641a1d0d54fc5d0facf1c2c20d1cb54f60705d67b5990b3be3cfcb7e8c1269a4

General

Target

SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe
Size

573KB
MD5

7b80992176d91fe6ccb5301fb16e3e40
SHA1

77bee4b3b07c367f45ea8ecd87eb65b317900fd9
SHA256

641a1d0d54fc5d0facf1c2c20d1cb54f60705d67b5990b3be3cfcb7e8c1269a4
SHA512

154b6a62df5c058c49ad58ddf0fefedb7675c9e8c06f5a637fd50d9869409772c954271de6f4791b774eb921030afc4d40e50f1523194c86b1c6e795aca258fd

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

mgiy.exeAddInProcess32.exe

pid process

332 mgiy.exe
1068 AddInProcess32.exe
Loads dropped DLL 2 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exemgiy.exe

pid process

532 SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe
332 mgiy.exe

pid	process
332	mgiy.exe
1068	AddInProcess32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\bqpd = "C:\\Users\\Admin\\mgiy.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

mgiy.exe

description pid process target process

PID 332 set thread context of 1068 332 mgiy.exe AddInProcess32.exe

description	pid	process	target process
PID 332 set thread context of 1068	332	mgiy.exe	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exemgiy.exe

pid	process
532	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe
532	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe
532	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe
332	mgiy.exe
332	mgiy.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exemgiy.exe

description pid process

Token: SeDebugPrivilege 532 SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe
Token: SeDebugPrivilege 332 mgiy.exe

description	pid	process
Token: SeDebugPrivilege	532	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe
Token: SeDebugPrivilege	332	mgiy.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.execmd.exemgiy.exe

description	pid	process	target process
PID 532 wrote to memory of 2036	532	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe	cmd.exe
PID 532 wrote to memory of 2036	532	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe	cmd.exe
PID 532 wrote to memory of 2036	532	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe	cmd.exe
PID 532 wrote to memory of 2036	532	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe	cmd.exe
PID 2036 wrote to memory of 1888	2036	cmd.exe	reg.exe
PID 2036 wrote to memory of 1888	2036	cmd.exe	reg.exe
PID 2036 wrote to memory of 1888	2036	cmd.exe	reg.exe
PID 2036 wrote to memory of 1888	2036	cmd.exe	reg.exe
PID 532 wrote to memory of 332	532	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe	mgiy.exe
PID 532 wrote to memory of 332	532	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe	mgiy.exe
PID 532 wrote to memory of 332	532	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe	mgiy.exe
PID 532 wrote to memory of 332	532	SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe	mgiy.exe
PID 332 wrote to memory of 1068	332	mgiy.exe	AddInProcess32.exe
PID 332 wrote to memory of 1068	332	mgiy.exe	AddInProcess32.exe
PID 332 wrote to memory of 1068	332	mgiy.exe	AddInProcess32.exe
PID 332 wrote to memory of 1068	332	mgiy.exe	AddInProcess32.exe
PID 332 wrote to memory of 1068	332	mgiy.exe	AddInProcess32.exe
PID 332 wrote to memory of 1068	332	mgiy.exe	AddInProcess32.exe
PID 332 wrote to memory of 1068	332	mgiy.exe	AddInProcess32.exe
PID 332 wrote to memory of 1068	332	mgiy.exe	AddInProcess32.exe
PID 332 wrote to memory of 1068	332	mgiy.exe	AddInProcess32.exe
PID 332 wrote to memory of 1068	332	mgiy.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.45131634.12155.15985.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bqpd" /t REG_SZ /d "C:\Users\Admin\mgiy.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bqpd" /t REG_SZ /d "C:\Users\Admin\mgiy.exe"
3⤵
- Adds Run key to start application
PID:1888

C:\Users\Admin\mgiy.exe
"C:\Users\Admin\mgiy.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:332

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
3⤵
- Executes dropped EXE
PID:1068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\mgiy.exe

MD5
7b80992176d91fe6ccb5301fb16e3e40

SHA1
77bee4b3b07c367f45ea8ecd87eb65b317900fd9

SHA256
641a1d0d54fc5d0facf1c2c20d1cb54f60705d67b5990b3be3cfcb7e8c1269a4

SHA512
154b6a62df5c058c49ad58ddf0fefedb7675c9e8c06f5a637fd50d9869409772c954271de6f4791b774eb921030afc4d40e50f1523194c86b1c6e795aca258fd

Download Submit
C:\Users\Admin\mgiy.exe

MD5
7b80992176d91fe6ccb5301fb16e3e40

SHA1
77bee4b3b07c367f45ea8ecd87eb65b317900fd9

SHA256
641a1d0d54fc5d0facf1c2c20d1cb54f60705d67b5990b3be3cfcb7e8c1269a4

SHA512
154b6a62df5c058c49ad58ddf0fefedb7675c9e8c06f5a637fd50d9869409772c954271de6f4791b774eb921030afc4d40e50f1523194c86b1c6e795aca258fd

Download Submit
\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
\Users\Admin\mgiy.exe

MD5
7b80992176d91fe6ccb5301fb16e3e40

SHA1
77bee4b3b07c367f45ea8ecd87eb65b317900fd9

SHA256
641a1d0d54fc5d0facf1c2c20d1cb54f60705d67b5990b3be3cfcb7e8c1269a4

SHA512
154b6a62df5c058c49ad58ddf0fefedb7675c9e8c06f5a637fd50d9869409772c954271de6f4791b774eb921030afc4d40e50f1523194c86b1c6e795aca258fd

Download Submit
memory/332-18-0x00000000003D0000-0x00000000003DB000-memory.dmp

Filesize
44KB

Download
memory/332-10-0x0000000000000000-mapping.dmp

Download
memory/332-13-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/332-14-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/332-19-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/532-2-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/532-6-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/532-5-0x0000000000320000-0x000000000033E000-memory.dmp

Filesize
120KB

Download
memory/532-3-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/1068-23-0x0000000000401190-mapping.dmp

Download
memory/1888-8-0x0000000000000000-mapping.dmp

Download
memory/2036-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads