10c9751d632064ff93e3cb09b007768dc6ca538224b63dc8207fde061fa86d7e

General

Target

10c9751d632064ff93e3cb09b007768dc6ca538224b63dc8207fde061fa86d7e.exe
Size

172KB
MD5

00e7324afa916bd973ba4e2914098faf
SHA1

58cb22f90df6dcc85749bb233aec5ec1d91d2b92
SHA256

10c9751d632064ff93e3cb09b007768dc6ca538224b63dc8207fde061fa86d7e
SHA512

b373a984abff2da8f7109f42fe2fb94130abf8d9748523272b9545151aa23a53ff71f1b774eb0434ac7afffc3f88844c6380389983384c4ae4dd1bd2b6c01b6c
SSDEEP

3072:w+/eO6r12VjjqUM5Vn5L8NJ5f+8ciuR4S7Tb2QSh7H:w+28VjqV5+GfPU7H

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\dskchk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10c9751d632064ff93e3cb09b007768dc6ca538224b63dc8207fde061fa86d7e.exe"	regedit.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1388 set thread context of 1536	1388	10c9751d632064ff93e3cb09b007768dc6ca538224b63dc8207fde061fa86d7e.exe	26

Runs regedit.exe 1 IoCs

pid	Process
964	regedit.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1536	1388	10c9751d632064ff93e3cb09b007768dc6ca538224b63dc8207fde061fa86d7e.exe	26
PID 1388 wrote to memory of 1536	1388	10c9751d632064ff93e3cb09b007768dc6ca538224b63dc8207fde061fa86d7e.exe	26
PID 1388 wrote to memory of 1536	1388	10c9751d632064ff93e3cb09b007768dc6ca538224b63dc8207fde061fa86d7e.exe	26
PID 1388 wrote to memory of 1536	1388	10c9751d632064ff93e3cb09b007768dc6ca538224b63dc8207fde061fa86d7e.exe	26
PID 1388 wrote to memory of 1536	1388	10c9751d632064ff93e3cb09b007768dc6ca538224b63dc8207fde061fa86d7e.exe	26
PID 1388 wrote to memory of 1536	1388	10c9751d632064ff93e3cb09b007768dc6ca538224b63dc8207fde061fa86d7e.exe	26
PID 1388 wrote to memory of 1536	1388	10c9751d632064ff93e3cb09b007768dc6ca538224b63dc8207fde061fa86d7e.exe	26
PID 1388 wrote to memory of 1536	1388	10c9751d632064ff93e3cb09b007768dc6ca538224b63dc8207fde061fa86d7e.exe	26
PID 1388 wrote to memory of 1536	1388	10c9751d632064ff93e3cb09b007768dc6ca538224b63dc8207fde061fa86d7e.exe	26
PID 1388 wrote to memory of 1536	1388	10c9751d632064ff93e3cb09b007768dc6ca538224b63dc8207fde061fa86d7e.exe	26
PID 1388 wrote to memory of 1536	1388	10c9751d632064ff93e3cb09b007768dc6ca538224b63dc8207fde061fa86d7e.exe	26
PID 1388 wrote to memory of 1536	1388	10c9751d632064ff93e3cb09b007768dc6ca538224b63dc8207fde061fa86d7e.exe	26
PID 1536 wrote to memory of 964	1536	10c9751d632064ff93e3cb09b007768dc6ca538224b63dc8207fde061fa86d7e.exe	27
PID 1536 wrote to memory of 964	1536	10c9751d632064ff93e3cb09b007768dc6ca538224b63dc8207fde061fa86d7e.exe	27
PID 1536 wrote to memory of 964	1536	10c9751d632064ff93e3cb09b007768dc6ca538224b63dc8207fde061fa86d7e.exe	27
PID 1536 wrote to memory of 964	1536	10c9751d632064ff93e3cb09b007768dc6ca538224b63dc8207fde061fa86d7e.exe	27

C:\Users\Admin\AppData\Local\Temp\10c9751d632064ff93e3cb09b007768dc6ca538224b63dc8207fde061fa86d7e.exe
"C:\Users\Admin\AppData\Local\Temp\10c9751d632064ff93e3cb09b007768dc6ca538224b63dc8207fde061fa86d7e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\10c9751d632064ff93e3cb09b007768dc6ca538224b63dc8207fde061fa86d7e.exe
  "C:\Users\Admin\AppData\Local\Temp\10c9751d632064ff93e3cb09b007768dc6ca538224b63dc8207fde061fa86d7e.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s C:\Users\Admin\AppData\Local\Temp\rtf53EB.tmp
    3⤵
    - Adds Run key to start application
    - Runs regedit.exe
    PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rtf53EB.tmp

Filesize
199B

MD5
a3b854d04eb23cb08839d9370ec7afdd

SHA1
efc96a7ebe1ddf4bf7faf121363434147c447757

SHA256
9f057e9d682ad7d8544c6cc2028e6eade8241e9a0c7078eccaeebc99ac99f447

SHA512
e6de8457ae0417008c02190f8b1f4b70c3f1e6438b898ecfb72df806fc9281602a3f917a16385e36c109d04848585c3d8731c026b2562189728339c0d226d0d4

Download Submit
memory/964-71-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1536-63-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1536-61-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1536-62-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1536-54-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1536-65-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1536-68-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1536-69-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1536-59-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1536-57-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1536-55-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1536-73-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing