486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b

General

Target

486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe
Size

244KB
MD5

796fdae3b1476ed20cdac74ca9d40973
SHA1

1067f53a9e67a61f41d649874e7c40a1e0a2cb2e
SHA256

486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b
SHA512

1948b409fa2d680708ca8b839576597d24bd7a90537c7dd07f22c08ce9edd775153d00ace206565bd6012803347c9be253db04206fbb36e85e9b0997a2c39157
SSDEEP

6144:AhBgQhoowwzLDmJYIdzNjlIccwO33XdGaSb:Ah2QhpNKJYIdzNjcndGaA

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

explorer.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a134133.exe explorer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a134133.exe	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*13413 = "C:\\a134133\\a134133.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a134133 = "C:\\Users\\Admin\\AppData\\Roaming\\a134133.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*134133 = "C:\\Users\\Admin\\AppData\\Roaming\\a134133.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a13413 = "C:\\a134133\\a134133.exe"	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe

description	pid	process	target process
PID 3576 set thread context of 776	3576	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe

pid	process
3576	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe
3576	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe
3576	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe
3576	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe
3576	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe
3576	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exeexplorer.exe

pid process

776 486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe
5068 explorer.exe

pid	process
776	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe
5068	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe

pid	process
3576	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe
3576	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exeexplorer.exe

C:\Users\Admin\AppData\Local\Temp\486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe
"C:\Users\Admin\AppData\Local\Temp\486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Users\Admin\AppData\Local\Temp\486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe
  C:\Users\Admin\AppData\Local\Temp\486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\SysWOW64\svchost.exe
      -k netsvcs
      4⤵
      PID:5036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/776-132-0x0000000000000000-mapping.dmp

Download
memory/776-133-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/776-136-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3576-134-0x00000000022A0000-0x00000000022A4000-memory.dmp

Filesize
16KB

Download
memory/5036-138-0x0000000000000000-mapping.dmp

Download
memory/5036-139-0x0000000000640000-0x000000000066C000-memory.dmp

Filesize
176KB

Download
memory/5068-135-0x0000000000000000-mapping.dmp

Download
memory/5068-137-0x0000000001080000-0x00000000010AC000-memory.dmp

Filesize
176KB

Download

description	pid	process	target process
PID 3576 wrote to memory of 776	3576	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe
PID 3576 wrote to memory of 776	3576	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe
PID 3576 wrote to memory of 776	3576	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe
PID 3576 wrote to memory of 776	3576	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe
PID 3576 wrote to memory of 776	3576	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe
PID 3576 wrote to memory of 776	3576	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe
PID 3576 wrote to memory of 776	3576	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe
PID 3576 wrote to memory of 776	3576	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe
PID 3576 wrote to memory of 776	3576	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe
PID 776 wrote to memory of 5068	776	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe	explorer.exe
PID 776 wrote to memory of 5068	776	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe	explorer.exe
PID 776 wrote to memory of 5068	776	486763428440e24a5ffb2a2b0fb799602c6e73d494efe853b306100555abc69b.exe	explorer.exe
PID 5068 wrote to memory of 5036	5068	explorer.exe	svchost.exe
PID 5068 wrote to memory of 5036	5068	explorer.exe	svchost.exe
PID 5068 wrote to memory of 5036	5068	explorer.exe	svchost.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads