94a1cc533001cbca25104768e76c14ffb9946926895a3e49d6dc7de1f0ecd2ad

General

Target

94a1cc533001cbca25104768e76c14ffb9946926895a3e49d6dc7de1f0ecd2ad.exe
Size

14.9MB
MD5

75c5eab1eee7cce3d125165095a4869a
SHA1

cc8763dd506c9b268cad038ce65b31b1f0ca4fc8
SHA256

94a1cc533001cbca25104768e76c14ffb9946926895a3e49d6dc7de1f0ecd2ad
SHA512

38c57ad884c829c66d9b831671bdadc22006a7f67b988457cde34da00a91c484f668644ad1baa3ff0f54163aa3eb067883fcea726a19b4a830f11e37217f26f8
SSDEEP

393216:brgwWSOvB/aVGfXO3UwyNq7sR9v11uvu/5Ki:fgDzQV+e+q09NMvS5

Score

8^/10

discovery persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MAcccc\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\MAc.sys"	94a1cc533001cbca25104768e76c14ffb9946926895a3e49d6dc7de1f0ecd2ad.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2540	94a1cc533001cbca25104768e76c14ffb9946926895a3e49d6dc7de1f0ecd2ad.exe
2540	94a1cc533001cbca25104768e76c14ffb9946926895a3e49d6dc7de1f0ecd2ad.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94a1cc533001cbca25104768e76c14ffb9946926895a3e49d6dc7de1f0ecd2ad.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2540	94a1cc533001cbca25104768e76c14ffb9946926895a3e49d6dc7de1f0ecd2ad.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2540	94a1cc533001cbca25104768e76c14ffb9946926895a3e49d6dc7de1f0ecd2ad.exe
2540	94a1cc533001cbca25104768e76c14ffb9946926895a3e49d6dc7de1f0ecd2ad.exe

C:\Users\Admin\AppData\Local\Temp\94a1cc533001cbca25104768e76c14ffb9946926895a3e49d6dc7de1f0ecd2ad.exe
"C:\Users\Admin\AppData\Local\Temp\94a1cc533001cbca25104768e76c14ffb9946926895a3e49d6dc7de1f0ecd2ad.exe"
1⤵
- Sets service image path in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2540-0-0x00000000013B6000-0x00000000019A8000-memory.dmp

Filesize
5.9MB

Download
memory/2540-8-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2540-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2540-15-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2540-40-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2540-38-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2540-41-0x0000000000400000-0x0000000002888000-memory.dmp

Filesize
36.5MB

Download
memory/2540-35-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2540-33-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2540-30-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2540-28-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2540-25-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2540-23-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2540-20-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2540-18-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2540-16-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2540-13-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2540-11-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2540-10-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2540-6-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2540-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2540-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2540-46-0x0000000000400000-0x0000000002888000-memory.dmp

Filesize
36.5MB

Download
memory/2540-47-0x0000000000400000-0x0000000002888000-memory.dmp

Filesize
36.5MB

Download
memory/2540-48-0x00000000013B6000-0x00000000019A8000-memory.dmp

Filesize
5.9MB

Download
memory/2540-49-0x0000000000400000-0x0000000002888000-memory.dmp

Filesize
36.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads