0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517

General

Target

0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe
Size

266KB
MD5

b611b18150ff90f659198e46c7f2b74f
SHA1

bb6bcaf535bddc8b793a8fa890bbbe7a33290faa
SHA256

0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517
SHA512

7d934c5875b9f984a1ff5576a4a3dd357a2f1ce54c282cae3a71a57415ad75ac570b0b7e02b32672c7f0bbb7b20f22438ab3765f033c0ee61cfb246bc6fe2b0e
SSDEEP

6144:ty72/oopck5kxnvEL3T0Lq5TmSqMLMHgo2TWnF+v:tyQoomYEg9qrHgo2anAv

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe

Loads dropped DLL 1 IoCs

pid	Process
2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\569D45D496681681895587\\569D45D496681681895587.exe"	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2600 set thread context of 2308	2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe
2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe
2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe
2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe
2308	svchost.exe
2308	svchost.exe
2308	svchost.exe
2308	svchost.exe
2308	svchost.exe
2308	svchost.exe
2308	svchost.exe
2308	svchost.exe
2308	svchost.exe
2308	svchost.exe
2308	svchost.exe
2308	svchost.exe
2308	svchost.exe
2308	svchost.exe
2308	svchost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe
Token: SeSecurityPrivilege	2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe
Token: SeTakeOwnershipPrivilege	2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe
Token: SeLoadDriverPrivilege	2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe
Token: SeSystemProfilePrivilege	2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe
Token: SeSystemtimePrivilege	2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe
Token: SeProfSingleProcessPrivilege	2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe
Token: SeIncBasePriorityPrivilege	2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe
Token: SeCreatePagefilePrivilege	2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe
Token: SeBackupPrivilege	2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe
Token: SeRestorePrivilege	2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe
Token: SeShutdownPrivilege	2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe
Token: SeDebugPrivilege	2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe
Token: SeSystemEnvironmentPrivilege	2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe
Token: SeRemoteShutdownPrivilege	2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe
Token: SeUndockPrivilege	2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe
Token: SeManageVolumePrivilege	2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe
Token: 33	2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe
Token: 34	2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe
Token: 35	2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 2308	2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe	31
PID 2600 wrote to memory of 2308	2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe	31
PID 2600 wrote to memory of 2308	2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe	31
PID 2600 wrote to memory of 2308	2600	0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe	31
PID 2308 wrote to memory of 2504	2308	svchost.exe	32
PID 2308 wrote to memory of 2504	2308	svchost.exe	32
PID 2308 wrote to memory of 2504	2308	svchost.exe	32

C:\Users\Admin\AppData\Local\Temp\0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe
"C:\Users\Admin\AppData\Local\Temp\0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2308 -s 228
    3⤵
    PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\569D45D496681681895587\569D45D496681681895587.exe

Filesize
266KB

MD5
b611b18150ff90f659198e46c7f2b74f

SHA1
bb6bcaf535bddc8b793a8fa890bbbe7a33290faa

SHA256
0fbad12595c3ecd37ed2249d25161c3935485a2c761c104e58973841becd0517

SHA512
7d934c5875b9f984a1ff5576a4a3dd357a2f1ce54c282cae3a71a57415ad75ac570b0b7e02b32672c7f0bbb7b20f22438ab3765f033c0ee61cfb246bc6fe2b0e

Download Submit
memory/2308-7-0x000007FFFFFD4000-0x000007FFFFFD5000-memory.dmp

Filesize
4KB

Download
memory/2308-11-0x0000000140000000-0x0000000140049000-memory.dmp

Filesize
292KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads