123ae743ccbf905187620ee0ab2001f08f8acdc71acfe2f69e4bf02f4baf0d14

General

Target

123ae743ccbf905187620ee0ab2001f08f8acdc71acfe2f69e4bf02f4baf0d14.exe
Size

1.2MB
MD5

0c8dd25922ae9fbee0ebae04de6492f0
SHA1

4860fc7464f347af7b7930a71b2cb9a84001d3cf
SHA256

123ae743ccbf905187620ee0ab2001f08f8acdc71acfe2f69e4bf02f4baf0d14
SHA512

ba19cb3c0d33b665acdbc6099602c25b8d64d379c0be49e18d92b802320cb99998d2665c2c0977b365e62416e2efc4b809c9032f7ab98d53226d4a49e43da9e1
SSDEEP

12288:1cwUADV+rMO8IrRiFz5dZYMUQPQvGzbsE9Q6V3rQbUp:TbgrMz8R25UPQPdDKcIU

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
572	v3QP1ghvLM2t.exe
1584	v3QP1ghvLM2t.exe

Deletes itself 1 IoCs

pid	Process
1584	v3QP1ghvLM2t.exe

Loads dropped DLL 4 IoCs

pid	Process
940	123ae743ccbf905187620ee0ab2001f08f8acdc71acfe2f69e4bf02f4baf0d14.exe
940	123ae743ccbf905187620ee0ab2001f08f8acdc71acfe2f69e4bf02f4baf0d14.exe
940	123ae743ccbf905187620ee0ab2001f08f8acdc71acfe2f69e4bf02f4baf0d14.exe
1584	v3QP1ghvLM2t.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	123ae743ccbf905187620ee0ab2001f08f8acdc71acfe2f69e4bf02f4baf0d14.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\YRqzwx1Y = "C:\\ProgramData\\E5avvHTyvj\\v3QP1ghvLM2t.exe"	123ae743ccbf905187620ee0ab2001f08f8acdc71acfe2f69e4bf02f4baf0d14.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1604 set thread context of 940	1604	123ae743ccbf905187620ee0ab2001f08f8acdc71acfe2f69e4bf02f4baf0d14.exe	27
PID 572 set thread context of 1584	572	v3QP1ghvLM2t.exe	29
PID 1584 set thread context of 1800	1584	v3QP1ghvLM2t.exe	30

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 940	1604	123ae743ccbf905187620ee0ab2001f08f8acdc71acfe2f69e4bf02f4baf0d14.exe	27
PID 1604 wrote to memory of 940	1604	123ae743ccbf905187620ee0ab2001f08f8acdc71acfe2f69e4bf02f4baf0d14.exe	27
PID 1604 wrote to memory of 940	1604	123ae743ccbf905187620ee0ab2001f08f8acdc71acfe2f69e4bf02f4baf0d14.exe	27
PID 1604 wrote to memory of 940	1604	123ae743ccbf905187620ee0ab2001f08f8acdc71acfe2f69e4bf02f4baf0d14.exe	27
PID 1604 wrote to memory of 940	1604	123ae743ccbf905187620ee0ab2001f08f8acdc71acfe2f69e4bf02f4baf0d14.exe	27
PID 1604 wrote to memory of 940	1604	123ae743ccbf905187620ee0ab2001f08f8acdc71acfe2f69e4bf02f4baf0d14.exe	27
PID 940 wrote to memory of 572	940	123ae743ccbf905187620ee0ab2001f08f8acdc71acfe2f69e4bf02f4baf0d14.exe	28
PID 940 wrote to memory of 572	940	123ae743ccbf905187620ee0ab2001f08f8acdc71acfe2f69e4bf02f4baf0d14.exe	28
PID 940 wrote to memory of 572	940	123ae743ccbf905187620ee0ab2001f08f8acdc71acfe2f69e4bf02f4baf0d14.exe	28
PID 940 wrote to memory of 572	940	123ae743ccbf905187620ee0ab2001f08f8acdc71acfe2f69e4bf02f4baf0d14.exe	28
PID 572 wrote to memory of 1584	572	v3QP1ghvLM2t.exe	29
PID 572 wrote to memory of 1584	572	v3QP1ghvLM2t.exe	29
PID 572 wrote to memory of 1584	572	v3QP1ghvLM2t.exe	29
PID 572 wrote to memory of 1584	572	v3QP1ghvLM2t.exe	29
PID 572 wrote to memory of 1584	572	v3QP1ghvLM2t.exe	29
PID 572 wrote to memory of 1584	572	v3QP1ghvLM2t.exe	29
PID 1584 wrote to memory of 1800	1584	v3QP1ghvLM2t.exe	30
PID 1584 wrote to memory of 1800	1584	v3QP1ghvLM2t.exe	30
PID 1584 wrote to memory of 1800	1584	v3QP1ghvLM2t.exe	30
PID 1584 wrote to memory of 1800	1584	v3QP1ghvLM2t.exe	30
PID 1584 wrote to memory of 1800	1584	v3QP1ghvLM2t.exe	30
PID 1584 wrote to memory of 1800	1584	v3QP1ghvLM2t.exe	30

C:\Users\Admin\AppData\Local\Temp\123ae743ccbf905187620ee0ab2001f08f8acdc71acfe2f69e4bf02f4baf0d14.exe
"C:\Users\Admin\AppData\Local\Temp\123ae743ccbf905187620ee0ab2001f08f8acdc71acfe2f69e4bf02f4baf0d14.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Local\Temp\123ae743ccbf905187620ee0ab2001f08f8acdc71acfe2f69e4bf02f4baf0d14.exe
  "C:\Users\Admin\AppData\Local\Temp\123ae743ccbf905187620ee0ab2001f08f8acdc71acfe2f69e4bf02f4baf0d14.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\ProgramData\E5avvHTyvj\v3QP1ghvLM2t.exe
    "C:\ProgramData\E5avvHTyvj\v3QP1ghvLM2t.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\ProgramData\E5avvHTyvj\v3QP1ghvLM2t.exe
      "C:\ProgramData\E5avvHTyvj\v3QP1ghvLM2t.exe"
      4⤵
      Executes dropped EXE
      Deletes itself
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1584
    - - C:\Program Files (x86)\Windows Mail\wabmig.exe
        
        "C:\Program Files (x86)\Windows Mail\wabmig.exe" /i:1584
        5⤵
        
        PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\E5avvHTyvj\v3QP1ghvLM2t.exe

Filesize
1.2MB

MD5
ff41d1fb0a012d4a01e758905fd7987e

SHA1
9ba789521dadb48e9c93a7902c24a006a3d0b763

SHA256
bb10997aaa1ba64f170547c15a98e2981ec059baa5081392696aab61c982381d

SHA512
7bc410a4c812f40a546d62222c94256fa2b649e91407efab1802b0664d428860b2efe04cdb5659bd69847596a60b5bc144b162c4706bb0ed666bad687052ee6b

Download Submit
C:\ProgramData\E5avvHTyvj\v3QP1ghvLM2t.exe

Filesize
1.2MB

MD5
ff41d1fb0a012d4a01e758905fd7987e

SHA1
9ba789521dadb48e9c93a7902c24a006a3d0b763

SHA256
bb10997aaa1ba64f170547c15a98e2981ec059baa5081392696aab61c982381d

SHA512
7bc410a4c812f40a546d62222c94256fa2b649e91407efab1802b0664d428860b2efe04cdb5659bd69847596a60b5bc144b162c4706bb0ed666bad687052ee6b

Download Submit
C:\ProgramData\E5avvHTyvj\v3QP1ghvLM2t.exe

Filesize
1.2MB

MD5
ff41d1fb0a012d4a01e758905fd7987e

SHA1
9ba789521dadb48e9c93a7902c24a006a3d0b763

SHA256
bb10997aaa1ba64f170547c15a98e2981ec059baa5081392696aab61c982381d

SHA512
7bc410a4c812f40a546d62222c94256fa2b649e91407efab1802b0664d428860b2efe04cdb5659bd69847596a60b5bc144b162c4706bb0ed666bad687052ee6b

Download Submit
\ProgramData\E5avvHTyvj\v3QP1ghvLM2t.exe

Filesize
1.2MB

MD5
ff41d1fb0a012d4a01e758905fd7987e

SHA1
9ba789521dadb48e9c93a7902c24a006a3d0b763

SHA256
bb10997aaa1ba64f170547c15a98e2981ec059baa5081392696aab61c982381d

SHA512
7bc410a4c812f40a546d62222c94256fa2b649e91407efab1802b0664d428860b2efe04cdb5659bd69847596a60b5bc144b162c4706bb0ed666bad687052ee6b

Download Submit
\ProgramData\E5avvHTyvj\v3QP1ghvLM2t.exe

Filesize
1.2MB

MD5
ff41d1fb0a012d4a01e758905fd7987e

SHA1
9ba789521dadb48e9c93a7902c24a006a3d0b763

SHA256
bb10997aaa1ba64f170547c15a98e2981ec059baa5081392696aab61c982381d

SHA512
7bc410a4c812f40a546d62222c94256fa2b649e91407efab1802b0664d428860b2efe04cdb5659bd69847596a60b5bc144b162c4706bb0ed666bad687052ee6b

Download Submit
\ProgramData\E5avvHTyvj\v3QP1ghvLM2t.exe

Filesize
1.2MB

MD5
0c8dd25922ae9fbee0ebae04de6492f0

SHA1
4860fc7464f347af7b7930a71b2cb9a84001d3cf

SHA256
123ae743ccbf905187620ee0ab2001f08f8acdc71acfe2f69e4bf02f4baf0d14

SHA512
ba19cb3c0d33b665acdbc6099602c25b8d64d379c0be49e18d92b802320cb99998d2665c2c0977b365e62416e2efc4b809c9032f7ab98d53226d4a49e43da9e1

Download Submit
\Users\Admin\AppData\Local\Temp\QdRCZt6L.exe

Filesize
1.2MB

MD5
ff41d1fb0a012d4a01e758905fd7987e

SHA1
9ba789521dadb48e9c93a7902c24a006a3d0b763

SHA256
bb10997aaa1ba64f170547c15a98e2981ec059baa5081392696aab61c982381d

SHA512
7bc410a4c812f40a546d62222c94256fa2b649e91407efab1802b0664d428860b2efe04cdb5659bd69847596a60b5bc144b162c4706bb0ed666bad687052ee6b

Download Submit
memory/940-62-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/940-57-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/940-60-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/940-55-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/940-67-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/940-59-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1584-85-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1584-78-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1604-54-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1800-86-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1800-87-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing