711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4

General

Target

711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
Size

40KB
MD5

14e89bb590360f5b84a0d085962926c0
SHA1

0d5d0738db41cc9ab2ca0d59ae066754c3975d7b
SHA256

711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4
SHA512

ce0605600c3608466e6c11a50fcb31670c4064d369c4c6595eabb4226ddd0d0f46ac37eb6c2f6df231db3ac67fb91309c59ab41744faac00eb51a12a577f06ba
SSDEEP

768:yHPXwaMzQ/+Itw0HBsTBkbHrHXd4fCJcEHwzOx0vc:yvD/bsTB4bqh1vc

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exeAdmin.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Admin.exe

Executes dropped EXE 1 IoCs

Processes:

Admin.exe

pid process

2160 Admin.exe

pid	process
2160	Admin.exe

Loads dropped DLL 2 IoCs

Processes:

711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe

pid	process
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exeAdmin.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"	Admin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exeAdmin.exe

pid	process
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2160	Admin.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe
2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160	Admin.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exeAdmin.exe

pid process

2356 711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
2160 Admin.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe

description	pid	process	target process
PID 2356 wrote to memory of 2160	2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe	Admin.exe
PID 2356 wrote to memory of 2160	2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe	Admin.exe
PID 2356 wrote to memory of 2160	2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe	Admin.exe
PID 2356 wrote to memory of 2160	2356	711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe	Admin.exe

C:\Users\Admin\AppData\Local\Temp\711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe
"C:\Users\Admin\AppData\Local\Temp\711962329659043cc6ad7284ac9a5346092287d3a22de71e89aa8af6774d8fd4.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2356

C:\Users\Admin\Admin.exe
"C:\Users\Admin\Admin.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2160

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\Admin.exe
Filesize
40KB

MD5
43dc8c13c047bc9aebfe86cf603fdada

SHA1
81e0c5542ae2627b901aba192b44a5197501551c

SHA256
7d210d5aa163b540caeb8584151b330ff19f59e18456ab9b5658bac13464d99b

SHA512
1c9a3c9d86f1da67bad4316291ec85baae1a5f19207d08a38e43d85135f23a4883dd30ef782fd5c50239b10904033186c6118a8f229facad2376b7d6e7347611

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads