c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261

General

Target

c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe
Size

256KB
MD5

0ca6317d50f91b74ba2a115dc4518803
SHA1

361661b47807e8e48f7942d367dceb73873bdab9
SHA256

c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261
SHA512

dba9aa6bebedfd2f32be686b43c0039d5f806bf68d25552a3e36ed9d7373fa9aa292a4a3a97d32cbbcb4b5ba1bd6315a899b2fc285947ff60777dd108905bd78
SSDEEP

6144:HDwyUbKwZZ48q6BvZchzVLb91EDdND8S2fr7T39ka:jwykKwP48q6NQzt98Dxs32a

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

explorer.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3224346.exe explorer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3224346.exe	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\322434 = "C:\\3224346\\3224346.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*22434 = "C:\\3224346\\3224346.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3224346 = "C:\\Users\\Admin\\AppData\\Roaming\\3224346.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*224346 = "C:\\Users\\Admin\\AppData\\Roaming\\3224346.exe"	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe

description	pid	process	target process
PID 5000 set thread context of 5092	5000	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe

pid	process
5000	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe
5000	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe
5000	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe
5000	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exeexplorer.exe

pid process

5092 c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe
1540 explorer.exe

pid	process
5092	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe
1540	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe

pid	process
5000	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe
5000	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exec58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exeexplorer.exe

C:\Users\Admin\AppData\Local\Temp\c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe
"C:\Users\Admin\AppData\Local\Temp\c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5000

C:\Users\Admin\AppData\Local\Temp\c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe
C:\Users\Admin\AppData\Local\Temp\c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\syswow64\explorer.exe"
3⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\svchost.exe
-k netsvcs
4⤵
PID:1536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1536-138-0x0000000000000000-mapping.dmp

Download
memory/1536-139-0x0000000001200000-0x000000000122B000-memory.dmp

Filesize
172KB

Download
memory/1540-135-0x0000000000000000-mapping.dmp

Download
memory/1540-137-0x0000000000330000-0x000000000035B000-memory.dmp

Filesize
172KB

Download
memory/5000-132-0x00000000006E0000-0x00000000006E4000-memory.dmp

Filesize
16KB

Download
memory/5092-133-0x0000000000000000-mapping.dmp

Download
memory/5092-134-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5092-136-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

description	pid	process	target process
PID 5000 wrote to memory of 5092	5000	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe
PID 5000 wrote to memory of 5092	5000	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe
PID 5000 wrote to memory of 5092	5000	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe
PID 5000 wrote to memory of 5092	5000	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe
PID 5000 wrote to memory of 5092	5000	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe
PID 5000 wrote to memory of 5092	5000	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe
PID 5000 wrote to memory of 5092	5000	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe
PID 5000 wrote to memory of 5092	5000	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe
PID 5000 wrote to memory of 5092	5000	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe
PID 5092 wrote to memory of 1540	5092	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe	explorer.exe
PID 5092 wrote to memory of 1540	5092	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe	explorer.exe
PID 5092 wrote to memory of 1540	5092	c58ed52c0b9a337c47a7755f46a41e711651e853f2db667116ea07e9cb92a261.exe	explorer.exe
PID 1540 wrote to memory of 1536	1540	explorer.exe	svchost.exe
PID 1540 wrote to memory of 1536	1540	explorer.exe	svchost.exe
PID 1540 wrote to memory of 1536	1540	explorer.exe	svchost.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads