121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa

General

Target

121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe
Size

384KB
MD5

e6db38cb1478e03cac0538f419fe2665
SHA1

02aaac021018b2dab2437febacf6bd98a613cd34
SHA256

121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa
SHA512

2fec0ac4dfc6bfdae0adebc295b0853b2fad40872025683d8496509263021394cc89e583e0c5ade5b9ca0c3b8ce34d265a9fd531bf76b901c4a38f1819b96263
SSDEEP

6144:8cIvPZigUI7RSEYmmGrvzMLkeYSDrqxCyfk14nVif9nLdksoK1Vg0cU/4vxf3e0f:or7R0ybUYkrUCyfk14nkRLdJRXA5W0f

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe"	121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe

description	pid	process	target process
PID 1708 set thread context of 1712	1708	121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe	121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe

pid process

1712 121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe

pid process

1708 121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe

pid	process
1712	121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe

pid	process
1708	121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe

description	pid	process	target process
PID 1708 wrote to memory of 1712	1708	121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe	121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe
PID 1708 wrote to memory of 1712	1708	121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe	121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe
PID 1708 wrote to memory of 1712	1708	121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe	121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe
PID 1708 wrote to memory of 1712	1708	121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe	121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe
PID 1708 wrote to memory of 1712	1708	121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe	121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe
PID 1708 wrote to memory of 1712	1708	121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe	121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe
PID 1708 wrote to memory of 1712	1708	121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe	121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe
PID 1708 wrote to memory of 1712	1708	121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe	121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe
PID 1708 wrote to memory of 1712	1708	121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe	121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe
PID 1708 wrote to memory of 1712	1708	121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe	121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe
PID 1708 wrote to memory of 1712	1708	121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe	121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe

C:\Users\Admin\AppData\Local\Temp\121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe
"C:\Users\Admin\AppData\Local\Temp\121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe
"C:\Users\Admin\AppData\Local\Temp\121ae9e466bd6c6a1227e19bf6c8348ffa099380e20f31071acaeadf4fd4b3fa.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1708-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1712-57-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1712-58-0x00000000004112DC-mapping.dmp

Download
memory/1712-61-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1712-62-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1712-63-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads