f27721237a1388d7c3f5d88213cdbc0ae88d1d1d1fcb75e6a32a93776ec991d1

General

Target

f27721237a1388d7c3f5d88213cdbc0ae88d1d1d1fcb75e6a32a93776ec991d1.exe
Size

65KB
MD5

6e005f820d0d5af4744efe505bb427b5
SHA1

f2b17a938743101c3cd05b77d7acd835d3d9ba91
SHA256

f27721237a1388d7c3f5d88213cdbc0ae88d1d1d1fcb75e6a32a93776ec991d1
SHA512

3db74d04bb356a583b3d7401093e6c82450ee22746206d081abe05dfaf072248861e84269fb00cda50d71f1fe7f2c80f73b0ad22868624f741743e90ee797e59
SSDEEP

1536:KPFYgIzz2OQdfgB3KEkWAfN8pO2D1hjuWOmeVXQVVzL:BZzIQZk9fN8RjurfgV9

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
732	sesdessetri.exe
4360	sesdessetri.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5068-134-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral2/memory/5068-138-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral2/files/0x0007000000022e30-142.dat	upx
behavioral2/files/0x0007000000022e30-143.dat	upx
behavioral2/memory/732-147-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral2/files/0x0007000000022e30-150.dat	upx
behavioral2/memory/732-152-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Driver Control Manager v8.1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sesdessetri.exe"	f27721237a1388d7c3f5d88213cdbc0ae88d1d1d1fcb75e6a32a93776ec991d1.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	f27721237a1388d7c3f5d88213cdbc0ae88d1d1d1fcb75e6a32a93776ec991d1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver Control Manager v8.1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sesdessetri.exe"	f27721237a1388d7c3f5d88213cdbc0ae88d1d1d1fcb75e6a32a93776ec991d1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	f27721237a1388d7c3f5d88213cdbc0ae88d1d1d1fcb75e6a32a93776ec991d1.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5068 set thread context of 2032	5068	f27721237a1388d7c3f5d88213cdbc0ae88d1d1d1fcb75e6a32a93776ec991d1.exe	84
PID 732 set thread context of 4360	732	sesdessetri.exe	86

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5068	f27721237a1388d7c3f5d88213cdbc0ae88d1d1d1fcb75e6a32a93776ec991d1.exe
732	sesdessetri.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 2032	5068	f27721237a1388d7c3f5d88213cdbc0ae88d1d1d1fcb75e6a32a93776ec991d1.exe	84
PID 5068 wrote to memory of 2032	5068	f27721237a1388d7c3f5d88213cdbc0ae88d1d1d1fcb75e6a32a93776ec991d1.exe	84
PID 5068 wrote to memory of 2032	5068	f27721237a1388d7c3f5d88213cdbc0ae88d1d1d1fcb75e6a32a93776ec991d1.exe	84
PID 5068 wrote to memory of 2032	5068	f27721237a1388d7c3f5d88213cdbc0ae88d1d1d1fcb75e6a32a93776ec991d1.exe	84
PID 5068 wrote to memory of 2032	5068	f27721237a1388d7c3f5d88213cdbc0ae88d1d1d1fcb75e6a32a93776ec991d1.exe	84
PID 5068 wrote to memory of 2032	5068	f27721237a1388d7c3f5d88213cdbc0ae88d1d1d1fcb75e6a32a93776ec991d1.exe	84
PID 5068 wrote to memory of 2032	5068	f27721237a1388d7c3f5d88213cdbc0ae88d1d1d1fcb75e6a32a93776ec991d1.exe	84
PID 5068 wrote to memory of 2032	5068	f27721237a1388d7c3f5d88213cdbc0ae88d1d1d1fcb75e6a32a93776ec991d1.exe	84
PID 2032 wrote to memory of 732	2032	f27721237a1388d7c3f5d88213cdbc0ae88d1d1d1fcb75e6a32a93776ec991d1.exe	85
PID 2032 wrote to memory of 732	2032	f27721237a1388d7c3f5d88213cdbc0ae88d1d1d1fcb75e6a32a93776ec991d1.exe	85
PID 2032 wrote to memory of 732	2032	f27721237a1388d7c3f5d88213cdbc0ae88d1d1d1fcb75e6a32a93776ec991d1.exe	85
PID 732 wrote to memory of 4360	732	sesdessetri.exe	86
PID 732 wrote to memory of 4360	732	sesdessetri.exe	86
PID 732 wrote to memory of 4360	732	sesdessetri.exe	86
PID 732 wrote to memory of 4360	732	sesdessetri.exe	86
PID 732 wrote to memory of 4360	732	sesdessetri.exe	86
PID 732 wrote to memory of 4360	732	sesdessetri.exe	86
PID 732 wrote to memory of 4360	732	sesdessetri.exe	86
PID 732 wrote to memory of 4360	732	sesdessetri.exe	86

C:\Users\Admin\AppData\Local\Temp\f27721237a1388d7c3f5d88213cdbc0ae88d1d1d1fcb75e6a32a93776ec991d1.exe
"C:\Users\Admin\AppData\Local\Temp\f27721237a1388d7c3f5d88213cdbc0ae88d1d1d1fcb75e6a32a93776ec991d1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Users\Admin\AppData\Local\Temp\f27721237a1388d7c3f5d88213cdbc0ae88d1d1d1fcb75e6a32a93776ec991d1.exe
  "C:\Users\Admin\AppData\Local\Temp\f27721237a1388d7c3f5d88213cdbc0ae88d1d1d1fcb75e6a32a93776ec991d1.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\sesdessetri.exe
    "C:\Users\Admin\AppData\Local\Temp\sesdessetri.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:732
  - - C:\Users\Admin\AppData\Local\Temp\sesdessetri.exe
      "C:\Users\Admin\AppData\Local\Temp\sesdessetri.exe"
      4⤵
      Executes dropped EXE
      PID:4360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sesdessetri.exe

Filesize
65KB

MD5
6e005f820d0d5af4744efe505bb427b5

SHA1
f2b17a938743101c3cd05b77d7acd835d3d9ba91

SHA256
f27721237a1388d7c3f5d88213cdbc0ae88d1d1d1fcb75e6a32a93776ec991d1

SHA512
3db74d04bb356a583b3d7401093e6c82450ee22746206d081abe05dfaf072248861e84269fb00cda50d71f1fe7f2c80f73b0ad22868624f741743e90ee797e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\sesdessetri.exe

Filesize
65KB

MD5
6e005f820d0d5af4744efe505bb427b5

SHA1
f2b17a938743101c3cd05b77d7acd835d3d9ba91

SHA256
f27721237a1388d7c3f5d88213cdbc0ae88d1d1d1fcb75e6a32a93776ec991d1

SHA512
3db74d04bb356a583b3d7401093e6c82450ee22746206d081abe05dfaf072248861e84269fb00cda50d71f1fe7f2c80f73b0ad22868624f741743e90ee797e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\sesdessetri.exe

Filesize
65KB

MD5
6e005f820d0d5af4744efe505bb427b5

SHA1
f2b17a938743101c3cd05b77d7acd835d3d9ba91

SHA256
f27721237a1388d7c3f5d88213cdbc0ae88d1d1d1fcb75e6a32a93776ec991d1

SHA512
3db74d04bb356a583b3d7401093e6c82450ee22746206d081abe05dfaf072248861e84269fb00cda50d71f1fe7f2c80f73b0ad22868624f741743e90ee797e59

Download Submit
memory/732-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/732-147-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2032-146-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2032-136-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2032-140-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2032-139-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4360-153-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4360-154-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4360-155-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/5068-138-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5068-134-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing