862b6e7fba1a8f9ff99ce9e3e1bb917cd102a618c62e2fbcbb93d363e7d4d18a

General

Target

862b6e7fba1a8f9ff99ce9e3e1bb917cd102a618c62e2fbcbb93d363e7d4d18a.exe
Size

132KB
MD5

917067692a2ede11a88ad5ca3480644d
SHA1

158d93977fa4a2a28cebf6ba149d8015a7eeb6db
SHA256

862b6e7fba1a8f9ff99ce9e3e1bb917cd102a618c62e2fbcbb93d363e7d4d18a
SHA512

0370ee6184e9506bb21a6c1c25647554f468791615975f1b2ab92caf49c44ed9890722e403d927b55795a7a596a271e9d461c61cb8df8a73a2967313dc474b3d
SSDEEP

1536:w5iBob+w76Mj+wpw7/BUctSqIOevWFODz8OKh1YjNvDaPLABapUL0AGeujS97VqT:EbDi5UctznIHnK8ZLo7UYAGW9o

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1768	taskhost.exe
1976	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1620	862b6e7fba1a8f9ff99ce9e3e1bb917cd102a618c62e2fbcbb93d363e7d4d18a.exe
1620	862b6e7fba1a8f9ff99ce9e3e1bb917cd102a618c62e2fbcbb93d363e7d4d18a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	862b6e7fba1a8f9ff99ce9e3e1bb917cd102a618c62e2fbcbb93d363e7d4d18a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Taskhost = "C:\\Users\\Admin\\AppData\\Roaming\\taskhost.exe"	862b6e7fba1a8f9ff99ce9e3e1bb917cd102a618c62e2fbcbb93d363e7d4d18a.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1104 set thread context of 1620	1104	862b6e7fba1a8f9ff99ce9e3e1bb917cd102a618c62e2fbcbb93d363e7d4d18a.exe	27
PID 1768 set thread context of 1976	1768	taskhost.exe	29

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 1620	1104	862b6e7fba1a8f9ff99ce9e3e1bb917cd102a618c62e2fbcbb93d363e7d4d18a.exe	27
PID 1104 wrote to memory of 1620	1104	862b6e7fba1a8f9ff99ce9e3e1bb917cd102a618c62e2fbcbb93d363e7d4d18a.exe	27
PID 1104 wrote to memory of 1620	1104	862b6e7fba1a8f9ff99ce9e3e1bb917cd102a618c62e2fbcbb93d363e7d4d18a.exe	27
PID 1104 wrote to memory of 1620	1104	862b6e7fba1a8f9ff99ce9e3e1bb917cd102a618c62e2fbcbb93d363e7d4d18a.exe	27
PID 1104 wrote to memory of 1620	1104	862b6e7fba1a8f9ff99ce9e3e1bb917cd102a618c62e2fbcbb93d363e7d4d18a.exe	27
PID 1104 wrote to memory of 1620	1104	862b6e7fba1a8f9ff99ce9e3e1bb917cd102a618c62e2fbcbb93d363e7d4d18a.exe	27
PID 1620 wrote to memory of 1768	1620	862b6e7fba1a8f9ff99ce9e3e1bb917cd102a618c62e2fbcbb93d363e7d4d18a.exe	28
PID 1620 wrote to memory of 1768	1620	862b6e7fba1a8f9ff99ce9e3e1bb917cd102a618c62e2fbcbb93d363e7d4d18a.exe	28
PID 1620 wrote to memory of 1768	1620	862b6e7fba1a8f9ff99ce9e3e1bb917cd102a618c62e2fbcbb93d363e7d4d18a.exe	28
PID 1620 wrote to memory of 1768	1620	862b6e7fba1a8f9ff99ce9e3e1bb917cd102a618c62e2fbcbb93d363e7d4d18a.exe	28
PID 1768 wrote to memory of 1976	1768	taskhost.exe	29
PID 1768 wrote to memory of 1976	1768	taskhost.exe	29
PID 1768 wrote to memory of 1976	1768	taskhost.exe	29
PID 1768 wrote to memory of 1976	1768	taskhost.exe	29
PID 1768 wrote to memory of 1976	1768	taskhost.exe	29
PID 1768 wrote to memory of 1976	1768	taskhost.exe	29

C:\Users\Admin\AppData\Local\Temp\862b6e7fba1a8f9ff99ce9e3e1bb917cd102a618c62e2fbcbb93d363e7d4d18a.exe
"C:\Users\Admin\AppData\Local\Temp\862b6e7fba1a8f9ff99ce9e3e1bb917cd102a618c62e2fbcbb93d363e7d4d18a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Admin\AppData\Local\Temp\862b6e7fba1a8f9ff99ce9e3e1bb917cd102a618c62e2fbcbb93d363e7d4d18a.exe
  C:\Users\Admin\AppData\Local\Temp\862b6e7fba1a8f9ff99ce9e3e1bb917cd102a618c62e2fbcbb93d363e7d4d18a.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Users\Admin\AppData\Roaming\taskhost.exe
    C:\Users\Admin\AppData\Roaming\taskhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Users\Admin\AppData\Roaming\taskhost.exe
      C:\Users\Admin\AppData\Roaming\taskhost.exe
      4⤵
      Executes dropped EXE
      PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
132KB

MD5
616f570b3d880753c0654a8fe7a71df4

SHA1
be9fe2be65c463fef1d483ce6445fb2be7371d14

SHA256
07bdae9deb3181a8ac0be818c70e04502daa01514f5093a2b112a2399f656bc5

SHA512
13d570596a11b0c2a671e0764662c84bb078328a4a5f87101d85fb51cfd717b519f4585986564b1bb6de035f63305bcc76cb5331fe02725532727ba9725af30f

Download Submit
C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
132KB

MD5
616f570b3d880753c0654a8fe7a71df4

SHA1
be9fe2be65c463fef1d483ce6445fb2be7371d14

SHA256
07bdae9deb3181a8ac0be818c70e04502daa01514f5093a2b112a2399f656bc5

SHA512
13d570596a11b0c2a671e0764662c84bb078328a4a5f87101d85fb51cfd717b519f4585986564b1bb6de035f63305bcc76cb5331fe02725532727ba9725af30f

Download Submit
C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
132KB

MD5
616f570b3d880753c0654a8fe7a71df4

SHA1
be9fe2be65c463fef1d483ce6445fb2be7371d14

SHA256
07bdae9deb3181a8ac0be818c70e04502daa01514f5093a2b112a2399f656bc5

SHA512
13d570596a11b0c2a671e0764662c84bb078328a4a5f87101d85fb51cfd717b519f4585986564b1bb6de035f63305bcc76cb5331fe02725532727ba9725af30f

Download Submit
\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
132KB

MD5
616f570b3d880753c0654a8fe7a71df4

SHA1
be9fe2be65c463fef1d483ce6445fb2be7371d14

SHA256
07bdae9deb3181a8ac0be818c70e04502daa01514f5093a2b112a2399f656bc5

SHA512
13d570596a11b0c2a671e0764662c84bb078328a4a5f87101d85fb51cfd717b519f4585986564b1bb6de035f63305bcc76cb5331fe02725532727ba9725af30f

Download Submit
\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
132KB

MD5
616f570b3d880753c0654a8fe7a71df4

SHA1
be9fe2be65c463fef1d483ce6445fb2be7371d14

SHA256
07bdae9deb3181a8ac0be818c70e04502daa01514f5093a2b112a2399f656bc5

SHA512
13d570596a11b0c2a671e0764662c84bb078328a4a5f87101d85fb51cfd717b519f4585986564b1bb6de035f63305bcc76cb5331fe02725532727ba9725af30f

Download Submit
memory/1620-60-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1620-54-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1620-59-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/1620-57-0x000000000040B6D6-mapping.dmp

Download
memory/1620-56-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1620-74-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1768-63-0x0000000000000000-mapping.dmp

Download
memory/1976-69-0x000000000040B6D6-mapping.dmp

Download
memory/1976-75-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing