39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb

General

Target

39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe
Size

276KB
MD5

96e0484ee4103c3f7e1e8d74f3f9a7a4
SHA1

516c6f171762b8c4c4396aed58e8621049a75438
SHA256

39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb
SHA512

4b549bd894debe65dc612f374ecded82afe9952a7c2707dbdf82525c67bac074a18474e00241fb103cc8ad5a986360424a83638b6e0557bf3f4d899ffb931c7a
SSDEEP

6144:4L1fuessTEY5qbsxwUnLobneir+iiHIGGCGpZ:4Lpsz4wUL4neir+oZ

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe

pid process

236 39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe

pid	process
236	39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe = "C:\\Windows\\system32\\39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe"	reg.exe

Drops file in System32 directory 4 IoCs

Processes:

39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe

description	ioc	process
File created	C:\Windows\SysWOW64\39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe	39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe
File opened for modification	C:\Windows\SysWOW64\39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe	39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe
File opened for modification	C:\Windows\SysWOW64\ok.bat	39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe
File created	C:\Windows\SysWOW64\39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe	39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.execmd.exe

description	pid	process	target process
PID 960 wrote to memory of 4876	960	39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe	cmd.exe
PID 960 wrote to memory of 4876	960	39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe	cmd.exe
PID 960 wrote to memory of 4876	960	39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe	cmd.exe
PID 4876 wrote to memory of 236	4876	cmd.exe	39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe
PID 4876 wrote to memory of 236	4876	cmd.exe	39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe
PID 4876 wrote to memory of 236	4876	cmd.exe	39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe
PID 4876 wrote to memory of 2424	4876	cmd.exe	reg.exe
PID 4876 wrote to memory of 2424	4876	cmd.exe	reg.exe
PID 4876 wrote to memory of 2424	4876	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe
"C:\Users\Admin\AppData\Local\Temp\39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\ok.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\SysWOW64\39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe
C:\Windows\system32\39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:236

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe" /t REG_SZ /F /D "C:\Windows\system32\39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe"
3⤵
- Adds Run key to start application
PID:2424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe
Filesize
276KB

MD5
96e0484ee4103c3f7e1e8d74f3f9a7a4

SHA1
516c6f171762b8c4c4396aed58e8621049a75438

SHA256
39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb

SHA512
4b549bd894debe65dc612f374ecded82afe9952a7c2707dbdf82525c67bac074a18474e00241fb103cc8ad5a986360424a83638b6e0557bf3f4d899ffb931c7a

Download Submit
C:\Windows\SysWOW64\39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb.exe
Filesize
276KB

MD5
96e0484ee4103c3f7e1e8d74f3f9a7a4

SHA1
516c6f171762b8c4c4396aed58e8621049a75438

SHA256
39860602b4c4849d70d2cf7f1863b5d4a4d252c93100ead2f5eca495b98e2ccb

SHA512
4b549bd894debe65dc612f374ecded82afe9952a7c2707dbdf82525c67bac074a18474e00241fb103cc8ad5a986360424a83638b6e0557bf3f4d899ffb931c7a

Download Submit
C:\Windows\SysWOW64\ok.bat
Filesize
481B

MD5
4ba6410020349f8537b1f68c0b3b93e5

SHA1
c25f298d57a12173e6defb404a939d08086ed2d4

SHA256
571d01799fde38921c58ca0694ee6b3e14679da5bb5fc7956c423531269157fb

SHA512
b3b3802e8376431ca9775aa2f72c54dbcf298f00a9423294c9e6acb1f5e4dd070c589b30c8cb2b5e03d22825da2cb3bfa3d5def4263ff9db6b3188f2095dd9a0

Download Submit
memory/236-134-0x0000000000000000-mapping.dmp

Download
memory/2424-137-0x0000000000000000-mapping.dmp

Download
memory/4876-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads