6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462

General

Target

6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe
Size

147KB
MD5

2653b0e170899c2b5eab42d5c2f618c3
SHA1

1f6a06110ddbba0a6f752c2ffd37d20670ae59a5
SHA256

6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462
SHA512

f0901eee7c60572b9da1e21a97c627f61a7a19b38db12b4bcd1b016d79c26e64c400ec776a048e9060e075c9be0aab4c56e9c21e94a42248d7fc10d5d9d70fb1
SSDEEP

3072:/9PmZGDb1lnTikqY1jnyAsHjwwT+DqCM+mduhWc+9kHNVYDYuG:vf15uBYy2eaMv8v+9sY

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

explorer.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11de6622.exe explorer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11de6622.exe	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11de662 = "C:\\11de6622\\11de6622.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*1de662 = "C:\\11de6622\\11de6622.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11de6622 = "C:\\Users\\Admin\\AppData\\Roaming\\11de6622.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*1de6622 = "C:\\Users\\Admin\\AppData\\Roaming\\11de6622.exe"	explorer.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

59 ip-addr.es
67 myexternalip.com

flow	ioc
59	ip-addr.es
67	myexternalip.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe

description	pid	process	target process
PID 364 set thread context of 4668	364	6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe	6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exeexplorer.exe

pid process

4668 6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe
2500 explorer.exe

pid	process
4668	6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe
2500	explorer.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exeexplorer.exe

C:\Users\Admin\AppData\Local\Temp\6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe
"C:\Users\Admin\AppData\Local\Temp\6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:364

C:\Users\Admin\AppData\Local\Temp\6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe
"C:\Users\Admin\AppData\Local\Temp\6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe"
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4668

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\syswow64\explorer.exe"
3⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\SysWOW64\svchost.exe
-k netsvcs
4⤵
PID:2060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/364-133-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/364-135-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/2060-139-0x0000000000000000-mapping.dmp

Download
memory/2060-140-0x00000000006A0000-0x00000000006C5000-memory.dmp

Filesize
148KB

Download
memory/2500-136-0x0000000000000000-mapping.dmp

Download
memory/2500-138-0x0000000000150000-0x0000000000175000-memory.dmp

Filesize
148KB

Download
memory/4668-134-0x0000000000000000-mapping.dmp

Download
memory/4668-137-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

description	pid	process	target process
PID 364 wrote to memory of 4668	364	6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe	6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe
PID 364 wrote to memory of 4668	364	6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe	6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe
PID 364 wrote to memory of 4668	364	6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe	6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe
PID 364 wrote to memory of 4668	364	6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe	6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe
PID 364 wrote to memory of 4668	364	6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe	6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe
PID 364 wrote to memory of 4668	364	6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe	6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe
PID 364 wrote to memory of 4668	364	6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe	6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe
PID 364 wrote to memory of 4668	364	6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe	6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe
PID 364 wrote to memory of 4668	364	6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe	6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe
PID 364 wrote to memory of 4668	364	6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe	6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe
PID 4668 wrote to memory of 2500	4668	6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe	explorer.exe
PID 4668 wrote to memory of 2500	4668	6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe	explorer.exe
PID 4668 wrote to memory of 2500	4668	6cce73ec191a3fa382ea3fce157b2cc21d5decd71db0193e07d184a5adf9b462.exe	explorer.exe
PID 2500 wrote to memory of 2060	2500	explorer.exe	svchost.exe
PID 2500 wrote to memory of 2060	2500	explorer.exe	svchost.exe
PID 2500 wrote to memory of 2060	2500	explorer.exe	svchost.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads