T1518.001

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\phlEA56.tmp.bat

Filesize
35B

MD5
d36f6dfc8a95338e43a07ff47d0b9825

SHA1
5d167e2630e909af7a4ad4d7834346e562ae2820

SHA256
855e7677f6210ec52cf77332234b62520a9910585e12cb6f6fdecd4c2884db52

SHA512
f3cdf76acdfd396dd768c1487040fc450191737afe0244f70e50675b5152480eefb5e8bd2e63e97c6d33999bf4ad64c312aeda2db09f108fb64abd9ba46ee8f7

Download Submit
memory/2076-0-0x0000000000840000-0x0000000000870000-memory.dmp

Filesize
192KB

Download
memory/2076-270-0x0000000000840000-0x0000000000870000-memory.dmp

Filesize
192KB

Download
memory/2252-7-0x0000000000200000-0x0000000000276000-memory.dmp

Filesize
472KB

Download
memory/2252-2-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2252-11-0x0000000000200000-0x0000000000276000-memory.dmp

Filesize
472KB

Download
memory/2252-10-0x0000000000200000-0x0000000000276000-memory.dmp

Filesize
472KB

Download
memory/2252-9-0x0000000000200000-0x0000000000276000-memory.dmp

Filesize
472KB

Download
memory/2252-8-0x0000000000200000-0x0000000000276000-memory.dmp

Filesize
472KB

Download
memory/2252-5-0x0000000000200000-0x0000000000276000-memory.dmp

Filesize
472KB

Download
memory/2252-4-0x0000000000200000-0x0000000000276000-memory.dmp

Filesize
472KB

Download
memory/2252-3-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2252-6-0x0000000000200000-0x0000000000276000-memory.dmp

Filesize
472KB

Download
memory/2252-304-0x0000000000200000-0x0000000000276000-memory.dmp

Filesize
472KB

Download
memory/2252-308-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2252-302-0x0000000000200000-0x0000000000276000-memory.dmp

Filesize
472KB

Download
memory/2252-309-0x0000000000200000-0x0000000000276000-memory.dmp

Filesize
472KB

Download
memory/2252-311-0x0000000000200000-0x0000000000276000-memory.dmp

Filesize
472KB

Download
memory/2252-314-0x0000000000200000-0x0000000000276000-memory.dmp

Filesize
472KB

Download
memory/2252-310-0x0000000000200000-0x0000000000276000-memory.dmp

Filesize
472KB

Download
memory/2252-319-0x0000000000200000-0x0000000000276000-memory.dmp

Filesize
472KB

Download
memory/2252-323-0x0000000000200000-0x0000000000276000-memory.dmp

Filesize
472KB

Download
memory/2252-325-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads