44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453

General

Target

44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe
Size

68KB
MD5

4a4c2a2938724af299bdbe7907dff657
SHA1

924c3310ec150da3e4778ed12c0b78f2a24e7a9b
SHA256

44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453
SHA512

93ee65139152a268f8b170251c15ebe8eb97b1f8e90ff4eae719b93304f12f82f1aca83919ede59c1ccc9fc3cdd96f1c896dacab3f9ce6afce5df5c74f9853fc
SSDEEP

1536:NGUQT9Jp6dliEq8VsIODHX86nNkPC7uUu:47pYliDAv4HX86ne9

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remote Security Manager = "C:\\Users\\Admin\\AppData\\Roaming\\RECYCLER\\svchost.exe"	iexplore.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe

description	pid	process	target process
PID 1140 set thread context of 996	1140	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe

pid process

996 44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe

pid	process
996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe

description	pid	process	target process
PID 1140 wrote to memory of 996	1140	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe
PID 1140 wrote to memory of 996	1140	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe
PID 1140 wrote to memory of 996	1140	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe
PID 1140 wrote to memory of 996	1140	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe
PID 1140 wrote to memory of 996	1140	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe
PID 1140 wrote to memory of 996	1140	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe
PID 1140 wrote to memory of 996	1140	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe
PID 1140 wrote to memory of 996	1140	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe
PID 1140 wrote to memory of 996	1140	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe
PID 996 wrote to memory of 268	996	44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe
"C:\Users\Admin\AppData\Local\Temp\44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1140

C:\Users\Admin\AppData\Local\Temp\44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe
"C:\Users\Admin\AppData\Local\Temp\44a5c10b4edaa66df39852179e15362d060036b7d73609156409452f2c7d5453.exe"
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:996

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Adds Run key to start application
PID:268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/996-54-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/996-55-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/996-57-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/996-58-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/996-59-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/996-60-0x0000000000403870-mapping.dmp

Download
memory/996-62-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/996-63-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/996-64-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads