13275c057816e8a845780f7efc56f71d9eb0d82872fe4f2999a875eed4a24dc1

General

Target

0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360.exe
Size

1.8MB
MD5

9d6952511e6a30db9be4d220f5394ee6
SHA1

1d3ae6db2237ff37a800f8ddc0330c6ec9d452e7
SHA256

0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360
SHA512

99fee4d6fc9a3ae839ce24a2761e30f4836cca1fab8b9ddb6b7caaeabd247ba97b96760a312089e1046b5ed8c9712acc148b67fe5799bcdecc7399fe40db83da
SSDEEP

49152:FHMSCqHxPO8Xm7DujgFatRnwMgnCBT9H4yXD3x1gYoddux:FHMSC0xPO8Xm7DujonMgkB4yXt1gZSx

Score

8^/10

discovery persistence

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

hdata.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\System32\\cmd.exe"	hdata.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	hdata.exe

Executes dropped EXE 2 IoCs

Processes:

hdata.exewindiag.exe

pid	Process
1664	hdata.exe
2620	windiag.exe

Loads dropped DLL 3 IoCs

Processes:

0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360.exe

pid	Process
2556	0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360.exe
2556	0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360.exe
2556	0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

hdata.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemFix = "C:\\windows\\windiag.exe"	hdata.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
4	checkip.dyndns.com

Drops file in Program Files directory 4 IoCs

Processes:

0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360.exe

description	ioc	Process
File created	C:\Program Files (x86)\Cronsee\Cronsee.exe	0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360.exe
File created	C:\Program Files (x86)\Cronsee\CircularProgressBar.dll	0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360.exe
File created	C:\Program Files (x86)\Cronsee\VTRegScan.dll	0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360.exe
File created	C:\Program Files (x86)\Cronsee\uninst.exe	0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360.exe

Drops file in Windows directory 9 IoCs

Processes:

0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360.exe

description	ioc	Process
File created	C:\Windows\scann.exe	0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360.exe
File created	C:\Windows\windiag.exe	0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360.exe
File created	C:\Windows\Update.exe	0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360.exe
File created	C:\Windows\watcher.exe	0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360.exe
File created	C:\Windows\keywords.txt	0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360.exe
File created	C:\Windows\winalert.exe	0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360.exe
File created	C:\Windows\ActivationError.exe	0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360.exe
File created	C:\Windows\hdata.exe	0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360.exe
File created	C:\Windows\sc.bat	0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2416	schtasks.exe
1128	schtasks.exe
1984	schtasks.exe
864	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

hdata.exe

description	pid	Process
Token: SeDebugPrivilege	1664	hdata.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360.exehdata.execmd.exe

description	pid	Process	procid_target
PID 2556 wrote to memory of 1664	2556	0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360.exe	31
PID 2556 wrote to memory of 1664	2556	0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360.exe	31
PID 2556 wrote to memory of 1664	2556	0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360.exe	31
PID 2556 wrote to memory of 1664	2556	0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360.exe	31
PID 1664 wrote to memory of 1108	1664	hdata.exe	32
PID 1664 wrote to memory of 1108	1664	hdata.exe	32
PID 1664 wrote to memory of 1108	1664	hdata.exe	32
PID 1108 wrote to memory of 1128	1108	cmd.exe	35
PID 1108 wrote to memory of 1128	1108	cmd.exe	35
PID 1108 wrote to memory of 1128	1108	cmd.exe	35
PID 1108 wrote to memory of 1984	1108	cmd.exe	36
PID 1108 wrote to memory of 1984	1108	cmd.exe	36
PID 1108 wrote to memory of 1984	1108	cmd.exe	36
PID 1108 wrote to memory of 864	1108	cmd.exe	37
PID 1108 wrote to memory of 864	1108	cmd.exe	37
PID 1108 wrote to memory of 864	1108	cmd.exe	37
PID 1108 wrote to memory of 2416	1108	cmd.exe	38
PID 1108 wrote to memory of 2416	1108	cmd.exe	38
PID 1108 wrote to memory of 2416	1108	cmd.exe	38
PID 1664 wrote to memory of 2620	1664	hdata.exe	40
PID 1664 wrote to memory of 2620	1664	hdata.exe	40
PID 1664 wrote to memory of 2620	1664	hdata.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360.exe
"C:\Users\Admin\AppData\Local\Temp\0da334a11c157f76512e0a02a38744f1d545f52e0605977fe26dad470328c360.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\hdata.exe
  C:\Windows\hdata.exe
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Windows\sc.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1108
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Create /SC MONTHLY /MO 12 /TN defenderupdate /TR C:\Windows\watcher.exe /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1128
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn "Adobe Updater" /tr C:\Windows\Update.exe /sc onstart /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1984
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Create /SC MONTHLY /MO 12 /TN winalert /TR C:\Windows\winalert.exe /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:864
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Create /SC MINUTE /MO 30 /TN ActivationError /TR C:\Windows\ActivationError.exe /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2416
- - C:\Windows\windiag.exe
    "C:\Windows\windiag.exe"
    3⤵
    - Executes dropped EXE
    PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Image File Execution Options Injection

1

T1546.012

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Image File Execution Options Injection

1

T1546.012

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst8A56.tmp\ioSpecial.ini

Filesize
663B

MD5
85db2eae69cbc41cb29a4975970e7495

SHA1
00866a9ade1ecdcb2bd08315d780271e23cf7d58

SHA256
52d36bded86a0074de38a2f62784a71f159dbbbd98842d3dbba97fe21e29988e

SHA512
1479167d8aa29759b0d38909ae38fb1c1ee4bd5292939580b7637e3982f016c4b7b8358bb6569ddb0c20290b6fc3ffc8910760413135b9545f4b8d9517a16a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8A56.tmp\ioSpecial.ini

Filesize
746B

MD5
6768ea9521f13d3c1a3513c9a213aff3

SHA1
b673a42ab968ce7f5365433ded962c02e533f326

SHA256
fdfe442b10ec57417c60ea744b83e607d62fdae919a95ce1d9ed4db8e3041b85

SHA512
236b831ee87b0fc33d2daad94d547475d16ea6ccef7310c817409be832d62395c17c2c008616fd2d139283b5547457c29c8675b47dc707b25a4cd1f0c07ef037

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8A56.tmp\ioSpecial.ini

Filesize
707B

MD5
c9e17bee250d9fee971a38937172396d

SHA1
0924a006889d6edf7359946aeaa2f2c6be25f998

SHA256
35c9c3ca9271d92fb07c0ba030d20bd31d542cb8cb554ac878ba47ad03d3f146

SHA512
5292a01e078ab283ca03d16505791f66e34fd9e7020e1557fa9e60460d6f41fcd3cba56498bde25456ac0b314675d80656a9176f56b7ac49fba15d0a8475bc7b

Download Submit
C:\Windows\hdata.exe

Filesize
20KB

MD5
0bf81c3824014c2c804e1e8929578b10

SHA1
798f2005db1fa985dc1ae6bd108dd3df3e3cf300

SHA256
1fceb743d924484757517b66634304fe18e95504521d06937cdbe03a8b69fe4c

SHA512
450ea2cd93f815fe1d0f6a0e2e0972156789961356ae58f1a1ee2b31921ba024b79e3a61b4453238ee33439408d960b43b016adaf73e41b43a2f096efcf6ff43

Download Submit
C:\Windows\sc.bat

Filesize
404B

MD5
8b99aa5c390ffdfe831a3d54643a998e

SHA1
6b297ce3cb8a5ddde2ceff1bdc395f918431db93

SHA256
82ccb933219a67c8e51549b7c7ceb5dfb1addb792385f3ef4cb6222425cff567

SHA512
aeed3ffa2fa528256fd0285567691eb37aa1d7ae302e1ec6cdae17cc608a0813e470853dcd8aef6749ee79e4b6bc4c663c87c5f20b8e12530b303ded1659202b

Download Submit
C:\Windows\windiag.exe

Filesize
13KB

MD5
412eeed6e110429a221ea740ae6afdc4

SHA1
a7907527479810e29f4003ab84d3af0a26d6b22a

SHA256
94e05f2ccf47c41a8327beea0ec89d4ef84fc83a4506842c1c663324e9985e1e

SHA512
74354177786ac672ebb7ac83919cb29e5b15d48466979f9a8808d80b264c0c606c77f8f9057700750e86f367e66c0108b1e0924ee8f6b845c41e6e5b1708d8e8

Download Submit
\Program Files (x86)\Cronsee\Cronsee.exe

Filesize
1.3MB

MD5
393a0bdb6aa3efce4bca4d01843e6dd3

SHA1
bc1c14626f107b004071fff4b8836987f61ae9a1

SHA256
4f26dc9b5928208245e2750210cf2933b51cc0ba3f17f55513288eacf0bd8588

SHA512
f18d7b3736ad4709532a9b50f46f8e5b4fdae85434ca051cf39d77969e70195fce9831a8c868707d503b4260ab878a45c37757761ce242f2ba69b8988808a6b5

Download Submit
\Users\Admin\AppData\Local\Temp\nst8A56.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
memory/1664-204-0x000007FEF54E3000-0x000007FEF54E4000-memory.dmp

Filesize
4KB

Download
memory/1664-205-0x00000000010B0000-0x00000000010BC000-memory.dmp

Filesize
48KB

Download
memory/1664-206-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

Filesize
9.9MB

Download
memory/1664-208-0x0000000000ED0000-0x0000000000EF5000-memory.dmp

Filesize
148KB

Download
memory/1664-209-0x000007FEF54E3000-0x000007FEF54E4000-memory.dmp

Filesize
4KB

Download
memory/1664-213-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

Filesize
9.9MB

Download
memory/2620-212-0x0000000000DC0000-0x0000000000DCA000-memory.dmp

Filesize
40KB

Download
memory/2620-214-0x0000000000C10000-0x0000000000C35000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads