9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae

General

Target

9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
Size

277KB
MD5

1dec533464e822a43b0a8160b910d910
SHA1

6709c297dafa871c54989569779c828a326f26d2
SHA256

9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae
SHA512

7b1724e1f5e7191e10c60155b3c790e0d6f760049c264d76d6e73eedcc37bb69c883105fbd4cd74fb5c788da0540950ac2871fa126392b2bffab1f5a431ea13a
SSDEEP

6144:edTPNP/JvZ3oqXAhD/rqs9SXZ0PE2hWXsQ:epVPxvZ3oqXk9YZ0M3

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

explorer.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\681de19.exe explorer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\681de19.exe	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\681de1 = "C:\\681de19\\681de19.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*81de1 = "C:\\681de19\\681de19.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\681de19 = "C:\\Users\\Admin\\AppData\\Roaming\\681de19.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*81de19 = "C:\\Users\\Admin\\AppData\\Roaming\\681de19.exe"	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe

description	pid	process	target process
PID 3248 set thread context of 2656	3248	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe

pid	process
3248	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
3248	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
3248	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
3248	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exeexplorer.exe

pid process

2656 9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
2964 explorer.exe

pid	process
2656	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
2964	explorer.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exeexplorer.exe

C:\Users\Admin\AppData\Local\Temp\9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
"C:\Users\Admin\AppData\Local\Temp\9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3248

C:\Users\Admin\AppData\Local\Temp\9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
"C:\Users\Admin\AppData\Local\Temp\9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe"
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\syswow64\explorer.exe"
3⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\SysWOW64\svchost.exe
-k netsvcs
4⤵
PID:2692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2656-132-0x0000000000000000-mapping.dmp

Download
memory/2656-133-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2656-136-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2692-138-0x0000000000000000-mapping.dmp

Download
memory/2692-139-0x0000000000B80000-0x0000000000BA0000-memory.dmp

Filesize
128KB

Download
memory/2692-140-0x0000000000B80000-0x0000000000BA0000-memory.dmp

Filesize
128KB

Download
memory/2964-135-0x0000000000000000-mapping.dmp

Download
memory/2964-137-0x0000000000B30000-0x0000000000B50000-memory.dmp

Filesize
128KB

Download
memory/3248-134-0x00000000006F0000-0x0000000000700000-memory.dmp

Filesize
64KB

Download

description	pid	process	target process
PID 3248 wrote to memory of 2656	3248	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
PID 3248 wrote to memory of 2656	3248	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
PID 3248 wrote to memory of 2656	3248	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
PID 3248 wrote to memory of 2656	3248	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
PID 3248 wrote to memory of 2656	3248	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
PID 3248 wrote to memory of 2656	3248	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
PID 3248 wrote to memory of 2656	3248	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
PID 3248 wrote to memory of 2656	3248	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
PID 3248 wrote to memory of 2656	3248	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe
PID 2656 wrote to memory of 2964	2656	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe	explorer.exe
PID 2656 wrote to memory of 2964	2656	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe	explorer.exe
PID 2656 wrote to memory of 2964	2656	9aca721c7aa4e8e01894daabd4feeb2ada9685e75a2b948c6d3c29eafb03b8ae.exe	explorer.exe
PID 2964 wrote to memory of 2692	2964	explorer.exe	svchost.exe
PID 2964 wrote to memory of 2692	2964	explorer.exe	svchost.exe
PID 2964 wrote to memory of 2692	2964	explorer.exe	svchost.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads