122cd303b358e49f5b945e54da84d57c9df9cd2255ac604e5e8fa69c76278de1

General

Target

122cd303b358e49f5b945e54da84d57c9df9cd2255ac604e5e8fa69c76278de1.exe
Size

1.9MB
MD5

003acf196868feddf108ab0b2685db2c
SHA1

20cd7e17d7a02de5ff4ccbae1267bfb831ccdbb3
SHA256

122cd303b358e49f5b945e54da84d57c9df9cd2255ac604e5e8fa69c76278de1
SHA512

180986d74acda3ed043e7955f3e19102f9145cacc52783ed20aa642076f19bed5e7f3cb7b2910ee954555a7474d321e79cfc7df6e6e97cf9072d524717201ba1

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

122cd303b358e49f5b945e54da84d57c9df9cd2255ac604e5e8fa69c76278de1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	122cd303b358e49f5b945e54da84d57c9df9cd2255ac604e5e8fa69c76278de1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe"	122cd303b358e49f5b945e54da84d57c9df9cd2255ac604e5e8fa69c76278de1.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run	122cd303b358e49f5b945e54da84d57c9df9cd2255ac604e5e8fa69c76278de1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe"	122cd303b358e49f5b945e54da84d57c9df9cd2255ac604e5e8fa69c76278de1.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

122cd303b358e49f5b945e54da84d57c9df9cd2255ac604e5e8fa69c76278de1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	122cd303b358e49f5b945e54da84d57c9df9cd2255ac604e5e8fa69c76278de1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe"	122cd303b358e49f5b945e54da84d57c9df9cd2255ac604e5e8fa69c76278de1.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	122cd303b358e49f5b945e54da84d57c9df9cd2255ac604e5e8fa69c76278de1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe"	122cd303b358e49f5b945e54da84d57c9df9cd2255ac604e5e8fa69c76278de1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

122cd303b358e49f5b945e54da84d57c9df9cd2255ac604e5e8fa69c76278de1.exe

pid process

520 122cd303b358e49f5b945e54da84d57c9df9cd2255ac604e5e8fa69c76278de1.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

122cd303b358e49f5b945e54da84d57c9df9cd2255ac604e5e8fa69c76278de1.exe

pid process

520 122cd303b358e49f5b945e54da84d57c9df9cd2255ac604e5e8fa69c76278de1.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

122cd303b358e49f5b945e54da84d57c9df9cd2255ac604e5e8fa69c76278de1.exe

pid	process
520	122cd303b358e49f5b945e54da84d57c9df9cd2255ac604e5e8fa69c76278de1.exe
520	122cd303b358e49f5b945e54da84d57c9df9cd2255ac604e5e8fa69c76278de1.exe

C:\Users\Admin\AppData\Local\Temp\122cd303b358e49f5b945e54da84d57c9df9cd2255ac604e5e8fa69c76278de1.exe
"C:\Users\Admin\AppData\Local\Temp\122cd303b358e49f5b945e54da84d57c9df9cd2255ac604e5e8fa69c76278de1.exe"
1⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/520-59-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads