bbe62fe37e8a3396b695f72f718f3a3920b1d0f37c5bcefe5da63d7edad3cdd8

General

Target

bbe62fe37e8a3396b695f72f718f3a3920b1d0f37c5bcefe5da63d7edad3cdd8.exe
Size

318KB
MD5

dbf3b7e191cefe9697baff986c670ec4
SHA1

f25c538d696d2b15af4207728d4594bb8f0d3e2b
SHA256

bbe62fe37e8a3396b695f72f718f3a3920b1d0f37c5bcefe5da63d7edad3cdd8
SHA512

01e8d1de644705842c40e9b67bbe80fe17362b3b8c3b7b6715b9171f998b29e30f58fccf90513a1bd2dba35fbc1f61eccb67baa6fbd1c9394cefe14db9db1ea2
SSDEEP

6144:QKXckLFdaY0yFTL4nLLuB4tiUGYxKMe8uCl3s:vWryFTkuYxhxuCl3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 19 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "12,0,19041,1266"	bbe62fe37e8a3396b695f72f718f3a3920b1d0f37c5bcefe5da63d7edad3cdd8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	bbe62fe37e8a3396b695f72f718f3a3920b1d0f37c5bcefe5da63d7edad3cdd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "12,0,19041,1266"	bbe62fe37e8a3396b695f72f718f3a3920b1d0f37c5bcefe5da63d7edad3cdd8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}	bbe62fe37e8a3396b695f72f718f3a3920b1d0f37c5bcefe5da63d7edad3cdd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}\Version = "12,0,19041,1266"	bbe62fe37e8a3396b695f72f718f3a3920b1d0f37c5bcefe5da63d7edad3cdd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "12,0,19041,1266"	bbe62fe37e8a3396b695f72f718f3a3920b1d0f37c5bcefe5da63d7edad3cdd8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "12,0,19041,1266"	bbe62fe37e8a3396b695f72f718f3a3920b1d0f37c5bcefe5da63d7edad3cdd8.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}	bbe62fe37e8a3396b695f72f718f3a3920b1d0f37c5bcefe5da63d7edad3cdd8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}\Version = "12,0,19041,1266"	bbe62fe37e8a3396b695f72f718f3a3920b1d0f37c5bcefe5da63d7edad3cdd8.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	bbe62fe37e8a3396b695f72f718f3a3920b1d0f37c5bcefe5da63d7edad3cdd8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}	bbe62fe37e8a3396b695f72f718f3a3920b1d0f37c5bcefe5da63d7edad3cdd8.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}	bbe62fe37e8a3396b695f72f718f3a3920b1d0f37c5bcefe5da63d7edad3cdd8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}\Version = "12,0,19041,1266"	bbe62fe37e8a3396b695f72f718f3a3920b1d0f37c5bcefe5da63d7edad3cdd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}\Version = "12,0,19041,1266"	bbe62fe37e8a3396b695f72f718f3a3920b1d0f37c5bcefe5da63d7edad3cdd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}\	bbe62fe37e8a3396b695f72f718f3a3920b1d0f37c5bcefe5da63d7edad3cdd8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}	bbe62fe37e8a3396b695f72f718f3a3920b1d0f37c5bcefe5da63d7edad3cdd8.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}	bbe62fe37e8a3396b695f72f718f3a3920b1d0f37c5bcefe5da63d7edad3cdd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ = "Microsoft Windows Media Player 12.0"	bbe62fe37e8a3396b695f72f718f3a3920b1d0f37c5bcefe5da63d7edad3cdd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "12,0,19041,1266"	bbe62fe37e8a3396b695f72f718f3a3920b1d0f37c5bcefe5da63d7edad3cdd8.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\wmsetup.log	bbe62fe37e8a3396b695f72f718f3a3920b1d0f37c5bcefe5da63d7edad3cdd8.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA4E3DA0-D07D-11d0-BD50-00A0C911CE86}\Instance\{083863F1-70DE-11d0-BD40-00A0C911CE86}	bbe62fe37e8a3396b695f72f718f3a3920b1d0f37c5bcefe5da63d7edad3cdd8.exe

C:\Users\Admin\AppData\Local\Temp\bbe62fe37e8a3396b695f72f718f3a3920b1d0f37c5bcefe5da63d7edad3cdd8.exe
"C:\Users\Admin\AppData\Local\Temp\bbe62fe37e8a3396b695f72f718f3a3920b1d0f37c5bcefe5da63d7edad3cdd8.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Modifies registry class
PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2028-0-0x0000000000960000-0x00000000009BA000-memory.dmp

Filesize
360KB

Download
memory/2028-2-0x0000000000960000-0x00000000009BA000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads