5c2766a9b8df935b6144459c3ae5c8f6b7cab54ab844cc78ae770ed1481c4220

General

Target

760138.exe
Size

60KB
MD5

599efde12b6948266df775575d37c433
SHA1

6c4953baee81b92254a73d40182678cfbe59c63b
SHA256

5c2766a9b8df935b6144459c3ae5c8f6b7cab54ab844cc78ae770ed1481c4220
SHA512

fb340259594c64c5b1b7ec60190a587dad6b5d7cbd3b991c737578836e4c4b26e475e01f0c2d90227d3563a0091d66d2518fb98d3f0228130c64bd10cd7a01e6

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

760138.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Albatrosernes = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEOBALAENA\\Ritzes.vbs"	760138.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	760138.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

760138.exe760138.exe

pid process

792 760138.exe
1328 760138.exe
1328 760138.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

760138.exe

description pid process target process

PID 792 set thread context of 1328 792 760138.exe 760138.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

760138.exe

pid process

792 760138.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

760138.exe

pid process

792 760138.exe

pid	process
792	760138.exe
1328	760138.exe
1328	760138.exe

description	pid	process	target process
PID 792 set thread context of 1328	792	760138.exe	760138.exe

pid	process
792	760138.exe

pid	process
792	760138.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

760138.exe

description	pid	process	target process
PID 792 wrote to memory of 1328	792	760138.exe	760138.exe
PID 792 wrote to memory of 1328	792	760138.exe	760138.exe
PID 792 wrote to memory of 1328	792	760138.exe	760138.exe
PID 792 wrote to memory of 1328	792	760138.exe	760138.exe
PID 792 wrote to memory of 1328	792	760138.exe	760138.exe

C:\Users\Admin\AppData\Local\Temp\760138.exe
"C:\Users\Admin\AppData\Local\Temp\760138.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Admin\AppData\Local\Temp\760138.exe
"C:\Users\Admin\AppData\Local\Temp\760138.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/792-4-0x00000000002B0000-0x00000000002B9000-memory.dmp

Filesize
36KB

Download
memory/792-5-0x00000000765E1000-0x00000000765E3000-memory.dmp

Filesize
8KB

Download
memory/1328-6-0x00000000004013E4-mapping.dmp

Download
memory/1328-7-0x00000000001B0000-0x00000000002B0000-memory.dmp

Filesize
1024KB

Download
memory/1328-10-0x0000000000689000-0x000000000068A000-memory.dmp

Filesize
4KB

Download
memory/1328-11-0x000000000068A000-0x000000000068B000-memory.dmp

Filesize
4KB

Download
memory/1328-12-0x00000000006B7000-0x00000000006B8000-memory.dmp

Filesize
4KB

Download
memory/1328-14-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/1328-13-0x000000000068F000-0x0000000000690000-memory.dmp

Filesize
4KB

Download
memory/1328-15-0x00000000006A5000-0x00000000006A6000-memory.dmp

Filesize
4KB

Download
memory/1328-17-0x0000000000694000-0x0000000000695000-memory.dmp

Filesize
4KB

Download
memory/1328-18-0x00000000006A4000-0x00000000006A5000-memory.dmp

Filesize
4KB

Download
memory/1328-16-0x00000000006B1000-0x00000000006B2000-memory.dmp

Filesize
4KB

Download
memory/1328-20-0x00000000006A3000-0x00000000006A4000-memory.dmp

Filesize
4KB

Download
memory/1328-21-0x00000000006AB000-0x00000000006AC000-memory.dmp

Filesize
4KB

Download
memory/1328-22-0x0000000000414000-0x0000000000415000-memory.dmp

Filesize
4KB

Download
memory/1328-23-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1328-24-0x00000000006AA000-0x00000000006AB000-memory.dmp

Filesize
4KB

Download
memory/1328-19-0x0000000000693000-0x0000000000694000-memory.dmp

Filesize
4KB

Download
memory/1328-26-0x00000000006A9000-0x00000000006AA000-memory.dmp

Filesize
4KB

Download
memory/1328-25-0x00000000006AF000-0x00000000006B0000-memory.dmp

Filesize
4KB

Download
memory/1328-28-0x00000000006B2000-0x00000000006B3000-memory.dmp

Filesize
4KB

Download
memory/1328-29-0x00000000006AC000-0x00000000006AD000-memory.dmp

Filesize
4KB

Download
memory/1328-30-0x0000000000507000-0x0000000000508000-memory.dmp

Filesize
4KB

Download
memory/1328-31-0x0000000000584000-0x0000000000585000-memory.dmp

Filesize
4KB

Download
memory/1328-32-0x0000000000699000-0x000000000069A000-memory.dmp

Filesize
4KB

Download
memory/1328-33-0x000000000068B000-0x000000000068C000-memory.dmp

Filesize
4KB

Download
memory/1328-34-0x00000000006A6000-0x00000000006A7000-memory.dmp

Filesize
4KB

Download
memory/1328-27-0x000000000069F000-0x00000000006A0000-memory.dmp

Filesize
4KB

Download
memory/1328-35-0x0000000000413000-0x0000000000414000-memory.dmp

Filesize
4KB

Download
memory/1328-36-0x00000000006A2000-0x00000000006A3000-memory.dmp

Filesize
4KB

Download
memory/1328-37-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1328-38-0x00000000006A7000-0x00000000006A8000-memory.dmp

Filesize
4KB

Download
memory/1328-39-0x00000000006B4000-0x00000000006B5000-memory.dmp

Filesize
4KB

Download
memory/1328-40-0x000000000069B000-0x000000000069C000-memory.dmp

Filesize
4KB

Download
memory/1328-41-0x000000000040F000-0x0000000000410000-memory.dmp

Filesize
4KB

Download
memory/1328-42-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/1328-43-0x00000000006B6000-0x00000000006B7000-memory.dmp

Filesize
4KB

Download
memory/1328-44-0x00000000005CC000-0x00000000005CD000-memory.dmp

Filesize
4KB

Download
memory/1328-46-0x0000000000583000-0x0000000000584000-memory.dmp

Filesize
4KB

Download
memory/1328-45-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/1328-47-0x00000000004AF000-0x00000000004B0000-memory.dmp

Filesize
4KB

Download
memory/1328-49-0x00000000004A6000-0x00000000004A7000-memory.dmp

Filesize
4KB

Download
memory/1328-51-0x00000000004AC000-0x00000000004AD000-memory.dmp

Filesize
4KB

Download
memory/1328-52-0x00000000006B9000-0x00000000006BA000-memory.dmp

Filesize
4KB

Download
memory/1328-54-0x0000000000422000-0x0000000000423000-memory.dmp

Filesize
4KB

Download
memory/1328-56-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/1328-58-0x00000000006AE000-0x00000000006AF000-memory.dmp

Filesize
4KB

Download
memory/1328-59-0x000000000069C000-0x000000000069D000-memory.dmp

Filesize
4KB

Download
memory/1328-61-0x0000000000679000-0x000000000067A000-memory.dmp

Filesize
4KB

Download
memory/1328-62-0x0000000000596000-0x0000000000597000-memory.dmp

Filesize
4KB

Download
memory/1328-64-0x0000000000582000-0x0000000000583000-memory.dmp

Filesize
4KB

Download
memory/1328-66-0x0000000000581000-0x0000000000582000-memory.dmp

Filesize
4KB

Download
memory/1328-68-0x000000000068E000-0x000000000068F000-memory.dmp

Filesize
4KB

Download
memory/1328-69-0x0000000000412000-0x0000000000413000-memory.dmp

Filesize
4KB

Download
memory/1328-72-0x00000000005CB000-0x00000000005CC000-memory.dmp

Filesize
4KB

Download
memory/1328-73-0x0000000000411000-0x0000000000412000-memory.dmp

Filesize
4KB

Download
memory/1328-75-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/1328-77-0x00000000004F9000-0x00000000004FA000-memory.dmp

Filesize
4KB

Download
memory/1328-79-0x0000000000523000-0x0000000000524000-memory.dmp

Filesize
4KB

Download
memory/1740-9-0x000007FEF63D0000-0x000007FEF664A000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing