8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a

General

Target

8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe
Size

279KB
MD5

d0cce7870080bd889dba1f4cfd2b3b26
SHA1

a973389aa0908d7b56115aff9cd4878fbd9381f9
SHA256

8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a
SHA512

5fde0ed0ad44569d290972f336d0ca29c38f49bacefe7ba974cbb17d6db7a1a57a8e4f8618f438820c2ff386a6b9c5b8b702c24ee8718cae51379d1566729548
SSDEEP

6144:imUMliX/k5k646sOcT86ISrQdoBX67Hgo2TWD:AMl6Y/fyQdWeHgo2a

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	svchost.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftEdgeUpdate.lnk	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe

Loads dropped DLL 1 IoCs

pid	Process
1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{8516735F331B253817676}\\{8516735F331B253817676}.exe"	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1480 set thread context of 2396	1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe
1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe
1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe
1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe
2396	svchost.exe
2396	svchost.exe
2396	svchost.exe
2396	svchost.exe
2396	svchost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe
Token: SeSecurityPrivilege	1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe
Token: SeTakeOwnershipPrivilege	1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe
Token: SeLoadDriverPrivilege	1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe
Token: SeSystemProfilePrivilege	1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe
Token: SeSystemtimePrivilege	1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe
Token: SeProfSingleProcessPrivilege	1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe
Token: SeIncBasePriorityPrivilege	1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe
Token: SeCreatePagefilePrivilege	1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe
Token: SeBackupPrivilege	1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe
Token: SeRestorePrivilege	1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe
Token: SeShutdownPrivilege	1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe
Token: SeDebugPrivilege	1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe
Token: SeSystemEnvironmentPrivilege	1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe
Token: SeRemoteShutdownPrivilege	1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe
Token: SeUndockPrivilege	1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe
Token: SeManageVolumePrivilege	1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe
Token: 33	1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe
Token: 34	1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe
Token: 35	1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 2396	1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe	30
PID 1480 wrote to memory of 2396	1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe	30
PID 1480 wrote to memory of 2396	1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe	30
PID 1480 wrote to memory of 2396	1480	8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe	30
PID 2396 wrote to memory of 2856	2396	svchost.exe	31
PID 2396 wrote to memory of 2856	2396	svchost.exe	31
PID 2396 wrote to memory of 2856	2396	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe
"C:\Users\Admin\AppData\Local\Temp\8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
  2⤵
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2396 -s 220
    3⤵
    PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
c55e7b590134bae106d2d8170affe162

SHA1
13b61495d4b1460ecb770e42a923c880a73ad692

SHA256
5d4c55ac6c8371c79f94a81c1e53fa50b0fa4231cda0fc9d93892739c723c7e7

SHA512
99162c8512811021c31c98cffe306b3badd07e779ac73d6da16e16d7597c1c8112b1a78dc33a27f717b13333bedf6a804a757e5030f653aeea41a338492c9e27

Download Submit
\Users\Admin\AppData\Roaming\{8516735F331B253817676}\{8516735F331B253817676}.exe

Filesize
279KB

MD5
d0cce7870080bd889dba1f4cfd2b3b26

SHA1
a973389aa0908d7b56115aff9cd4878fbd9381f9

SHA256
8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a

SHA512
5fde0ed0ad44569d290972f336d0ca29c38f49bacefe7ba974cbb17d6db7a1a57a8e4f8618f438820c2ff386a6b9c5b8b702c24ee8718cae51379d1566729548

Download Submit
memory/2396-7-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/2396-58-0x0000000140000000-0x000000014004C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads