488c7484f90b2e568f0cc093809661da214640a6e80d22524ce263cbae6a3080

General

Target

488c7484f90b2e568f0cc093809661da214640a6e80d22524ce263cbae6a3080.exe
Size

1.9MB
MD5

5bca1374bb59683f15dafbab2d6c881f
SHA1

6fba6489319bd702f3a75a66657f1520cb91b4ba
SHA256

488c7484f90b2e568f0cc093809661da214640a6e80d22524ce263cbae6a3080
SHA512

86379299bc454bc2e547340efe539d14b6c73d0110fe9c795e20792299acf577f4268054e8f7928467685c8eab27ff67d85086f76ed61320d75a40742d118cee
SSDEEP

49152:QxYwjnM5v+OZZ0MpB1TXGTy7NxxMjmRqIAe2:aRMYOx0yBvMIqI32

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

dfdfterw.exesihost32.exe

pid	Process
2500	dfdfterw.exe
1428	sihost32.exe

Drops file in System32 directory 3 IoCs

Processes:

conhost.execonhost.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\dfdfterw.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	conhost.exe
File created	C:\Windows\system32\dfdfterw.exe	conhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
624	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

conhost.execonhost.exe

pid	Process
4972	conhost.exe
4244	conhost.exe
4244	conhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

conhost.execonhost.exe

description	pid	Process
Token: SeDebugPrivilege	4972	conhost.exe
Token: SeDebugPrivilege	4244	conhost.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

488c7484f90b2e568f0cc093809661da214640a6e80d22524ce263cbae6a3080.execonhost.execmd.execmd.exedfdfterw.execonhost.exesihost32.exe

description	pid	Process	procid_target
PID 1528 wrote to memory of 4972	1528	488c7484f90b2e568f0cc093809661da214640a6e80d22524ce263cbae6a3080.exe	89
PID 1528 wrote to memory of 4972	1528	488c7484f90b2e568f0cc093809661da214640a6e80d22524ce263cbae6a3080.exe	89
PID 1528 wrote to memory of 4972	1528	488c7484f90b2e568f0cc093809661da214640a6e80d22524ce263cbae6a3080.exe	89
PID 4972 wrote to memory of 3264	4972	conhost.exe	90
PID 4972 wrote to memory of 3264	4972	conhost.exe	90
PID 3264 wrote to memory of 624	3264	cmd.exe	92
PID 3264 wrote to memory of 624	3264	cmd.exe	92
PID 4972 wrote to memory of 1388	4972	conhost.exe	93
PID 4972 wrote to memory of 1388	4972	conhost.exe	93
PID 1388 wrote to memory of 2500	1388	cmd.exe	95
PID 1388 wrote to memory of 2500	1388	cmd.exe	95
PID 2500 wrote to memory of 4244	2500	dfdfterw.exe	98
PID 2500 wrote to memory of 4244	2500	dfdfterw.exe	98
PID 2500 wrote to memory of 4244	2500	dfdfterw.exe	98
PID 4244 wrote to memory of 1428	4244	conhost.exe	99
PID 4244 wrote to memory of 1428	4244	conhost.exe	99
PID 1428 wrote to memory of 4556	1428	sihost32.exe	100
PID 1428 wrote to memory of 4556	1428	sihost32.exe	100
PID 1428 wrote to memory of 4556	1428	sihost32.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\488c7484f90b2e568f0cc093809661da214640a6e80d22524ce263cbae6a3080.exe
"C:\Users\Admin\AppData\Local\Temp\488c7484f90b2e568f0cc093809661da214640a6e80d22524ce263cbae6a3080.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\488c7484f90b2e568f0cc093809661da214640a6e80d22524ce263cbae6a3080.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\System32\cmd.exe
    "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "dfdfterw" /tr "C:\Windows\system32\dfdfterw.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3264
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "dfdfterw" /tr "C:\Windows\system32\dfdfterw.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:624
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c "C:\Windows\system32\dfdfterw.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Windows\system32\dfdfterw.exe
      C:\Windows\system32\dfdfterw.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Windows\system32\dfdfterw.exe"
        5⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4244
      - C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
        
        "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost32"
        7⤵
        
        PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
539B

MD5
b245679121623b152bea5562c173ba11

SHA1
47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d

SHA256
73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f

SHA512
75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c

Download Submit
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe

Filesize
31KB

MD5
d714870cb4a643fa0aacf4a96f0e2a57

SHA1
b9e25cd58d2c77ba1f6fb070a5dedb64083056f2

SHA256
5c2b4f9deb3876840cb302d4d85f3ec113ca40b7c5ef2c2f0d624232ac1b99eb

SHA512
16778204628a0e915f893500867b7b5739f0f1fcf693b5e6912522ea81d9e6cab70a00b7d8a1209bfc73d089b2ddf995519560570dfc028975b8fea3c737dc8f

Download Submit
C:\Windows\system32\dfdfterw.exe

Filesize
1.9MB

MD5
5bca1374bb59683f15dafbab2d6c881f

SHA1
6fba6489319bd702f3a75a66657f1520cb91b4ba

SHA256
488c7484f90b2e568f0cc093809661da214640a6e80d22524ce263cbae6a3080

SHA512
86379299bc454bc2e547340efe539d14b6c73d0110fe9c795e20792299acf577f4268054e8f7928467685c8eab27ff67d85086f76ed61320d75a40742d118cee

Download Submit
memory/4556-27-0x0000025E19650000-0x0000025E19656000-memory.dmp

Filesize
24KB

Download
memory/4556-26-0x0000025E17B30000-0x0000025E17B36000-memory.dmp

Filesize
24KB

Download
memory/4972-3-0x000002025D7A0000-0x000002025D7B2000-memory.dmp

Filesize
72KB

Download
memory/4972-6-0x00007FF985793000-0x00007FF985795000-memory.dmp

Filesize
8KB

Download
memory/4972-7-0x00007FF985790000-0x00007FF986251000-memory.dmp

Filesize
10.8MB

Download
memory/4972-11-0x00007FF985790000-0x00007FF986251000-memory.dmp

Filesize
10.8MB

Download
memory/4972-5-0x00007FF985790000-0x00007FF986251000-memory.dmp

Filesize
10.8MB

Download
memory/4972-4-0x00007FF985790000-0x00007FF986251000-memory.dmp

Filesize
10.8MB

Download
memory/4972-0-0x000002025B890000-0x000002025BA81000-memory.dmp

Filesize
1.9MB

Download
memory/4972-2-0x00000202764B0000-0x00000202766A2000-memory.dmp

Filesize
1.9MB

Download
memory/4972-1-0x00007FF985793000-0x00007FF985795000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads