1f831416e7d5ffa7bcb5b42114cb6f8a6ec56ac86f0b70cd969936c8ddc67b2e

General

Target

1f831416e7d5ffa7bcb5b42114cb6f8a6ec56ac86f0b70cd969936c8ddc67b2e.exe
Size

1.2MB
MD5

0b2e478bd05ef972ad1a1c179bc1ffa9
SHA1

97ac1fce83af0f073c1a60fe9732504527c0aa42
SHA256

1f831416e7d5ffa7bcb5b42114cb6f8a6ec56ac86f0b70cd969936c8ddc67b2e
SHA512

b1785aa9c5b31db8cfeab267464fb10b4ec367bcee5a1a338296a2ab916682f1be89347f515bf0b55969bf5af3230149e2b531221eceeb12ad77a92f70c41739
SSDEEP

12288:1cwUADV+rMO8IrRiFz5dZYMUQPQvGzbblcII3krH4nvQD+:TbgrMz8R25UPQPdXlcII3vvL

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1476	wUmPBm8i4NGbjwN.exe
1640	wUmPBm8i4NGbjwN.exe

Deletes itself 1 IoCs

pid	Process
1640	wUmPBm8i4NGbjwN.exe

Loads dropped DLL 4 IoCs

pid	Process
832	1f831416e7d5ffa7bcb5b42114cb6f8a6ec56ac86f0b70cd969936c8ddc67b2e.exe
832	1f831416e7d5ffa7bcb5b42114cb6f8a6ec56ac86f0b70cd969936c8ddc67b2e.exe
832	1f831416e7d5ffa7bcb5b42114cb6f8a6ec56ac86f0b70cd969936c8ddc67b2e.exe
1640	wUmPBm8i4NGbjwN.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	1f831416e7d5ffa7bcb5b42114cb6f8a6ec56ac86f0b70cd969936c8ddc67b2e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\fpHVZDmYQeDQAGJ = "C:\\ProgramData\\Wz124Mj5DP\\wUmPBm8i4NGbjwN.exe"	1f831416e7d5ffa7bcb5b42114cb6f8a6ec56ac86f0b70cd969936c8ddc67b2e.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1324 set thread context of 832	1324	1f831416e7d5ffa7bcb5b42114cb6f8a6ec56ac86f0b70cd969936c8ddc67b2e.exe	27
PID 1476 set thread context of 1640	1476	wUmPBm8i4NGbjwN.exe	29
PID 1640 set thread context of 1516	1640	wUmPBm8i4NGbjwN.exe	30

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 832	1324	1f831416e7d5ffa7bcb5b42114cb6f8a6ec56ac86f0b70cd969936c8ddc67b2e.exe	27
PID 1324 wrote to memory of 832	1324	1f831416e7d5ffa7bcb5b42114cb6f8a6ec56ac86f0b70cd969936c8ddc67b2e.exe	27
PID 1324 wrote to memory of 832	1324	1f831416e7d5ffa7bcb5b42114cb6f8a6ec56ac86f0b70cd969936c8ddc67b2e.exe	27
PID 1324 wrote to memory of 832	1324	1f831416e7d5ffa7bcb5b42114cb6f8a6ec56ac86f0b70cd969936c8ddc67b2e.exe	27
PID 1324 wrote to memory of 832	1324	1f831416e7d5ffa7bcb5b42114cb6f8a6ec56ac86f0b70cd969936c8ddc67b2e.exe	27
PID 1324 wrote to memory of 832	1324	1f831416e7d5ffa7bcb5b42114cb6f8a6ec56ac86f0b70cd969936c8ddc67b2e.exe	27
PID 832 wrote to memory of 1476	832	1f831416e7d5ffa7bcb5b42114cb6f8a6ec56ac86f0b70cd969936c8ddc67b2e.exe	28
PID 832 wrote to memory of 1476	832	1f831416e7d5ffa7bcb5b42114cb6f8a6ec56ac86f0b70cd969936c8ddc67b2e.exe	28
PID 832 wrote to memory of 1476	832	1f831416e7d5ffa7bcb5b42114cb6f8a6ec56ac86f0b70cd969936c8ddc67b2e.exe	28
PID 832 wrote to memory of 1476	832	1f831416e7d5ffa7bcb5b42114cb6f8a6ec56ac86f0b70cd969936c8ddc67b2e.exe	28
PID 1476 wrote to memory of 1640	1476	wUmPBm8i4NGbjwN.exe	29
PID 1476 wrote to memory of 1640	1476	wUmPBm8i4NGbjwN.exe	29
PID 1476 wrote to memory of 1640	1476	wUmPBm8i4NGbjwN.exe	29
PID 1476 wrote to memory of 1640	1476	wUmPBm8i4NGbjwN.exe	29
PID 1476 wrote to memory of 1640	1476	wUmPBm8i4NGbjwN.exe	29
PID 1476 wrote to memory of 1640	1476	wUmPBm8i4NGbjwN.exe	29
PID 1640 wrote to memory of 1516	1640	wUmPBm8i4NGbjwN.exe	30
PID 1640 wrote to memory of 1516	1640	wUmPBm8i4NGbjwN.exe	30
PID 1640 wrote to memory of 1516	1640	wUmPBm8i4NGbjwN.exe	30
PID 1640 wrote to memory of 1516	1640	wUmPBm8i4NGbjwN.exe	30
PID 1640 wrote to memory of 1516	1640	wUmPBm8i4NGbjwN.exe	30
PID 1640 wrote to memory of 1516	1640	wUmPBm8i4NGbjwN.exe	30

C:\Users\Admin\AppData\Local\Temp\1f831416e7d5ffa7bcb5b42114cb6f8a6ec56ac86f0b70cd969936c8ddc67b2e.exe
"C:\Users\Admin\AppData\Local\Temp\1f831416e7d5ffa7bcb5b42114cb6f8a6ec56ac86f0b70cd969936c8ddc67b2e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Users\Admin\AppData\Local\Temp\1f831416e7d5ffa7bcb5b42114cb6f8a6ec56ac86f0b70cd969936c8ddc67b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\1f831416e7d5ffa7bcb5b42114cb6f8a6ec56ac86f0b70cd969936c8ddc67b2e.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\ProgramData\Wz124Mj5DP\wUmPBm8i4NGbjwN.exe
    "C:\ProgramData\Wz124Mj5DP\wUmPBm8i4NGbjwN.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1476
  - - C:\ProgramData\Wz124Mj5DP\wUmPBm8i4NGbjwN.exe
      "C:\ProgramData\Wz124Mj5DP\wUmPBm8i4NGbjwN.exe"
      4⤵
      Executes dropped EXE
      Deletes itself
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1640
    - - C:\Program Files (x86)\Windows Media Player\WMPDMC.exe
        
        "C:\Program Files (x86)\Windows Media Player\WMPDMC.exe" /i:1640
        5⤵
        
        PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Wz124Mj5DP\wUmPBm8i4NGbjwN.exe

Filesize
1.2MB

MD5
701c259414464ec26d78cca9246f1285

SHA1
0da1e64b3c5f5293014f691a9a859ec6ce38bb45

SHA256
b2ab3a4f9c73a85c67aca27813d0e1b840c8bb3283015df0b9710bfdfb31bdc9

SHA512
945c48d946a3f1b703ce77cfdaa1ea04c7e579128e96932cd28011ccb9b2981974c6dbdda7975b34e4876a90388c1d3629c66aec3aab27e0ce25500dffd562ee

Download Submit
C:\ProgramData\Wz124Mj5DP\wUmPBm8i4NGbjwN.exe

Filesize
1.2MB

MD5
701c259414464ec26d78cca9246f1285

SHA1
0da1e64b3c5f5293014f691a9a859ec6ce38bb45

SHA256
b2ab3a4f9c73a85c67aca27813d0e1b840c8bb3283015df0b9710bfdfb31bdc9

SHA512
945c48d946a3f1b703ce77cfdaa1ea04c7e579128e96932cd28011ccb9b2981974c6dbdda7975b34e4876a90388c1d3629c66aec3aab27e0ce25500dffd562ee

Download Submit
C:\ProgramData\Wz124Mj5DP\wUmPBm8i4NGbjwN.exe

Filesize
1.2MB

MD5
701c259414464ec26d78cca9246f1285

SHA1
0da1e64b3c5f5293014f691a9a859ec6ce38bb45

SHA256
b2ab3a4f9c73a85c67aca27813d0e1b840c8bb3283015df0b9710bfdfb31bdc9

SHA512
945c48d946a3f1b703ce77cfdaa1ea04c7e579128e96932cd28011ccb9b2981974c6dbdda7975b34e4876a90388c1d3629c66aec3aab27e0ce25500dffd562ee

Download Submit
\ProgramData\Wz124Mj5DP\wUmPBm8i4NGbjwN.exe

Filesize
1.2MB

MD5
0b2e478bd05ef972ad1a1c179bc1ffa9

SHA1
97ac1fce83af0f073c1a60fe9732504527c0aa42

SHA256
1f831416e7d5ffa7bcb5b42114cb6f8a6ec56ac86f0b70cd969936c8ddc67b2e

SHA512
b1785aa9c5b31db8cfeab267464fb10b4ec367bcee5a1a338296a2ab916682f1be89347f515bf0b55969bf5af3230149e2b531221eceeb12ad77a92f70c41739

Download Submit
\ProgramData\Wz124Mj5DP\wUmPBm8i4NGbjwN.exe

Filesize
1.2MB

MD5
701c259414464ec26d78cca9246f1285

SHA1
0da1e64b3c5f5293014f691a9a859ec6ce38bb45

SHA256
b2ab3a4f9c73a85c67aca27813d0e1b840c8bb3283015df0b9710bfdfb31bdc9

SHA512
945c48d946a3f1b703ce77cfdaa1ea04c7e579128e96932cd28011ccb9b2981974c6dbdda7975b34e4876a90388c1d3629c66aec3aab27e0ce25500dffd562ee

Download Submit
\ProgramData\Wz124Mj5DP\wUmPBm8i4NGbjwN.exe

Filesize
1.2MB

MD5
701c259414464ec26d78cca9246f1285

SHA1
0da1e64b3c5f5293014f691a9a859ec6ce38bb45

SHA256
b2ab3a4f9c73a85c67aca27813d0e1b840c8bb3283015df0b9710bfdfb31bdc9

SHA512
945c48d946a3f1b703ce77cfdaa1ea04c7e579128e96932cd28011ccb9b2981974c6dbdda7975b34e4876a90388c1d3629c66aec3aab27e0ce25500dffd562ee

Download Submit
\Users\Admin\AppData\Local\Temp\Z7Iq9mVafwpAVib.exe

Filesize
1.2MB

MD5
701c259414464ec26d78cca9246f1285

SHA1
0da1e64b3c5f5293014f691a9a859ec6ce38bb45

SHA256
b2ab3a4f9c73a85c67aca27813d0e1b840c8bb3283015df0b9710bfdfb31bdc9

SHA512
945c48d946a3f1b703ce77cfdaa1ea04c7e579128e96932cd28011ccb9b2981974c6dbdda7975b34e4876a90388c1d3629c66aec3aab27e0ce25500dffd562ee

Download Submit
memory/832-60-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/832-66-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/832-59-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/832-62-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/832-57-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/832-55-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1324-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1516-86-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1516-87-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1640-85-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1640-78-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing