0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f

General

Target

0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe
Size

250KB
MD5

0abf508b51b95471c694f7a509179b19
SHA1

5d01020dfe6043437e93a812edc1fb49d04c0b2e
SHA256

0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f
SHA512

e3ee0d85861ddd1911d44cf7030b75119d26fdfd610ef17d6093995b994904b9e3f73ffa15e14581328c0f6b509137eb235702649542707804cfde7bff4ea06f
SSDEEP

6144:oxZ39gKTDKvQ3CVtlN2B3abwgADEdHhC1/pWUB/Zp35+fLA:orP6vQ3Ct328MgADEdBC/VRpJ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1772	5TBFhjkCoVN.exe
1976	5TBFhjkCoVN.exe

Loads dropped DLL 4 IoCs

pid	Process
896	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe
896	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe
1976	5TBFhjkCoVN.exe
1976	5TBFhjkCoVN.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jxtWb9nBErLxs = "C:\\ProgramData\\86XXLOs5Hs\\5TBFhjkCoVN.exe"	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4960 set thread context of 896	4960	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe	78
PID 1772 set thread context of 1976	1772	5TBFhjkCoVN.exe	80
PID 1976 set thread context of 3556	1976	5TBFhjkCoVN.exe	82

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 896	4960	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe	78
PID 4960 wrote to memory of 896	4960	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe	78
PID 4960 wrote to memory of 896	4960	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe	78
PID 4960 wrote to memory of 896	4960	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe	78
PID 4960 wrote to memory of 896	4960	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe	78
PID 896 wrote to memory of 1772	896	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe	79
PID 896 wrote to memory of 1772	896	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe	79
PID 896 wrote to memory of 1772	896	0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe	79
PID 1772 wrote to memory of 1976	1772	5TBFhjkCoVN.exe	80
PID 1772 wrote to memory of 1976	1772	5TBFhjkCoVN.exe	80
PID 1772 wrote to memory of 1976	1772	5TBFhjkCoVN.exe	80
PID 1772 wrote to memory of 1976	1772	5TBFhjkCoVN.exe	80
PID 1772 wrote to memory of 1976	1772	5TBFhjkCoVN.exe	80
PID 1976 wrote to memory of 3556	1976	5TBFhjkCoVN.exe	82
PID 1976 wrote to memory of 3556	1976	5TBFhjkCoVN.exe	82
PID 1976 wrote to memory of 3556	1976	5TBFhjkCoVN.exe	82
PID 1976 wrote to memory of 3556	1976	5TBFhjkCoVN.exe	82
PID 1976 wrote to memory of 3556	1976	5TBFhjkCoVN.exe	82

C:\Users\Admin\AppData\Local\Temp\0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe
"C:\Users\Admin\AppData\Local\Temp\0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Users\Admin\AppData\Local\Temp\0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe
  "C:\Users\Admin\AppData\Local\Temp\0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\ProgramData\86XXLOs5Hs\5TBFhjkCoVN.exe
    "C:\ProgramData\86XXLOs5Hs\5TBFhjkCoVN.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\ProgramData\86XXLOs5Hs\5TBFhjkCoVN.exe
      "C:\ProgramData\86XXLOs5Hs\5TBFhjkCoVN.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\Program Files (x86)\Internet Explorer\ielowutil.exe
        
        "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" /i:1976
        5⤵
        
        PID:3556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\86XXLOs5Hs\5TBFhjkCoVN.exe

Filesize
250KB

MD5
0abf508b51b95471c694f7a509179b19

SHA1
5d01020dfe6043437e93a812edc1fb49d04c0b2e

SHA256
0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f

SHA512
e3ee0d85861ddd1911d44cf7030b75119d26fdfd610ef17d6093995b994904b9e3f73ffa15e14581328c0f6b509137eb235702649542707804cfde7bff4ea06f

Download Submit
C:\ProgramData\86XXLOs5Hs\5TBFhjkCoVN.exe

Filesize
250KB

MD5
0abf508b51b95471c694f7a509179b19

SHA1
5d01020dfe6043437e93a812edc1fb49d04c0b2e

SHA256
0490dbf0a186a89514eeb9a9bf868aa8bca1ab563f96a0419709b24c00532c1f

SHA512
e3ee0d85861ddd1911d44cf7030b75119d26fdfd610ef17d6093995b994904b9e3f73ffa15e14581328c0f6b509137eb235702649542707804cfde7bff4ea06f

Download Submit
C:\ProgramData\86XXLOs5Hs\5TBFhjkCoVN.exe

Filesize
250KB

MD5
2a9f82f8675c781db8eb4b4ab4b3b183

SHA1
a9f513b3941388a3cb530c1a8735ff3233d9bf7b

SHA256
c1ea848343ce131d9ac5600e3554f9b2f7d949731c67e9db2f002dff69b31c98

SHA512
505a14a9b4ef7f60da6ff371cce0e8e47e2b1bc53e4c6332aa39cb094e378defd52987fc0d6660a22b3557d07919d63a4ae42c4af780f6917748f49e9265364b

Download Submit
C:\ProgramData\86XXLOs5Hs\5TBFhjkCoVN.exe

Filesize
250KB

MD5
2a9f82f8675c781db8eb4b4ab4b3b183

SHA1
a9f513b3941388a3cb530c1a8735ff3233d9bf7b

SHA256
c1ea848343ce131d9ac5600e3554f9b2f7d949731c67e9db2f002dff69b31c98

SHA512
505a14a9b4ef7f60da6ff371cce0e8e47e2b1bc53e4c6332aa39cb094e378defd52987fc0d6660a22b3557d07919d63a4ae42c4af780f6917748f49e9265364b

Download Submit
C:\ProgramData\86XXLOs5Hs\5TBFhjkCoVN.exe

Filesize
250KB

MD5
2a9f82f8675c781db8eb4b4ab4b3b183

SHA1
a9f513b3941388a3cb530c1a8735ff3233d9bf7b

SHA256
c1ea848343ce131d9ac5600e3554f9b2f7d949731c67e9db2f002dff69b31c98

SHA512
505a14a9b4ef7f60da6ff371cce0e8e47e2b1bc53e4c6332aa39cb094e378defd52987fc0d6660a22b3557d07919d63a4ae42c4af780f6917748f49e9265364b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jgf10jnq6iJp6.exe

Filesize
250KB

MD5
2a9f82f8675c781db8eb4b4ab4b3b183

SHA1
a9f513b3941388a3cb530c1a8735ff3233d9bf7b

SHA256
c1ea848343ce131d9ac5600e3554f9b2f7d949731c67e9db2f002dff69b31c98

SHA512
505a14a9b4ef7f60da6ff371cce0e8e47e2b1bc53e4c6332aa39cb094e378defd52987fc0d6660a22b3557d07919d63a4ae42c4af780f6917748f49e9265364b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jgf10jnq6iJp6.exe

Filesize
250KB

MD5
2a9f82f8675c781db8eb4b4ab4b3b183

SHA1
a9f513b3941388a3cb530c1a8735ff3233d9bf7b

SHA256
c1ea848343ce131d9ac5600e3554f9b2f7d949731c67e9db2f002dff69b31c98

SHA512
505a14a9b4ef7f60da6ff371cce0e8e47e2b1bc53e4c6332aa39cb094e378defd52987fc0d6660a22b3557d07919d63a4ae42c4af780f6917748f49e9265364b

Download Submit
memory/896-133-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/896-138-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/896-135-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/896-134-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/896-146-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1976-148-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1976-151-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1976-156-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3556-157-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3556-158-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing