622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464

General

Target

622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe
Size

22.1MB
MD5

eec7acb2566e097fd6b4315c16a83e8e
SHA1

c16df7bf24443f63b05bbe4cae7739eddb54bd1c
SHA256

622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464
SHA512

7f68df8015f650963b1498c635260e0a22e33af520c8d8abc02d047a085964c486c5ea21307bb53dbb87d0e8ccf7a97f933b15044348ca49114b4b4baef7afb2
SSDEEP

196608:baXjzQFURtw0xOwM2g02RtwN7wq1W6HqULS8djZDTaNNeCKVP5ORsgQf4RtwST:IfQFeS0xPM2g5SN8qU6GOjQoxasPySST

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Immersive_Updater_CP_1.exeImmersive_Updater_CP_1.exe

pid process

2196 Immersive_Updater_CP_1.exe
2936 Immersive_Updater_CP_1.exe

pid	process
2196	Immersive_Updater_CP_1.exe
2936	Immersive_Updater_CP_1.exe

Loads dropped DLL 6 IoCs

Processes:

622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe

pid	process
1428	622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe
1428	622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe
1428	622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe
1428	622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe
1428	622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe
1428	622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe

Modifies registry class 8 IoCs

Processes:

622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ChasePlane_v1_Presets\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe\" \"%1\""	622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\.cpp1	622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\.cpp1\ = "ChasePlane_v1_Presets"	622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ChasePlane_v1_Presets	622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ChasePlane_v1_Presets\ = "ChasePlane v1 Presets"	622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ChasePlane_v1_Presets\shell\open\command	622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ChasePlane_v1_Presets\shell	622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ChasePlane_v1_Presets\shell\open	622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exeImmersive_Updater_CP_1.exeImmersive_Updater_CP_1.exe

description	pid	process
Token: SeDebugPrivilege	1428	622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe
Token: SeDebugPrivilege	2196	Immersive_Updater_CP_1.exe
Token: SeDebugPrivilege	2936	Immersive_Updater_CP_1.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe

description	pid	process	target process
PID 1428 wrote to memory of 2196	1428	622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe	Immersive_Updater_CP_1.exe
PID 1428 wrote to memory of 2196	1428	622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe	Immersive_Updater_CP_1.exe
PID 1428 wrote to memory of 2936	1428	622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe	Immersive_Updater_CP_1.exe
PID 1428 wrote to memory of 2936	1428	622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe	Immersive_Updater_CP_1.exe

C:\Users\Admin\AppData\Local\Temp\622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe
"C:\Users\Admin\AppData\Local\Temp\622b6a79d716e260085c2f4620c468f35a8f34c93afefef72ec9803ceb92f464.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428

C:\Users\Admin\AppData\Local\Temp\85b75c4b-d98d-4de1-ae1d-78fa6833206d\Immersive_Updater_CP_1.exe
"C:\Users\Admin\AppData\Local\Temp\85b75c4b-d98d-4de1-ae1d-78fa6833206d\Immersive_Updater_CP_1.exe" isready silent "chaseplane|null|C:\Users\Admin\AppData\Local\Temp"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Users\Admin\AppData\Local\Temp\85b75c4b-d98d-4de1-ae1d-78fa6833206d\Immersive_Updater_CP_1.exe
"C:\Users\Admin\AppData\Local\Temp\85b75c4b-d98d-4de1-ae1d-78fa6833206d\Immersive_Updater_CP_1.exe" download silent "chaseplane|prod|C:\Users\Admin\AppData\Local\Temp"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Immersive_Updater_CP_1.exe.log

Filesize
2KB

MD5
7cfc32b57e4e56c20690515332517b6d

SHA1
f4cf7a52580a1c7d68f3874773855e4f1ae4c705

SHA256
7b11c494c05589bc52d358b64b78a4331a6f3c09763e659ee3a26e106f116e48

SHA512
86a0986fbe8b5bf9d66327af1857c2dab7c616f1c287397b25284946e1eb0802e257069c5d8754265786c123fc65a725a268a32476c4331d02929818d1a06da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e2f844d-613a-4e12-ae91-805483af6972\Microsoft.FlightSimulator.SimConnect.dll

Filesize
106KB

MD5
b9e0a00c2067cdf6b6e10a8f8225b3d0

SHA1
47f065036d771a560c4b3c52c4bb3cc04106f655

SHA256
68e153c1be4c24939dd0136052a22dde9c22e056ee6931bc2d5b408a508002c2

SHA512
854d07825549e0af96be8b70c1971460bbeacf9908e22bd642719359e5ac75f437ffeed47019f08704eb7b55283a1d5a93075b0e35276c6e31350b5a9ba22599

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e2f844d-613a-4e12-ae91-805483af6972\SlimDX.dll

Filesize
3.2MB

MD5
955ddb844ce2bf3d83990d0cfde4cd6a

SHA1
35da81e1decb21cb1c698035d5804379a0ebed21

SHA256
f23ec20aeaec149ba963d1fb03af3ea1585ccdf1ac207f315361a80ceaadcc05

SHA512
7392aeda6ef46458d5ecf8e56026c87fb37d46c2016ff39e988873ef8089abd1ec8ee976f4e23c09c1f0d1c9138556b77e17cae683202705a9bc8441724e4bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\85b75c4b-d98d-4de1-ae1d-78fa6833206d\Immersive_Updater_CP_1.exe

Filesize
3.2MB

MD5
37bf61c79b3bab0aadc74238777dda1d

SHA1
cfdc947f98fbfb8915692fab0f3b08488b762e50

SHA256
e215cca07bd868b59eafe1a397b20ec65723e6ea979de6a8849c2d7fd0972a1b

SHA512
3e5d3e68c541f17f61892d4c242eece19eab9e584a2f46eab532907a27ab9f1dba0eccedfd3b36110061c9a852791a6e582115dc12d0a8bb0aebb9dcfc306a6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\85b75c4b-d98d-4de1-ae1d-78fa6833206d\Immersive_Updater_Log.txt

Filesize
330B

MD5
af98a85a22cee9343f2d859b06e8c648

SHA1
6d6cf3cfe83393624ed72db2fe1894df31379029

SHA256
8f2c969d5fea922534600057da729c2d8534c52d72635b5e916cba684b1c09de

SHA512
407e09b897178e6970240d687cb53e8ccbd527e5101f0d08371a17ca00f37f3a42d1bae63ccc93453e12d7b536198917a1cdc7244d9c533f7a6b74201fa36286

Download Submit
memory/1428-67-0x0000000008650000-0x00000000086B6000-memory.dmp

Filesize
408KB

Download
memory/1428-32-0x0000000007AC0000-0x0000000007B6A000-memory.dmp

Filesize
680KB

Download
memory/1428-77-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/1428-50-0x00000000083F0000-0x000000000840E000-memory.dmp

Filesize
120KB

Download
memory/1428-51-0x0000000008430000-0x0000000008442000-memory.dmp

Filesize
72KB

Download
memory/1428-52-0x00000000083F0000-0x00000000083F8000-memory.dmp

Filesize
32KB

Download
memory/1428-53-0x0000000008410000-0x000000000841A000-memory.dmp

Filesize
40KB

Download
memory/1428-54-0x0000000008450000-0x000000000846D000-memory.dmp

Filesize
116KB

Download
memory/1428-4-0x0000000006830000-0x0000000006886000-memory.dmp

Filesize
344KB

Download
memory/1428-3-0x00000000069A0000-0x0000000006B62000-memory.dmp

Filesize
1.8MB

Download
memory/1428-59-0x0000000008470000-0x000000000848D000-memory.dmp

Filesize
116KB

Download
memory/1428-66-0x0000000008B50000-0x00000000090F4000-memory.dmp

Filesize
5.6MB

Download
memory/1428-29-0x0000000007790000-0x000000000784E000-memory.dmp

Filesize
760KB

Download
memory/1428-30-0x0000000007610000-0x0000000007622000-memory.dmp

Filesize
72KB

Download
memory/1428-31-0x0000000007620000-0x0000000007628000-memory.dmp

Filesize
32KB

Download
memory/1428-5-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/1428-34-0x0000000007B90000-0x0000000007ECF000-memory.dmp

Filesize
3.2MB

Download
memory/1428-33-0x0000000007B80000-0x0000000007B90000-memory.dmp

Filesize
64KB

Download
memory/1428-2-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/1428-39-0x0000000007F80000-0x00000000082BF000-memory.dmp

Filesize
3.2MB

Download
memory/1428-1-0x00000000005F0000-0x0000000001C06000-memory.dmp

Filesize
22.1MB

Download
memory/1428-68-0x0000000008740000-0x00000000087B6000-memory.dmp

Filesize
472KB

Download
memory/1428-0-0x000000007470E000-0x000000007470F000-memory.dmp

Filesize
4KB

Download
memory/2196-17-0x00007FF9EAA50000-0x00007FF9EB511000-memory.dmp

Filesize
10.8MB

Download
memory/2196-14-0x0000015D55430000-0x0000015D5569E000-memory.dmp

Filesize
2.4MB

Download
memory/2196-13-0x0000015D3B390000-0x0000015D3B440000-memory.dmp

Filesize
704KB

Download
memory/2196-12-0x00007FF9EAA50000-0x00007FF9EB511000-memory.dmp

Filesize
10.8MB

Download
memory/2196-11-0x0000015D392D0000-0x0000015D39608000-memory.dmp

Filesize
3.2MB

Download
memory/2196-10-0x00007FF9EAA53000-0x00007FF9EAA55000-memory.dmp

Filesize
8KB

Download
memory/2936-25-0x00000250CE920000-0x00000250CE92A000-memory.dmp

Filesize
40KB

Download
memory/2936-24-0x00000250CE950000-0x00000250CE962000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads