f90856a0deeedef55fccf1386af69280a5ebc72e2179d3c07befb6e978e0caff

General

Target

f90856a0deeedef55fccf1386af69280a5ebc72e2179d3c07befb6e978e0caff.exe
Size

1.3MB
MD5

b780e63a22928a85867fbb744c8d7a7a
SHA1

657a87d43d58b46ec3944f3e0543a1882f149e6b
SHA256

f90856a0deeedef55fccf1386af69280a5ebc72e2179d3c07befb6e978e0caff
SHA512

5ca2eba46cc018e41fd3538d4cf5ed9123b21abba4ba760b3562e3571fc191dacb60bd59566c14451c4243a60cd5b9248a84edb193c4ea49854df91d389671ca
SSDEEP

24576:98dvIOVmW6AbPsArkueRKmV3sNlHXdmMDx:9owONbkBuyKmBs7Y2

Score

7^/10

Malware Config

Signatures

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe	f90856a0deeedef55fccf1386af69280a5ebc72e2179d3c07befb6e978e0caff.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app_signed.exe	f90856a0deeedef55fccf1386af69280a5ebc72e2179d3c07befb6e978e0caff.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app_signed.exe	f90856a0deeedef55fccf1386af69280a5ebc72e2179d3c07befb6e978e0caff.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe	f90856a0deeedef55fccf1386af69280a5ebc72e2179d3c07befb6e978e0caff.exe

Executes dropped EXE 2 IoCs

pid	Process
2008	app.exe
3008	app.exe

Loads dropped DLL 1 IoCs

pid	Process
2776	f90856a0deeedef55fccf1386af69280a5ebc72e2179d3c07befb6e978e0caff.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\app.exe"	f90856a0deeedef55fccf1386af69280a5ebc72e2179d3c07befb6e978e0caff.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2008 set thread context of 3008	2008	app.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f90856a0deeedef55fccf1386af69280a5ebc72e2179d3c07befb6e978e0caff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	app.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	app.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2776	f90856a0deeedef55fccf1386af69280a5ebc72e2179d3c07befb6e978e0caff.exe
2776	f90856a0deeedef55fccf1386af69280a5ebc72e2179d3c07befb6e978e0caff.exe
2776	f90856a0deeedef55fccf1386af69280a5ebc72e2179d3c07befb6e978e0caff.exe
2776	f90856a0deeedef55fccf1386af69280a5ebc72e2179d3c07befb6e978e0caff.exe
2776	f90856a0deeedef55fccf1386af69280a5ebc72e2179d3c07befb6e978e0caff.exe
2776	f90856a0deeedef55fccf1386af69280a5ebc72e2179d3c07befb6e978e0caff.exe
2008	app.exe
2008	app.exe
2008	app.exe
2008	app.exe
2008	app.exe
2008	app.exe
2008	app.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	f90856a0deeedef55fccf1386af69280a5ebc72e2179d3c07befb6e978e0caff.exe
Token: SeDebugPrivilege	2008	app.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3008	app.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2008	2776	f90856a0deeedef55fccf1386af69280a5ebc72e2179d3c07befb6e978e0caff.exe	30
PID 2776 wrote to memory of 2008	2776	f90856a0deeedef55fccf1386af69280a5ebc72e2179d3c07befb6e978e0caff.exe	30
PID 2776 wrote to memory of 2008	2776	f90856a0deeedef55fccf1386af69280a5ebc72e2179d3c07befb6e978e0caff.exe	30
PID 2776 wrote to memory of 2008	2776	f90856a0deeedef55fccf1386af69280a5ebc72e2179d3c07befb6e978e0caff.exe	30
PID 2008 wrote to memory of 3008	2008	app.exe	31
PID 2008 wrote to memory of 3008	2008	app.exe	31
PID 2008 wrote to memory of 3008	2008	app.exe	31
PID 2008 wrote to memory of 3008	2008	app.exe	31
PID 2008 wrote to memory of 3020	2008	app.exe	32
PID 2008 wrote to memory of 3020	2008	app.exe	32
PID 2008 wrote to memory of 3020	2008	app.exe	32
PID 2008 wrote to memory of 3020	2008	app.exe	32
PID 2008 wrote to memory of 3008	2008	app.exe	31
PID 2008 wrote to memory of 3020	2008	app.exe	32
PID 2008 wrote to memory of 3008	2008	app.exe	31
PID 2008 wrote to memory of 3008	2008	app.exe	31
PID 2008 wrote to memory of 3008	2008	app.exe	31
PID 2008 wrote to memory of 3020	2008	app.exe	32
PID 2008 wrote to memory of 3008	2008	app.exe	31
PID 2008 wrote to memory of 3020	2008	app.exe	32
PID 2008 wrote to memory of 3020	2008	app.exe	32

C:\Users\Admin\AppData\Local\Temp\f90856a0deeedef55fccf1386af69280a5ebc72e2179d3c07befb6e978e0caff.exe
"C:\Users\Admin\AppData\Local\Temp\f90856a0deeedef55fccf1386af69280a5ebc72e2179d3c07befb6e978e0caff.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3008
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe"
    3⤵
    PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b4868f9700e0caa7ffa9d4868f5f0217

SHA1
fcc06f48fc9d54d31fb25bf18715a90a1aa305e7

SHA256
81aedc306a4ae02c083e3bdc8492d9e31f9fecf805b7f60bb5032e7cec50a4db

SHA512
425864858cdec188f2bb2485750e21ddac535ce68bb4823e0aa35f8b01d189468858a30611c24040f6ab214df03cf54211441b5cfd04e3890edcc2bf6a92240c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab40D7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe

Filesize
1.3MB

MD5
0840762720dbcbea9772ed8fc81c58fd

SHA1
731f7f6c5b4d7a8d7ab7a56f1f33593168163ed9

SHA256
709e9a703d26d637bbd04eb2521c8f0d726d86688a19e45995c6cc4db71fed40

SHA512
6753e42fd48b0af7fe7ae87b8eb68b84a459216bee04b7b83bc5da17735cdf7969dc457cf5bb07e056fa69efc548694f9d6f98a4c4fbed3f9fd042e5943864e2

Download Submit
memory/2008-45-0x0000000074E50000-0x00000000753FB000-memory.dmp

Filesize
5.7MB

Download
memory/2008-47-0x0000000074E50000-0x00000000753FB000-memory.dmp

Filesize
5.7MB

Download
memory/2008-69-0x0000000074E50000-0x00000000753FB000-memory.dmp

Filesize
5.7MB

Download
memory/2008-46-0x0000000074E50000-0x00000000753FB000-memory.dmp

Filesize
5.7MB

Download
memory/2008-41-0x0000000074E50000-0x00000000753FB000-memory.dmp

Filesize
5.7MB

Download
memory/2008-42-0x0000000074E50000-0x00000000753FB000-memory.dmp

Filesize
5.7MB

Download
memory/2776-14-0x0000000074E50000-0x00000000753FB000-memory.dmp

Filesize
5.7MB

Download
memory/2776-2-0x0000000074E50000-0x00000000753FB000-memory.dmp

Filesize
5.7MB

Download
memory/2776-32-0x0000000074E50000-0x00000000753FB000-memory.dmp

Filesize
5.7MB

Download
memory/2776-0-0x0000000074E51000-0x0000000074E52000-memory.dmp

Filesize
4KB

Download
memory/2776-12-0x0000000074E50000-0x00000000753FB000-memory.dmp

Filesize
5.7MB

Download
memory/2776-13-0x0000000074E50000-0x00000000753FB000-memory.dmp

Filesize
5.7MB

Download
memory/2776-1-0x0000000074E50000-0x00000000753FB000-memory.dmp

Filesize
5.7MB

Download
memory/3008-62-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3008-49-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3008-66-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3008-68-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3008-59-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3008-56-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3008-55-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3008-53-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads