0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f

General

Target

0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe
Size

250KB
MD5

0abf508b51b95471c694f7a509179b19
SHA1

5d01020dfe6043437e93a812edc1fb49d04c0b2e
SHA256

0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f
SHA512

e3ee0d85861ddd1911d44cf7030b75119d26fdfd610ef17d6093995b994904b9e3f73ffa15e14581328c0f6b509137eb235702649542707804cfde7bff4ea06f
SSDEEP

6144:oxZ39gKTDKvQ3CVtlN2B3abwgADEdHhC1/pWUB/Zp35+fLA:orP6vQ3Ct328MgADEdBC/VRpJ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
112	WI5w5U21.exe
908	WI5w5U21.exe

Deletes itself 1 IoCs

pid	Process
908	WI5w5U21.exe

Loads dropped DLL 4 IoCs

pid	Process
1300	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe
1300	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe
1300	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe
908	WI5w5U21.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\RggjZod9 = "C:\\ProgramData\\Br7FCvam\\WI5w5U21.exe"	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1720 set thread context of 1300	1720	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe	27
PID 112 set thread context of 908	112	WI5w5U21.exe	29
PID 908 set thread context of 1120	908	WI5w5U21.exe	30

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1300	1720	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe	27
PID 1720 wrote to memory of 1300	1720	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe	27
PID 1720 wrote to memory of 1300	1720	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe	27
PID 1720 wrote to memory of 1300	1720	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe	27
PID 1720 wrote to memory of 1300	1720	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe	27
PID 1720 wrote to memory of 1300	1720	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe	27
PID 1300 wrote to memory of 112	1300	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe	28
PID 1300 wrote to memory of 112	1300	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe	28
PID 1300 wrote to memory of 112	1300	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe	28
PID 1300 wrote to memory of 112	1300	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe	28
PID 112 wrote to memory of 908	112	WI5w5U21.exe	29
PID 112 wrote to memory of 908	112	WI5w5U21.exe	29
PID 112 wrote to memory of 908	112	WI5w5U21.exe	29
PID 112 wrote to memory of 908	112	WI5w5U21.exe	29
PID 112 wrote to memory of 908	112	WI5w5U21.exe	29
PID 112 wrote to memory of 908	112	WI5w5U21.exe	29
PID 908 wrote to memory of 1120	908	WI5w5U21.exe	30
PID 908 wrote to memory of 1120	908	WI5w5U21.exe	30
PID 908 wrote to memory of 1120	908	WI5w5U21.exe	30
PID 908 wrote to memory of 1120	908	WI5w5U21.exe	30
PID 908 wrote to memory of 1120	908	WI5w5U21.exe	30
PID 908 wrote to memory of 1120	908	WI5w5U21.exe	30
PID 908 wrote to memory of 1120	908	WI5w5U21.exe	30
PID 908 wrote to memory of 1120	908	WI5w5U21.exe	30
PID 908 wrote to memory of 1120	908	WI5w5U21.exe	30

C:\Users\Admin\AppData\Local\Temp\0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe
"C:\Users\Admin\AppData\Local\Temp\0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe
  "C:\Users\Admin\AppData\Local\Temp\0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\ProgramData\Br7FCvam\WI5w5U21.exe
    "C:\ProgramData\Br7FCvam\WI5w5U21.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:112
  - - C:\ProgramData\Br7FCvam\WI5w5U21.exe
      "C:\ProgramData\Br7FCvam\WI5w5U21.exe"
      4⤵
      Executes dropped EXE
      Deletes itself
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:908
    - - C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe" /i:908
        5⤵
        
        PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Br7FCvam\WI5w5U21.exe

Filesize
250KB

MD5
3856902ab8404d472c99d4aab27b0573

SHA1
76d6175c5f01274bf79b36bf714573dcea4a13a9

SHA256
0ff459c2a3d98a872133665454fee9878beff72820f0b979dadcf1c9278d6540

SHA512
39ca52d5a08b06fdfb3966f9534889dd45d9711d6fed8b2d0a9a35c93d4166c9574c2c88e013c7b577a9bacc38bad2f703c07b8dd3cb0893486277bce28bc789

Download Submit
C:\ProgramData\Br7FCvam\WI5w5U21.exe

Filesize
250KB

MD5
3856902ab8404d472c99d4aab27b0573

SHA1
76d6175c5f01274bf79b36bf714573dcea4a13a9

SHA256
0ff459c2a3d98a872133665454fee9878beff72820f0b979dadcf1c9278d6540

SHA512
39ca52d5a08b06fdfb3966f9534889dd45d9711d6fed8b2d0a9a35c93d4166c9574c2c88e013c7b577a9bacc38bad2f703c07b8dd3cb0893486277bce28bc789

Download Submit
C:\ProgramData\Br7FCvam\WI5w5U21.exe

Filesize
250KB

MD5
3856902ab8404d472c99d4aab27b0573

SHA1
76d6175c5f01274bf79b36bf714573dcea4a13a9

SHA256
0ff459c2a3d98a872133665454fee9878beff72820f0b979dadcf1c9278d6540

SHA512
39ca52d5a08b06fdfb3966f9534889dd45d9711d6fed8b2d0a9a35c93d4166c9574c2c88e013c7b577a9bacc38bad2f703c07b8dd3cb0893486277bce28bc789

Download Submit
\ProgramData\Br7FCvam\WI5w5U21.exe

Filesize
250KB

MD5
3856902ab8404d472c99d4aab27b0573

SHA1
76d6175c5f01274bf79b36bf714573dcea4a13a9

SHA256
0ff459c2a3d98a872133665454fee9878beff72820f0b979dadcf1c9278d6540

SHA512
39ca52d5a08b06fdfb3966f9534889dd45d9711d6fed8b2d0a9a35c93d4166c9574c2c88e013c7b577a9bacc38bad2f703c07b8dd3cb0893486277bce28bc789

Download Submit
\ProgramData\Br7FCvam\WI5w5U21.exe

Filesize
250KB

MD5
3856902ab8404d472c99d4aab27b0573

SHA1
76d6175c5f01274bf79b36bf714573dcea4a13a9

SHA256
0ff459c2a3d98a872133665454fee9878beff72820f0b979dadcf1c9278d6540

SHA512
39ca52d5a08b06fdfb3966f9534889dd45d9711d6fed8b2d0a9a35c93d4166c9574c2c88e013c7b577a9bacc38bad2f703c07b8dd3cb0893486277bce28bc789

Download Submit
\ProgramData\Br7FCvam\WI5w5U21.exe

Filesize
250KB

MD5
0abf508b51b95471c694f7a509179b19

SHA1
5d01020dfe6043437e93a812edc1fb49d04c0b2e

SHA256
0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f

SHA512
e3ee0d85861ddd1911d44cf7030b75119d26fdfd610ef17d6093995b994904b9e3f73ffa15e14581328c0f6b509137eb235702649542707804cfde7bff4ea06f

Download Submit
\Users\Admin\AppData\Local\Temp\Y4xWDQ5p.exe

Filesize
250KB

MD5
3856902ab8404d472c99d4aab27b0573

SHA1
76d6175c5f01274bf79b36bf714573dcea4a13a9

SHA256
0ff459c2a3d98a872133665454fee9878beff72820f0b979dadcf1c9278d6540

SHA512
39ca52d5a08b06fdfb3966f9534889dd45d9711d6fed8b2d0a9a35c93d4166c9574c2c88e013c7b577a9bacc38bad2f703c07b8dd3cb0893486277bce28bc789

Download Submit
memory/908-75-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/908-82-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1120-83-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1120-85-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1300-59-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1300-64-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1300-58-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1300-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1300-54-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1300-84-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing