58a03ffed9dfd1e40f33533e753a5156b4f0aea6141241c88da8092ea28f7e25

General

Target

58a03ffed9dfd1e40f33533e753a5156b4f0aea6141241c88da8092ea28f7e25.exe
Size

1.2MB
MD5

2f124ecc985327a9d6301903a84934ab
SHA1

4127429360e0da12c2bfa4bbde3f36f06a25a01e
SHA256

58a03ffed9dfd1e40f33533e753a5156b4f0aea6141241c88da8092ea28f7e25
SHA512

1a809b9addabbcb6d71d9dd841dffc1def7e2138d3f7f6bb9676cb73fd12922309198ae084ae571c3dfe510bd86e64bba379fb99aa331493d4ca272fc06087d1
SSDEEP

12288:1cwUADV+rMO8IrRiFz5dZYMUQPQvGzb7ECWEwy/yy+ns6/:TbgrMz8R25UPQPd3Egqys

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1300	KgsWaPDOAuai.exe
1112	KgsWaPDOAuai.exe

Deletes itself 1 IoCs

pid	Process
1112	KgsWaPDOAuai.exe

Loads dropped DLL 4 IoCs

pid	Process
832	58a03ffed9dfd1e40f33533e753a5156b4f0aea6141241c88da8092ea28f7e25.exe
832	58a03ffed9dfd1e40f33533e753a5156b4f0aea6141241c88da8092ea28f7e25.exe
832	58a03ffed9dfd1e40f33533e753a5156b4f0aea6141241c88da8092ea28f7e25.exe
1112	KgsWaPDOAuai.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MUc7nsf6NG = "C:\\ProgramData\\ULldakdB51\\KgsWaPDOAuai.exe"	58a03ffed9dfd1e40f33533e753a5156b4f0aea6141241c88da8092ea28f7e25.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	58a03ffed9dfd1e40f33533e753a5156b4f0aea6141241c88da8092ea28f7e25.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1200 set thread context of 832	1200	58a03ffed9dfd1e40f33533e753a5156b4f0aea6141241c88da8092ea28f7e25.exe	27
PID 1300 set thread context of 1112	1300	KgsWaPDOAuai.exe	29
PID 1112 set thread context of 1768	1112	KgsWaPDOAuai.exe	30

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 832	1200	58a03ffed9dfd1e40f33533e753a5156b4f0aea6141241c88da8092ea28f7e25.exe	27
PID 1200 wrote to memory of 832	1200	58a03ffed9dfd1e40f33533e753a5156b4f0aea6141241c88da8092ea28f7e25.exe	27
PID 1200 wrote to memory of 832	1200	58a03ffed9dfd1e40f33533e753a5156b4f0aea6141241c88da8092ea28f7e25.exe	27
PID 1200 wrote to memory of 832	1200	58a03ffed9dfd1e40f33533e753a5156b4f0aea6141241c88da8092ea28f7e25.exe	27
PID 1200 wrote to memory of 832	1200	58a03ffed9dfd1e40f33533e753a5156b4f0aea6141241c88da8092ea28f7e25.exe	27
PID 1200 wrote to memory of 832	1200	58a03ffed9dfd1e40f33533e753a5156b4f0aea6141241c88da8092ea28f7e25.exe	27
PID 832 wrote to memory of 1300	832	58a03ffed9dfd1e40f33533e753a5156b4f0aea6141241c88da8092ea28f7e25.exe	28
PID 832 wrote to memory of 1300	832	58a03ffed9dfd1e40f33533e753a5156b4f0aea6141241c88da8092ea28f7e25.exe	28
PID 832 wrote to memory of 1300	832	58a03ffed9dfd1e40f33533e753a5156b4f0aea6141241c88da8092ea28f7e25.exe	28
PID 832 wrote to memory of 1300	832	58a03ffed9dfd1e40f33533e753a5156b4f0aea6141241c88da8092ea28f7e25.exe	28
PID 1300 wrote to memory of 1112	1300	KgsWaPDOAuai.exe	29
PID 1300 wrote to memory of 1112	1300	KgsWaPDOAuai.exe	29
PID 1300 wrote to memory of 1112	1300	KgsWaPDOAuai.exe	29
PID 1300 wrote to memory of 1112	1300	KgsWaPDOAuai.exe	29
PID 1300 wrote to memory of 1112	1300	KgsWaPDOAuai.exe	29
PID 1300 wrote to memory of 1112	1300	KgsWaPDOAuai.exe	29
PID 1112 wrote to memory of 1768	1112	KgsWaPDOAuai.exe	30
PID 1112 wrote to memory of 1768	1112	KgsWaPDOAuai.exe	30
PID 1112 wrote to memory of 1768	1112	KgsWaPDOAuai.exe	30
PID 1112 wrote to memory of 1768	1112	KgsWaPDOAuai.exe	30
PID 1112 wrote to memory of 1768	1112	KgsWaPDOAuai.exe	30
PID 1112 wrote to memory of 1768	1112	KgsWaPDOAuai.exe	30

C:\Users\Admin\AppData\Local\Temp\58a03ffed9dfd1e40f33533e753a5156b4f0aea6141241c88da8092ea28f7e25.exe
"C:\Users\Admin\AppData\Local\Temp\58a03ffed9dfd1e40f33533e753a5156b4f0aea6141241c88da8092ea28f7e25.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\58a03ffed9dfd1e40f33533e753a5156b4f0aea6141241c88da8092ea28f7e25.exe
  "C:\Users\Admin\AppData\Local\Temp\58a03ffed9dfd1e40f33533e753a5156b4f0aea6141241c88da8092ea28f7e25.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\ProgramData\ULldakdB51\KgsWaPDOAuai.exe
    "C:\ProgramData\ULldakdB51\KgsWaPDOAuai.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\ProgramData\ULldakdB51\KgsWaPDOAuai.exe
      "C:\ProgramData\ULldakdB51\KgsWaPDOAuai.exe"
      4⤵
      Executes dropped EXE
      Deletes itself
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1112
    - - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe" /i:1112
        5⤵
        
        PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ULldakdB51\KgsWaPDOAuai.exe

Filesize
1.2MB

MD5
799d6f5262eaeddc34eaca9ee1e0c47f

SHA1
795e9ef99bbde6365a9886145b5c3c17c93fb784

SHA256
c9d82830d34d76f23968bd804c03cb7cc05f1524d3588ebe6c89782f1d6a1e51

SHA512
bd31dabe47edcf22880c6646da90be395d1a115679802b20374d2b5c656182c169d11114d8f13d9e89bb6eff7668c0d2ad0784fff67d164b102ef2d75278592d

Download Submit
C:\ProgramData\ULldakdB51\KgsWaPDOAuai.exe

Filesize
1.2MB

MD5
799d6f5262eaeddc34eaca9ee1e0c47f

SHA1
795e9ef99bbde6365a9886145b5c3c17c93fb784

SHA256
c9d82830d34d76f23968bd804c03cb7cc05f1524d3588ebe6c89782f1d6a1e51

SHA512
bd31dabe47edcf22880c6646da90be395d1a115679802b20374d2b5c656182c169d11114d8f13d9e89bb6eff7668c0d2ad0784fff67d164b102ef2d75278592d

Download Submit
C:\ProgramData\ULldakdB51\KgsWaPDOAuai.exe

Filesize
1.2MB

MD5
799d6f5262eaeddc34eaca9ee1e0c47f

SHA1
795e9ef99bbde6365a9886145b5c3c17c93fb784

SHA256
c9d82830d34d76f23968bd804c03cb7cc05f1524d3588ebe6c89782f1d6a1e51

SHA512
bd31dabe47edcf22880c6646da90be395d1a115679802b20374d2b5c656182c169d11114d8f13d9e89bb6eff7668c0d2ad0784fff67d164b102ef2d75278592d

Download Submit
\ProgramData\ULldakdB51\KgsWaPDOAuai.exe

Filesize
1.2MB

MD5
2f124ecc985327a9d6301903a84934ab

SHA1
4127429360e0da12c2bfa4bbde3f36f06a25a01e

SHA256
58a03ffed9dfd1e40f33533e753a5156b4f0aea6141241c88da8092ea28f7e25

SHA512
1a809b9addabbcb6d71d9dd841dffc1def7e2138d3f7f6bb9676cb73fd12922309198ae084ae571c3dfe510bd86e64bba379fb99aa331493d4ca272fc06087d1

Download Submit
\ProgramData\ULldakdB51\KgsWaPDOAuai.exe

Filesize
1.2MB

MD5
799d6f5262eaeddc34eaca9ee1e0c47f

SHA1
795e9ef99bbde6365a9886145b5c3c17c93fb784

SHA256
c9d82830d34d76f23968bd804c03cb7cc05f1524d3588ebe6c89782f1d6a1e51

SHA512
bd31dabe47edcf22880c6646da90be395d1a115679802b20374d2b5c656182c169d11114d8f13d9e89bb6eff7668c0d2ad0784fff67d164b102ef2d75278592d

Download Submit
\ProgramData\ULldakdB51\KgsWaPDOAuai.exe

Filesize
1.2MB

MD5
799d6f5262eaeddc34eaca9ee1e0c47f

SHA1
795e9ef99bbde6365a9886145b5c3c17c93fb784

SHA256
c9d82830d34d76f23968bd804c03cb7cc05f1524d3588ebe6c89782f1d6a1e51

SHA512
bd31dabe47edcf22880c6646da90be395d1a115679802b20374d2b5c656182c169d11114d8f13d9e89bb6eff7668c0d2ad0784fff67d164b102ef2d75278592d

Download Submit
\Users\Admin\AppData\Local\Temp\Vd2qipX4OF13Fu.exe

Filesize
1.2MB

MD5
799d6f5262eaeddc34eaca9ee1e0c47f

SHA1
795e9ef99bbde6365a9886145b5c3c17c93fb784

SHA256
c9d82830d34d76f23968bd804c03cb7cc05f1524d3588ebe6c89782f1d6a1e51

SHA512
bd31dabe47edcf22880c6646da90be395d1a115679802b20374d2b5c656182c169d11114d8f13d9e89bb6eff7668c0d2ad0784fff67d164b102ef2d75278592d

Download Submit
memory/832-62-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/832-59-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/832-60-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/832-67-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/832-57-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/832-55-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1112-78-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1112-85-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1200-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1768-86-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1768-87-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing