a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5

General

Target

a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5.exe
Size

280KB
MD5

36c20efb5656068007a50db4e8f7da6e
SHA1

5a8a77fcf96163b6f41e29a25625042dee2b38cf
SHA256

a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5
SHA512

b4838ca66998b186010a0c6742ccceac9a636ff4d056bd22a0cad3cc2ede64b56ef42af1d768ce57e3c21f80b896578f4ff9daefb4988f4502d171b1b0c2bdba
SSDEEP

6144:/n95LIA8AJzCtA0vc+JkdjMyEaORIWDhjv6:/jLIA92E+yBM2ORNDhjv

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2016	sesnaesttoo.exe
756	sesnaesttoo.exe

Loads dropped DLL 3 IoCs

pid	Process
1068	a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5.exe
1068	a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5.exe
2016	sesnaesttoo.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Driver Control Manager v7.7 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sesnaesttoo.exe"	a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver Control Manager v7.7 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sesnaesttoo.exe"	a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2012 set thread context of 1068	2012	a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5.exe	27
PID 2016 set thread context of 756	2016	sesnaesttoo.exe	29

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2012	a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5.exe
2016	sesnaesttoo.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1068	2012	a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5.exe	27
PID 2012 wrote to memory of 1068	2012	a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5.exe	27
PID 2012 wrote to memory of 1068	2012	a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5.exe	27
PID 2012 wrote to memory of 1068	2012	a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5.exe	27
PID 2012 wrote to memory of 1068	2012	a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5.exe	27
PID 2012 wrote to memory of 1068	2012	a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5.exe	27
PID 2012 wrote to memory of 1068	2012	a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5.exe	27
PID 2012 wrote to memory of 1068	2012	a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5.exe	27
PID 2012 wrote to memory of 1068	2012	a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5.exe	27
PID 1068 wrote to memory of 2016	1068	a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5.exe	28
PID 1068 wrote to memory of 2016	1068	a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5.exe	28
PID 1068 wrote to memory of 2016	1068	a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5.exe	28
PID 1068 wrote to memory of 2016	1068	a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5.exe	28
PID 2016 wrote to memory of 756	2016	sesnaesttoo.exe	29
PID 2016 wrote to memory of 756	2016	sesnaesttoo.exe	29
PID 2016 wrote to memory of 756	2016	sesnaesttoo.exe	29
PID 2016 wrote to memory of 756	2016	sesnaesttoo.exe	29
PID 2016 wrote to memory of 756	2016	sesnaesttoo.exe	29
PID 2016 wrote to memory of 756	2016	sesnaesttoo.exe	29
PID 2016 wrote to memory of 756	2016	sesnaesttoo.exe	29
PID 2016 wrote to memory of 756	2016	sesnaesttoo.exe	29
PID 2016 wrote to memory of 756	2016	sesnaesttoo.exe	29

C:\Users\Admin\AppData\Local\Temp\a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5.exe
"C:\Users\Admin\AppData\Local\Temp\a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5.exe
  "C:\Users\Admin\AppData\Local\Temp\a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Users\Admin\AppData\Local\Temp\sesnaesttoo.exe
    "C:\Users\Admin\AppData\Local\Temp\sesnaesttoo.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Users\Admin\AppData\Local\Temp\sesnaesttoo.exe
      "C:\Users\Admin\AppData\Local\Temp\sesnaesttoo.exe"
      4⤵
      Executes dropped EXE
      PID:756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sesnaesttoo.exe

Filesize
280KB

MD5
36c20efb5656068007a50db4e8f7da6e

SHA1
5a8a77fcf96163b6f41e29a25625042dee2b38cf

SHA256
a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5

SHA512
b4838ca66998b186010a0c6742ccceac9a636ff4d056bd22a0cad3cc2ede64b56ef42af1d768ce57e3c21f80b896578f4ff9daefb4988f4502d171b1b0c2bdba

Download Submit
C:\Users\Admin\AppData\Local\Temp\sesnaesttoo.exe

Filesize
280KB

MD5
36c20efb5656068007a50db4e8f7da6e

SHA1
5a8a77fcf96163b6f41e29a25625042dee2b38cf

SHA256
a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5

SHA512
b4838ca66998b186010a0c6742ccceac9a636ff4d056bd22a0cad3cc2ede64b56ef42af1d768ce57e3c21f80b896578f4ff9daefb4988f4502d171b1b0c2bdba

Download Submit
C:\Users\Admin\AppData\Local\Temp\sesnaesttoo.exe

Filesize
280KB

MD5
36c20efb5656068007a50db4e8f7da6e

SHA1
5a8a77fcf96163b6f41e29a25625042dee2b38cf

SHA256
a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5

SHA512
b4838ca66998b186010a0c6742ccceac9a636ff4d056bd22a0cad3cc2ede64b56ef42af1d768ce57e3c21f80b896578f4ff9daefb4988f4502d171b1b0c2bdba

Download Submit
\Users\Admin\AppData\Local\Temp\sesnaesttoo.exe

Filesize
280KB

MD5
36c20efb5656068007a50db4e8f7da6e

SHA1
5a8a77fcf96163b6f41e29a25625042dee2b38cf

SHA256
a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5

SHA512
b4838ca66998b186010a0c6742ccceac9a636ff4d056bd22a0cad3cc2ede64b56ef42af1d768ce57e3c21f80b896578f4ff9daefb4988f4502d171b1b0c2bdba

Download Submit
\Users\Admin\AppData\Local\Temp\sesnaesttoo.exe

Filesize
280KB

MD5
36c20efb5656068007a50db4e8f7da6e

SHA1
5a8a77fcf96163b6f41e29a25625042dee2b38cf

SHA256
a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5

SHA512
b4838ca66998b186010a0c6742ccceac9a636ff4d056bd22a0cad3cc2ede64b56ef42af1d768ce57e3c21f80b896578f4ff9daefb4988f4502d171b1b0c2bdba

Download Submit
\Users\Admin\AppData\Local\Temp\sesnaesttoo.exe

Filesize
280KB

MD5
36c20efb5656068007a50db4e8f7da6e

SHA1
5a8a77fcf96163b6f41e29a25625042dee2b38cf

SHA256
a43ad0b8c507d8e4a8b2466b17c9b94a5a28bde5a784f94859492d2e3286d6d5

SHA512
b4838ca66998b186010a0c6742ccceac9a636ff4d056bd22a0cad3cc2ede64b56ef42af1d768ce57e3c21f80b896578f4ff9daefb4988f4502d171b1b0c2bdba

Download Submit
memory/756-82-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/756-80-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1068-62-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1068-56-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1068-61-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1068-78-0x0000000000220000-0x000000000026D000-memory.dmp

Filesize
308KB

Download
memory/1068-79-0x0000000000220000-0x000000000026D000-memory.dmp

Filesize
308KB

Download
memory/1068-59-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/1068-81-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2012-60-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2016-74-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing