6c9d80521de98292ff5c53d7ae6ce0bb29d8814182a6c8adc8595b98e8833aad

General

Target

6c9d80521de98292ff5c53d7ae6ce0bb29d8814182a6c8adc8595b98e8833aad.exe
Size

124KB
MD5

0cb31cf501e1d0cfe6e0a26df5525850
SHA1

75d6092570e384c7a0578f0bde286362eea32844
SHA256

6c9d80521de98292ff5c53d7ae6ce0bb29d8814182a6c8adc8595b98e8833aad
SHA512

d28934edd537f6ba4f562806f1a40eb90d754c2caa4974d772e8b4c79a728382133c3d5b13bdaf5f7401e4ad8b1f59faaf7589821d3b6e7b065a82bc1375c82a
SSDEEP

1536:vLBYbzcsgkNn4jnstTfIGsXbJyBnZuZ27ogIlt7TeNJOSA5mEY7X05uHaW34k5RZ:zLjnstTf9ZuZ2MgGwQ/2auHaFq4UvJ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3992	rtiu1rf.exe
3568	rtiu1rf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	6c9d80521de98292ff5c53d7ae6ce0bb29d8814182a6c8adc8595b98e8833aad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c8vj = "C:\\Users\\Admin\\AppData\\Roaming\\rtiu1rf.exe"	6c9d80521de98292ff5c53d7ae6ce0bb29d8814182a6c8adc8595b98e8833aad.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1380 set thread context of 4208	1380	6c9d80521de98292ff5c53d7ae6ce0bb29d8814182a6c8adc8595b98e8833aad.exe	83
PID 3992 set thread context of 3568	3992	rtiu1rf.exe	87

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3424	1380	WerFault.exe	82
3084	3992	WerFault.exe	86

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 4208	1380	6c9d80521de98292ff5c53d7ae6ce0bb29d8814182a6c8adc8595b98e8833aad.exe	83
PID 1380 wrote to memory of 4208	1380	6c9d80521de98292ff5c53d7ae6ce0bb29d8814182a6c8adc8595b98e8833aad.exe	83
PID 1380 wrote to memory of 4208	1380	6c9d80521de98292ff5c53d7ae6ce0bb29d8814182a6c8adc8595b98e8833aad.exe	83
PID 1380 wrote to memory of 4208	1380	6c9d80521de98292ff5c53d7ae6ce0bb29d8814182a6c8adc8595b98e8833aad.exe	83
PID 1380 wrote to memory of 4208	1380	6c9d80521de98292ff5c53d7ae6ce0bb29d8814182a6c8adc8595b98e8833aad.exe	83
PID 4208 wrote to memory of 3992	4208	6c9d80521de98292ff5c53d7ae6ce0bb29d8814182a6c8adc8595b98e8833aad.exe	86
PID 4208 wrote to memory of 3992	4208	6c9d80521de98292ff5c53d7ae6ce0bb29d8814182a6c8adc8595b98e8833aad.exe	86
PID 4208 wrote to memory of 3992	4208	6c9d80521de98292ff5c53d7ae6ce0bb29d8814182a6c8adc8595b98e8833aad.exe	86
PID 3992 wrote to memory of 3568	3992	rtiu1rf.exe	87
PID 3992 wrote to memory of 3568	3992	rtiu1rf.exe	87
PID 3992 wrote to memory of 3568	3992	rtiu1rf.exe	87
PID 3992 wrote to memory of 3568	3992	rtiu1rf.exe	87
PID 3992 wrote to memory of 3568	3992	rtiu1rf.exe	87

C:\Users\Admin\AppData\Local\Temp\6c9d80521de98292ff5c53d7ae6ce0bb29d8814182a6c8adc8595b98e8833aad.exe
"C:\Users\Admin\AppData\Local\Temp\6c9d80521de98292ff5c53d7ae6ce0bb29d8814182a6c8adc8595b98e8833aad.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Users\Admin\AppData\Local\Temp\6c9d80521de98292ff5c53d7ae6ce0bb29d8814182a6c8adc8595b98e8833aad.exe
  C:\Users\Admin\AppData\Local\Temp\6c9d80521de98292ff5c53d7ae6ce0bb29d8814182a6c8adc8595b98e8833aad.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Users\Admin\AppData\Roaming\rtiu1rf.exe
    C:\Users\Admin\AppData\Roaming\rtiu1rf.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3992
  - - C:\Users\Admin\AppData\Roaming\rtiu1rf.exe
      C:\Users\Admin\AppData\Roaming\rtiu1rf.exe
      4⤵
      Executes dropped EXE
      PID:3568
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 312
      4⤵
      Program crash
      PID:3084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 304
  2⤵
  - Program crash
  PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1380 -ip 1380
1⤵
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3992 -ip 3992
1⤵
PID:1848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\rtiu1rf.exe

Filesize
124KB

MD5
5d416417c97c2de9c219fc68c5ae6875

SHA1
7fe7d8ae6ed477af78c8ed507a8ba7bec6acc517

SHA256
307da99e3f7d0da7a3e679acb645c63a2de33a37d72f32b0090c29c108ebe3bb

SHA512
707dcb9cb2e1a42637ddf1b89527d2ae60c0b67916ee397f6b377ebfe10aeccd4dd2e01e139da90480c2b1b7d098f718536206bb70ddd1486496ef19b9b25adc

Download Submit
C:\Users\Admin\AppData\Roaming\rtiu1rf.exe

Filesize
124KB

MD5
5d416417c97c2de9c219fc68c5ae6875

SHA1
7fe7d8ae6ed477af78c8ed507a8ba7bec6acc517

SHA256
307da99e3f7d0da7a3e679acb645c63a2de33a37d72f32b0090c29c108ebe3bb

SHA512
707dcb9cb2e1a42637ddf1b89527d2ae60c0b67916ee397f6b377ebfe10aeccd4dd2e01e139da90480c2b1b7d098f718536206bb70ddd1486496ef19b9b25adc

Download Submit
C:\Users\Admin\AppData\Roaming\rtiu1rf.exe

Filesize
124KB

MD5
5d416417c97c2de9c219fc68c5ae6875

SHA1
7fe7d8ae6ed477af78c8ed507a8ba7bec6acc517

SHA256
307da99e3f7d0da7a3e679acb645c63a2de33a37d72f32b0090c29c108ebe3bb

SHA512
707dcb9cb2e1a42637ddf1b89527d2ae60c0b67916ee397f6b377ebfe10aeccd4dd2e01e139da90480c2b1b7d098f718536206bb70ddd1486496ef19b9b25adc

Download Submit
memory/3568-142-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3568-143-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3568-145-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3568-146-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3568-147-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4208-135-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4208-134-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4208-133-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4208-144-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing