1d63fd158bf9c1fa57c0bdb68817252b6c55e7a1f506d74680be6fc76e49f310

General

Target

IGUW6LGP.exe
Size

729KB
MD5

a978829d640914b88ee160147ba56292
SHA1

f2a019846d5c649238f4c880349186636aaead8f
SHA256

5561987526eb45b89f9ed1220d2544ce4d5bc4b46cb47839e44444a05aab70f8
SHA512

3d245e2978c7df8896a6a9ebbaeedc707a0cb708d54bb5cf1672423c300984e96dade5e962e170bd38ed8a3891a4aee7d54a4f5296daa5193e7ee9c1928af547

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BJJGUGYX = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Local\\BJJGUGYX.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

IGUW6LGP.exe

description pid process target process

PID 1948 set thread context of 3248 1948 IGUW6LGP.exe IGUW6LGP.exe

description	pid	process	target process
PID 1948 set thread context of 3248	1948	IGUW6LGP.exe	IGUW6LGP.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

IGUW6LGP.exeIGUW6LGP.exepowershell.exe

pid	process
1948	IGUW6LGP.exe
1948	IGUW6LGP.exe
1948	IGUW6LGP.exe
3248	IGUW6LGP.exe
3248	IGUW6LGP.exe
3248	IGUW6LGP.exe
3248	IGUW6LGP.exe
3248	IGUW6LGP.exe
3248	IGUW6LGP.exe
3248	IGUW6LGP.exe
3248	IGUW6LGP.exe
3248	IGUW6LGP.exe
3248	IGUW6LGP.exe
3248	IGUW6LGP.exe
3248	IGUW6LGP.exe
3248	IGUW6LGP.exe
3248	IGUW6LGP.exe
3248	IGUW6LGP.exe
3248	IGUW6LGP.exe
3248	IGUW6LGP.exe
3248	IGUW6LGP.exe
3248	IGUW6LGP.exe
3248	IGUW6LGP.exe
3248	IGUW6LGP.exe
3248	IGUW6LGP.exe
3248	IGUW6LGP.exe
3248	IGUW6LGP.exe
740	powershell.exe
740	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

IGUW6LGP.exeIGUW6LGP.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1948 IGUW6LGP.exe
Token: SeDebugPrivilege 3248 IGUW6LGP.exe
Token: SeDebugPrivilege 740 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1948	IGUW6LGP.exe
Token: SeDebugPrivilege	3248	IGUW6LGP.exe
Token: SeDebugPrivilege	740	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

IGUW6LGP.exeIGUW6LGP.execmd.exe

description	pid	process	target process
PID 1948 wrote to memory of 2624	1948	IGUW6LGP.exe	IGUW6LGP.exe
PID 1948 wrote to memory of 2624	1948	IGUW6LGP.exe	IGUW6LGP.exe
PID 1948 wrote to memory of 2624	1948	IGUW6LGP.exe	IGUW6LGP.exe
PID 1948 wrote to memory of 3248	1948	IGUW6LGP.exe	IGUW6LGP.exe
PID 1948 wrote to memory of 3248	1948	IGUW6LGP.exe	IGUW6LGP.exe
PID 1948 wrote to memory of 3248	1948	IGUW6LGP.exe	IGUW6LGP.exe
PID 1948 wrote to memory of 3248	1948	IGUW6LGP.exe	IGUW6LGP.exe
PID 1948 wrote to memory of 3248	1948	IGUW6LGP.exe	IGUW6LGP.exe
PID 1948 wrote to memory of 3248	1948	IGUW6LGP.exe	IGUW6LGP.exe
PID 1948 wrote to memory of 3248	1948	IGUW6LGP.exe	IGUW6LGP.exe
PID 1948 wrote to memory of 3248	1948	IGUW6LGP.exe	IGUW6LGP.exe
PID 3248 wrote to memory of 1104	3248	IGUW6LGP.exe	cmd.exe
PID 3248 wrote to memory of 1104	3248	IGUW6LGP.exe	cmd.exe
PID 3248 wrote to memory of 1104	3248	IGUW6LGP.exe	cmd.exe
PID 1104 wrote to memory of 2776	1104	cmd.exe	reg.exe
PID 1104 wrote to memory of 2776	1104	cmd.exe	reg.exe
PID 1104 wrote to memory of 2776	1104	cmd.exe	reg.exe
PID 3248 wrote to memory of 740	3248	IGUW6LGP.exe	powershell.exe
PID 3248 wrote to memory of 740	3248	IGUW6LGP.exe	powershell.exe
PID 3248 wrote to memory of 740	3248	IGUW6LGP.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\IGUW6LGP.exe
"C:\Users\Admin\AppData\Local\Temp\IGUW6LGP.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Local\Temp\IGUW6LGP.exe
"{path}"
2⤵
PID:2624

C:\Users\Admin\AppData\Local\Temp\IGUW6LGP.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3248

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v BJJGUGYX /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Local\BJJGUGYX.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v BJJGUGYX /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Local\BJJGUGYX.exe"
4⤵
- Adds Run key to start application
PID:2776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process C:\Users\Admin\AppData\Local\BJJGUGYX.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IGUW6LGP.exe.log
Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
memory/740-142-0x0000000000000000-mapping.dmp

Download
memory/740-148-0x0000000005DF0000-0x0000000005E0E000-memory.dmp

Filesize
120KB

Download
memory/740-147-0x0000000005740000-0x00000000057A6000-memory.dmp

Filesize
408KB

Download
memory/740-146-0x0000000004E40000-0x0000000004EA6000-memory.dmp

Filesize
408KB

Download
memory/740-145-0x0000000004B00000-0x0000000004B22000-memory.dmp

Filesize
136KB

Download
memory/740-144-0x0000000005010000-0x0000000005638000-memory.dmp

Filesize
6.2MB

Download
memory/740-143-0x0000000002430000-0x0000000002466000-memory.dmp

Filesize
216KB

Download
memory/1104-140-0x0000000000000000-mapping.dmp

Download
memory/1948-133-0x0000000005480000-0x000000000548A000-memory.dmp

Filesize
40KB

Download
memory/1948-132-0x00000000054C0000-0x0000000005552000-memory.dmp

Filesize
584KB

Download
memory/1948-134-0x0000000008FF0000-0x000000000908C000-memory.dmp

Filesize
624KB

Download
memory/1948-130-0x0000000000B50000-0x0000000000C0C000-memory.dmp

Filesize
752KB

Download
memory/1948-131-0x00000000059D0000-0x0000000005F74000-memory.dmp

Filesize
5.6MB

Download
memory/2624-135-0x0000000000000000-mapping.dmp

Download
memory/2776-141-0x0000000000000000-mapping.dmp

Download
memory/3248-137-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/3248-136-0x0000000000000000-mapping.dmp

Download
memory/3248-139-0x0000000006E10000-0x0000000006E54000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads