8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2

General

Target

8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe
Size

292KB
MD5

af5dbf0f1e55e49fbfec8307ad21f3e5
SHA1

4e42594427bca5ddcfc7a55ad39d384235bd3407
SHA256

8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2
SHA512

34bfaf1c1a174ba6976787a107cc0e2972f526315ff494c7491de33d2f3dc4f1c4ccf53dcbfddc55b4c23c56bb10df7f8212bb72bbcdf93bd15bfb3b4bdff22c
SSDEEP

6144:3U8Mp5HO/xoqpoKKOboeNnWyFaUtRsM31583Dk:rMpF+NSHIoetFdRs+15r

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rundll32 = "Rundll32.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\unicode2.nls\",0"	8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe

description	pid	process	target process
PID 1240 set thread context of 1728	1240	8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe	8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe

description	pid	process	target process
PID 1240 wrote to memory of 1728	1240	8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe	8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe
PID 1240 wrote to memory of 1728	1240	8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe	8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe
PID 1240 wrote to memory of 1728	1240	8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe	8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe
PID 1240 wrote to memory of 1728	1240	8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe	8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe
PID 1240 wrote to memory of 1728	1240	8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe	8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe
PID 1240 wrote to memory of 1728	1240	8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe	8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe
PID 1240 wrote to memory of 1728	1240	8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe	8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe
PID 1240 wrote to memory of 1728	1240	8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe	8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe
PID 1240 wrote to memory of 1728	1240	8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe	8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe
PID 1240 wrote to memory of 1728	1240	8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe	8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe
PID 1240 wrote to memory of 1728	1240	8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe	8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe

C:\Users\Admin\AppData\Local\Temp\8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe
"C:\Users\Admin\AppData\Local\Temp\8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1240

C:\Users\Admin\AppData\Local\Temp\8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe
C:\Users\Admin\AppData\Local\Temp\8f89f8dae0e1225064d13107a5dea3a7885131f5f444e1b4f7285877c8afc5b2.exe
2⤵
- Adds Run key to start application
PID:1728

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1240-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1728-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1728-56-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1728-58-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1728-60-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1728-61-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1728-62-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1728-64-0x000000000040AF78-mapping.dmp

Download
memory/1728-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1728-65-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1728-66-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1728-67-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads