8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb

General

Target

8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe
Size

118KB
MD5

0ab6af1c4960a34a7ad3b6ed6025461e
SHA1

820f382b05b44a86cbf2ac762dc48db0cdc6d6ce
SHA256

8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb
SHA512

ef7ddedbb65df37b81bb96eb5bbbb8a567656895e9307f05be7f0b569044edefff887b3db05f8fa1fff5427868878c49018bd96843996f23c7ac964b5fb397d6
SSDEEP

3072:CLWTEiR+gctabvQuKbtG3ftk3j30lQqAB1kO0exnr:CLWiYTQPG3VQya6O0

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1272	mxy5z9kn3.exe
2040	mxy5z9kn3.exe

Loads dropped DLL 2 IoCs

pid	Process
1588	8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe
1588	8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\3rjdw7zcj = "C:\\Users\\Admin\\AppData\\Roaming\\mxy5z9kn3.exe"	8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1504 set thread context of 1588	1504	8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe	27
PID 1272 set thread context of 2040	1272	mxy5z9kn3.exe	29

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 1588	1504	8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe	27
PID 1504 wrote to memory of 1588	1504	8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe	27
PID 1504 wrote to memory of 1588	1504	8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe	27
PID 1504 wrote to memory of 1588	1504	8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe	27
PID 1504 wrote to memory of 1588	1504	8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe	27
PID 1504 wrote to memory of 1588	1504	8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe	27
PID 1588 wrote to memory of 1272	1588	8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe	28
PID 1588 wrote to memory of 1272	1588	8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe	28
PID 1588 wrote to memory of 1272	1588	8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe	28
PID 1588 wrote to memory of 1272	1588	8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe	28
PID 1272 wrote to memory of 2040	1272	mxy5z9kn3.exe	29
PID 1272 wrote to memory of 2040	1272	mxy5z9kn3.exe	29
PID 1272 wrote to memory of 2040	1272	mxy5z9kn3.exe	29
PID 1272 wrote to memory of 2040	1272	mxy5z9kn3.exe	29
PID 1272 wrote to memory of 2040	1272	mxy5z9kn3.exe	29
PID 1272 wrote to memory of 2040	1272	mxy5z9kn3.exe	29

C:\Users\Admin\AppData\Local\Temp\8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe
"C:\Users\Admin\AppData\Local\Temp\8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Temp\8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe
  C:\Users\Admin\AppData\Local\Temp\8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Users\Admin\AppData\Roaming\mxy5z9kn3.exe
    C:\Users\Admin\AppData\Roaming\mxy5z9kn3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Users\Admin\AppData\Roaming\mxy5z9kn3.exe
      C:\Users\Admin\AppData\Roaming\mxy5z9kn3.exe
      4⤵
      Executes dropped EXE
      PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mxy5z9kn3.exe

Filesize
118KB

MD5
3e8592bfd7488ac61ff181cb49d55a0f

SHA1
143829e8025dd2b68a63c62ba0b9e871f32f26b5

SHA256
5ca8c399dc1cc9601244168f37f3615873436955bc6c550991dcef95ed489e06

SHA512
2f15b8f2c2c9de82f42ebf4b295ef1e636ad34026c60721c0d2c2d9db00e71d477191762ef8907b9edac705ad3ef0d85149b0f2af363ee24465d7ca415c65274

Download Submit
C:\Users\Admin\AppData\Roaming\mxy5z9kn3.exe

Filesize
118KB

MD5
3e8592bfd7488ac61ff181cb49d55a0f

SHA1
143829e8025dd2b68a63c62ba0b9e871f32f26b5

SHA256
5ca8c399dc1cc9601244168f37f3615873436955bc6c550991dcef95ed489e06

SHA512
2f15b8f2c2c9de82f42ebf4b295ef1e636ad34026c60721c0d2c2d9db00e71d477191762ef8907b9edac705ad3ef0d85149b0f2af363ee24465d7ca415c65274

Download Submit
C:\Users\Admin\AppData\Roaming\mxy5z9kn3.exe

Filesize
118KB

MD5
3e8592bfd7488ac61ff181cb49d55a0f

SHA1
143829e8025dd2b68a63c62ba0b9e871f32f26b5

SHA256
5ca8c399dc1cc9601244168f37f3615873436955bc6c550991dcef95ed489e06

SHA512
2f15b8f2c2c9de82f42ebf4b295ef1e636ad34026c60721c0d2c2d9db00e71d477191762ef8907b9edac705ad3ef0d85149b0f2af363ee24465d7ca415c65274

Download Submit
\Users\Admin\AppData\Roaming\mxy5z9kn3.exe

Filesize
118KB

MD5
3e8592bfd7488ac61ff181cb49d55a0f

SHA1
143829e8025dd2b68a63c62ba0b9e871f32f26b5

SHA256
5ca8c399dc1cc9601244168f37f3615873436955bc6c550991dcef95ed489e06

SHA512
2f15b8f2c2c9de82f42ebf4b295ef1e636ad34026c60721c0d2c2d9db00e71d477191762ef8907b9edac705ad3ef0d85149b0f2af363ee24465d7ca415c65274

Download Submit
\Users\Admin\AppData\Roaming\mxy5z9kn3.exe

Filesize
118KB

MD5
3e8592bfd7488ac61ff181cb49d55a0f

SHA1
143829e8025dd2b68a63c62ba0b9e871f32f26b5

SHA256
5ca8c399dc1cc9601244168f37f3615873436955bc6c550991dcef95ed489e06

SHA512
2f15b8f2c2c9de82f42ebf4b295ef1e636ad34026c60721c0d2c2d9db00e71d477191762ef8907b9edac705ad3ef0d85149b0f2af363ee24465d7ca415c65274

Download Submit
memory/1272-63-0x0000000000000000-mapping.dmp

Download
memory/1588-60-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1588-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1588-59-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download
memory/1588-57-0x000000000040B384-mapping.dmp

Download
memory/1588-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1588-74-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2040-69-0x000000000040B384-mapping.dmp

Download
memory/2040-75-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2040-76-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2040-77-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing