e509dac46439a5a8d855817219e569054ccbe01e964179650c4b0b6e3b7bb4be

General

Target

PersistencyMonitor.exe
Size

128KB
MD5

54d3979b6bab76559006aa8009e09929
SHA1

af70333cd80add67c6ceae6ee9035357b63e9988
SHA256

a73c8dac720f0b7744bfce66293569c37036696a84bf7428c03592695baf04ad
SHA512

0e48b24c6d0f39deb6295b431b20f5d8851396e6dcc35c020dbef4f12af25096e03184d9a17090bc1fbd0ab62ef0deadaed14bd6a114232f60ec995b1518ccc9
SSDEEP

3072:Lv/QJLQ0Vk1a0Eg5gomJu1ZAlXktl0bzEeUR:LQeEg5goMu1Zk00bzEeUR

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2F8g3Eh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PersistencyMonitor.exe"	PersistencyMonitor.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PersistencyMonitor.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1910B696-6AC4-0C8B-619F-5B416ED99C7}\{35FD711B-5925-3F30-7992-498FB2A14F4}	PersistencyMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1910B696-6AC4-0C8B-619F-5B416ED99C7}\{35FD711B-5925-3F30-7992-498FB2A14F4}\tJXWDDWnVlF8i4Ps = "1728807312"	PersistencyMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1910B696-6AC4-0C8B-619F-5B416ED99C7}\{35FD711B-5925-3F30-7992-498FB2A14F4}\tJXWDDWnVlF8i4Ps = "1728807353"	PersistencyMonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1910B696-6AC4-0C8B-619F-5B416ED99C7}\{35FD711B-5925-3F30-7992-498FB2A14F4}\jV8NgCnfQhLSk9Jms8s3 = "60"	PersistencyMonitor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1910B696-6AC4-0C8B-619F-5B416ED99C7}	PersistencyMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1910B696-6AC4-0C8B-619F-5B416ED99C7}\{BF454B6F-0D51-F145-0E46-912431060A0}\gO3nENfZ8gPUiBP4	PersistencyMonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1910B696-6AC4-0C8B-619F-5B416ED99C7}\{BF454B6F-0D51-F145-0E46-912431060A0}\hJOWDEhhUmELf3QX = "1"	PersistencyMonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1910B696-6AC4-0C8B-619F-5B416ED99C7}\{BF454B6F-0D51-F145-0E46-912431060A0}\hJOWDIcjUbNPe4Dy = "0"	PersistencyMonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1910B696-6AC4-0C8B-619F-5B416ED99C7}\{BF454B6F-0D51-F145-0E46-912431060A0}\hJOWDVimIdCTpADs = "0"	PersistencyMonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1910B696-6AC4-0C8B-619F-5B416ED99C7}\{35FD711B-5925-3F30-7992-498FB2A14F4}\mELnAPgaIkPUiROt = "1"	PersistencyMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1910B696-6AC4-0C8B-619F-5B416ED99C7}\{35FD711B-5925-3F30-7992-498FB2A14F4}\tJXWDDWnVlF8i4Ps = "1728807327"	PersistencyMonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1910B696-6AC4-0C8B-619F-5B416ED99C7}\{35FD711B-5925-3F30-7992-498FB2A14F4}\jV8NgCnfQhLSk9Jms8s3 = "299"	PersistencyMonitor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1910B696-6AC4-0C8B-619F-5B416ED99C7}\{BF454B6F-0D51-F145-0E46-912431060A0}	PersistencyMonitor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	PersistencyMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1910B696-6AC4-0C8B-619F-5B416ED99C7}\{BF454B6F-0D51-F145-0E46-912431060A0}\pR2n5UthObTVtAPJ	PersistencyMonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1910B696-6AC4-0C8B-619F-5B416ED99C7}\{35FD711B-5925-3F30-7992-498FB2A14F4}\mELnAPgaIkPUiROt = "12"	PersistencyMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1910B696-6AC4-0C8B-619F-5B416ED99C7}\{35FD711B-5925-3F30-7992-498FB2A14F4}\tJXWDDWnVlF8i4Ps = "1728807713"	PersistencyMonitor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	PersistencyMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1910B696-6AC4-0C8B-619F-5B416ED99C7}\{BF454B6F-0D51-F145-0E46-912431060A0}\sOThWFakWcCIhEMW	PersistencyMonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1910B696-6AC4-0C8B-619F-5B416ED99C7}\{35FD711B-5925-3F30-7992-498FB2A14F4}\mELnAPgaIkPUiROt = "2"	PersistencyMonitor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1910B696-6AC4-0C8B-619F-5B416ED99C7}\{35FD711B-5925-3F30-7992-498FB2A14F4}\mELnAPgaIkPUiROt = "4"	PersistencyMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1910B696-6AC4-0C8B-619F-5B416ED99C7}\{35FD711B-5925-3F30-7992-498FB2A14F4}\tJXWDDWnVlF8i4Ps = "1728807414"	PersistencyMonitor.exe

C:\Users\Admin\AppData\Local\Temp\PersistencyMonitor.exe
"C:\Users\Admin\AppData\Local\Temp\PersistencyMonitor.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2140