8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb

General

Target

8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe
Size

118KB
MD5

0ab6af1c4960a34a7ad3b6ed6025461e
SHA1

820f382b05b44a86cbf2ac762dc48db0cdc6d6ce
SHA256

8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb
SHA512

ef7ddedbb65df37b81bb96eb5bbbb8a567656895e9307f05be7f0b569044edefff887b3db05f8fa1fff5427868878c49018bd96843996f23c7ac964b5fb397d6
SSDEEP

3072:CLWTEiR+gctabvQuKbtG3ftk3j30lQqAB1kO0exnr:CLWiYTQPG3VQya6O0

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
524	x9el0.exe
1020	x9el0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5k4ffdabvh = "C:\\Users\\Admin\\AppData\\Roaming\\x9el0.exe"	8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4000 set thread context of 364	4000	8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe	82
PID 524 set thread context of 1020	524	x9el0.exe	86

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1836	4000	WerFault.exe	81
396	524	WerFault.exe	85

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 364	4000	8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe	82
PID 4000 wrote to memory of 364	4000	8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe	82
PID 4000 wrote to memory of 364	4000	8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe	82
PID 4000 wrote to memory of 364	4000	8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe	82
PID 4000 wrote to memory of 364	4000	8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe	82
PID 364 wrote to memory of 524	364	8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe	85
PID 364 wrote to memory of 524	364	8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe	85
PID 364 wrote to memory of 524	364	8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe	85
PID 524 wrote to memory of 1020	524	x9el0.exe	86
PID 524 wrote to memory of 1020	524	x9el0.exe	86
PID 524 wrote to memory of 1020	524	x9el0.exe	86
PID 524 wrote to memory of 1020	524	x9el0.exe	86
PID 524 wrote to memory of 1020	524	x9el0.exe	86

C:\Users\Admin\AppData\Local\Temp\8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe
"C:\Users\Admin\AppData\Local\Temp\8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Users\Admin\AppData\Local\Temp\8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe
  C:\Users\Admin\AppData\Local\Temp\8b621edfc6fa3695a3b60ec40bb9a2c2da6de7568cd5f63b22d7007d06ebbffb.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:364
- - C:\Users\Admin\AppData\Roaming\x9el0.exe
    C:\Users\Admin\AppData\Roaming\x9el0.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Users\Admin\AppData\Roaming\x9el0.exe
      C:\Users\Admin\AppData\Roaming\x9el0.exe
      4⤵
      Executes dropped EXE
      PID:1020
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 524 -s 292
      4⤵
      Program crash
      PID:396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 292
  2⤵
  - Program crash
  PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4000 -ip 4000
1⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 524 -ip 524
1⤵
PID:216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\x9el0.exe

Filesize
118KB

MD5
0cbc977492f5d4dd12eed31f05dfc925

SHA1
cc3bf8a45f091d8eb0461e78a834623962fd7811

SHA256
522f580985e2c59ec20027086345a9eda2b0ade71600fabe8643dea888d7bb7b

SHA512
d2ac645babd72bdf097bc472286412e0e97a442486fe81ccf2162c4defd0840c327e6ee7192c7fdb6a63c2e2b7f3038f399d2f581a42e506d3e00545596f25f2

Download Submit
C:\Users\Admin\AppData\Roaming\x9el0.exe

Filesize
118KB

MD5
0cbc977492f5d4dd12eed31f05dfc925

SHA1
cc3bf8a45f091d8eb0461e78a834623962fd7811

SHA256
522f580985e2c59ec20027086345a9eda2b0ade71600fabe8643dea888d7bb7b

SHA512
d2ac645babd72bdf097bc472286412e0e97a442486fe81ccf2162c4defd0840c327e6ee7192c7fdb6a63c2e2b7f3038f399d2f581a42e506d3e00545596f25f2

Download Submit
C:\Users\Admin\AppData\Roaming\x9el0.exe

Filesize
118KB

MD5
0cbc977492f5d4dd12eed31f05dfc925

SHA1
cc3bf8a45f091d8eb0461e78a834623962fd7811

SHA256
522f580985e2c59ec20027086345a9eda2b0ade71600fabe8643dea888d7bb7b

SHA512
d2ac645babd72bdf097bc472286412e0e97a442486fe81ccf2162c4defd0840c327e6ee7192c7fdb6a63c2e2b7f3038f399d2f581a42e506d3e00545596f25f2

Download Submit
memory/364-135-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/364-132-0x0000000000000000-mapping.dmp

Download
memory/364-134-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/364-133-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/364-144-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/524-136-0x0000000000000000-mapping.dmp

Download
memory/1020-139-0x0000000000000000-mapping.dmp

Download
memory/1020-142-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1020-143-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1020-145-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1020-146-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing