25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc

General

Target

25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe
Size

222KB
MD5

0c9f30cd9a8c16aac47e1e29b652f501
SHA1

485d7cbe098bc6b3fa7c92779e061be9b969bc13
SHA256

25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc
SHA512

911401b84877063483ae230aae5b60d1466d7888d22c7e9774f87fe178aa4d3a8074c69b140332b127dbef97a23c651ae322fe496d9fd889766d9165396ab67d

Score

6^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

Processes:

25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe

description	pid	process	target process
PID 1280 set thread context of 996	1280	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe

C:\Users\Admin\AppData\Local\Temp\25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe
"C:\Users\Admin\AppData\Local\Temp\25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe
"C:\Users\Admin\AppData\Local\Temp\25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe"
2⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe
"C:\Users\Admin\AppData\Local\Temp\25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe"
2⤵
PID:996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/996-64-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/996-65-0x00000000002632FE-mapping.dmp

Download
memory/996-57-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/996-56-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/996-59-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/996-61-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/996-71-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/996-70-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/996-68-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/996-66-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/996-63-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1280-67-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1280-54-0x00000000756E1000-0x00000000756E3000-memory.dmp

Filesize
8KB

Download
memory/1280-55-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download

description	pid	process	target process
PID 1280 wrote to memory of 1640	1280	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe
PID 1280 wrote to memory of 1640	1280	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe
PID 1280 wrote to memory of 1640	1280	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe
PID 1280 wrote to memory of 1640	1280	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe
PID 1280 wrote to memory of 996	1280	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe
PID 1280 wrote to memory of 996	1280	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe
PID 1280 wrote to memory of 996	1280	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe
PID 1280 wrote to memory of 996	1280	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe
PID 1280 wrote to memory of 996	1280	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe
PID 1280 wrote to memory of 996	1280	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe
PID 1280 wrote to memory of 996	1280	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe
PID 1280 wrote to memory of 996	1280	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe
PID 1280 wrote to memory of 996	1280	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe
PID 1280 wrote to memory of 996	1280	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe
PID 1280 wrote to memory of 996	1280	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe
PID 1280 wrote to memory of 996	1280	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe	25c6adccf79837e3e641d5c5b09759db41ae89f45eb336dece91642416f8c4bc.exe

Analysis

Sharing