01c59004eb5e4390f96dc41ca001c9bd036068645fb55a922cded1ee1ecf014c

General

Target

Wjhus order 13.1.2021.exe
Size

374KB
MD5

20663ecc753600bebd55fbc4c3fff85e
SHA1

6f14c5bd02dca7c1a58965ccb26a10ef8aa95aea
SHA256

01c59004eb5e4390f96dc41ca001c9bd036068645fb55a922cded1ee1ecf014c
SHA512

d3e2e219fac00dcb53d3f2ef1e789110681183ce22e32191c11c404f816ee4d2b342a5090288907e21d17dc779e9a9baede05aeb20390cacbc047be486f681af

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Wjhus order 13.1.2021.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Wjhus order 13.1.2021.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtemcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\eremcos\\VLC.exe\""	Wjhus order 13.1.2021.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Wjhus order 13.1.2021.exeWjhus order 13.1.2021.exeWjhus order 13.1.2021.exeWjhus order 13.1.2021.exeWScript.exe

description	pid	process	target process
PID 2024 wrote to memory of 684	2024	Wjhus order 13.1.2021.exe	Wjhus order 13.1.2021.exe
PID 2024 wrote to memory of 684	2024	Wjhus order 13.1.2021.exe	Wjhus order 13.1.2021.exe
PID 2024 wrote to memory of 684	2024	Wjhus order 13.1.2021.exe	Wjhus order 13.1.2021.exe
PID 2024 wrote to memory of 684	2024	Wjhus order 13.1.2021.exe	Wjhus order 13.1.2021.exe
PID 684 wrote to memory of 1784	684	Wjhus order 13.1.2021.exe	Wjhus order 13.1.2021.exe
PID 684 wrote to memory of 1784	684	Wjhus order 13.1.2021.exe	Wjhus order 13.1.2021.exe
PID 684 wrote to memory of 1784	684	Wjhus order 13.1.2021.exe	Wjhus order 13.1.2021.exe
PID 684 wrote to memory of 1784	684	Wjhus order 13.1.2021.exe	Wjhus order 13.1.2021.exe
PID 1784 wrote to memory of 1840	1784	Wjhus order 13.1.2021.exe	Wjhus order 13.1.2021.exe
PID 1784 wrote to memory of 1840	1784	Wjhus order 13.1.2021.exe	Wjhus order 13.1.2021.exe
PID 1784 wrote to memory of 1840	1784	Wjhus order 13.1.2021.exe	Wjhus order 13.1.2021.exe
PID 1784 wrote to memory of 1840	1784	Wjhus order 13.1.2021.exe	Wjhus order 13.1.2021.exe
PID 1840 wrote to memory of 1092	1840	Wjhus order 13.1.2021.exe	WScript.exe
PID 1840 wrote to memory of 1092	1840	Wjhus order 13.1.2021.exe	WScript.exe
PID 1840 wrote to memory of 1092	1840	Wjhus order 13.1.2021.exe	WScript.exe
PID 1840 wrote to memory of 1092	1840	Wjhus order 13.1.2021.exe	WScript.exe
PID 1092 wrote to memory of 2020	1092	WScript.exe	cmd.exe
PID 1092 wrote to memory of 2020	1092	WScript.exe	cmd.exe
PID 1092 wrote to memory of 2020	1092	WScript.exe	cmd.exe
PID 1092 wrote to memory of 2020	1092	WScript.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Wjhus order 13.1.2021.exe
"C:\Users\Admin\AppData\Local\Temp\Wjhus order 13.1.2021.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\Wjhus order 13.1.2021.exe
"C:\Users\Admin\AppData\Local\Temp\Wjhus order 13.1.2021.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Users\Admin\AppData\Local\Temp\Wjhus order 13.1.2021.exe
"C:\Users\Admin\AppData\Local\Temp\Wjhus order 13.1.2021.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1784

C:\Users\Admin\AppData\Local\Temp\Wjhus order 13.1.2021.exe
"C:\Users\Admin\AppData\Local\Temp\Wjhus order 13.1.2021.exe"
4⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\eremcos\VLC.exe"
6⤵
PID:2020

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
516c683f65edb23d0e850fa3ef3c8684

SHA1
2ac568ffec85d04a03ce8cd67d22c0f57ebcf78b

SHA256
90fcf9d38e16bf59c8ba902a0a2fb4535cb54515fdb51ecf561cec6911db553d

SHA512
fb785e0ba530ef75dab428467da6b2da078a356a953fb7b1729d2474b06a44f854cfd41fa6f3432e13f330c4a12b1665d316c63291fbd46bb165ba1e7b384c93

Download Submit
memory/684-2-0x0000000000000000-mapping.dmp

Download
memory/1092-5-0x0000000000000000-mapping.dmp

Download
memory/1092-8-0x0000000002620000-0x0000000002624000-memory.dmp

Filesize
16KB

Download
memory/1784-3-0x0000000000000000-mapping.dmp

Download
memory/1840-4-0x0000000000000000-mapping.dmp

Download
memory/2020-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing