56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca

General

Target

56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe
Size

351KB
MD5

bffb04890d8df7e4afdc1d5dfcb3248a
SHA1

10dd863a8314dcd0ea685c4c9425a80423bc81d1
SHA256

56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca
SHA512

54e443f028d043d57ff81affe51fc54ef3630ef326209d2263433c4fe80b3c34c1da82e7f8e6054f819f34c917e8632875c87b8b67058864dc37567fbeb82b11
SSDEEP

6144:Z3c4cg0RO2MzGYfGAAUkPlBDdIKTss+daU1yFKhPozGafzD:ZiBTMCYuAAf9ow1+daMyFFaafv

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1760	ECFs098AK.exe
1304	ECFs098AK.exe

Deletes itself 1 IoCs

pid	Process
1304	ECFs098AK.exe

Loads dropped DLL 4 IoCs

pid	Process
776	56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe
776	56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe
776	56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe
1304	ECFs098AK.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\G2tUpMukuStslaS = "C:\\ProgramData\\atGn4JEoj\\ECFs098AK.exe"	56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 476 set thread context of 776	476	56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe	28
PID 1760 set thread context of 1304	1760	ECFs098AK.exe	30
PID 1304 set thread context of 1672	1304	ECFs098AK.exe	32

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 476 wrote to memory of 776	476	56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe	28
PID 476 wrote to memory of 776	476	56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe	28
PID 476 wrote to memory of 776	476	56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe	28
PID 476 wrote to memory of 776	476	56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe	28
PID 476 wrote to memory of 776	476	56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe	28
PID 476 wrote to memory of 776	476	56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe	28
PID 776 wrote to memory of 1760	776	56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe	29
PID 776 wrote to memory of 1760	776	56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe	29
PID 776 wrote to memory of 1760	776	56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe	29
PID 776 wrote to memory of 1760	776	56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe	29
PID 1760 wrote to memory of 1304	1760	ECFs098AK.exe	30
PID 1760 wrote to memory of 1304	1760	ECFs098AK.exe	30
PID 1760 wrote to memory of 1304	1760	ECFs098AK.exe	30
PID 1760 wrote to memory of 1304	1760	ECFs098AK.exe	30
PID 1760 wrote to memory of 1304	1760	ECFs098AK.exe	30
PID 1760 wrote to memory of 1304	1760	ECFs098AK.exe	30
PID 1304 wrote to memory of 1744	1304	ECFs098AK.exe	31
PID 1304 wrote to memory of 1744	1304	ECFs098AK.exe	31
PID 1304 wrote to memory of 1744	1304	ECFs098AK.exe	31
PID 1304 wrote to memory of 1744	1304	ECFs098AK.exe	31
PID 1304 wrote to memory of 1672	1304	ECFs098AK.exe	32
PID 1304 wrote to memory of 1672	1304	ECFs098AK.exe	32
PID 1304 wrote to memory of 1672	1304	ECFs098AK.exe	32
PID 1304 wrote to memory of 1672	1304	ECFs098AK.exe	32
PID 1304 wrote to memory of 1672	1304	ECFs098AK.exe	32
PID 1304 wrote to memory of 1672	1304	ECFs098AK.exe	32

C:\Users\Admin\AppData\Local\Temp\56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe
"C:\Users\Admin\AppData\Local\Temp\56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:476
- C:\Users\Admin\AppData\Local\Temp\56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe
  "C:\Users\Admin\AppData\Local\Temp\56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\ProgramData\atGn4JEoj\ECFs098AK.exe
    "C:\ProgramData\atGn4JEoj\ECFs098AK.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\ProgramData\atGn4JEoj\ECFs098AK.exe
      "C:\ProgramData\atGn4JEoj\ECFs098AK.exe"
      4⤵
      Executes dropped EXE
      Deletes itself
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1304
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe" /i:1304
        5⤵
        
        PID:1744
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" /i:1304
        5⤵
        
        PID:1672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\atGn4JEoj\ECFs098AK.exe

Filesize
351KB

MD5
5a1c4b11cfe5bd389b2da7fcda1e0e3c

SHA1
05dad81e3ab2e292713969680cff2abe87b22234

SHA256
58e0f072970c60203e4bf0c806069f24a38a816920924ccde901bce6bddf48aa

SHA512
f386fc5eb8521d006b9f35dfca57141dfc13013f6aebeb2bceea415cacec08c11c440501236cf3f3053d161bbc033e9fbef4f9dd6f34e12c985dfe05c7072ea4

Download Submit
C:\ProgramData\atGn4JEoj\ECFs098AK.exe

Filesize
351KB

MD5
5a1c4b11cfe5bd389b2da7fcda1e0e3c

SHA1
05dad81e3ab2e292713969680cff2abe87b22234

SHA256
58e0f072970c60203e4bf0c806069f24a38a816920924ccde901bce6bddf48aa

SHA512
f386fc5eb8521d006b9f35dfca57141dfc13013f6aebeb2bceea415cacec08c11c440501236cf3f3053d161bbc033e9fbef4f9dd6f34e12c985dfe05c7072ea4

Download Submit
C:\ProgramData\atGn4JEoj\ECFs098AK.exe

Filesize
351KB

MD5
5a1c4b11cfe5bd389b2da7fcda1e0e3c

SHA1
05dad81e3ab2e292713969680cff2abe87b22234

SHA256
58e0f072970c60203e4bf0c806069f24a38a816920924ccde901bce6bddf48aa

SHA512
f386fc5eb8521d006b9f35dfca57141dfc13013f6aebeb2bceea415cacec08c11c440501236cf3f3053d161bbc033e9fbef4f9dd6f34e12c985dfe05c7072ea4

Download Submit
\ProgramData\atGn4JEoj\ECFs098AK.exe

Filesize
351KB

MD5
5a1c4b11cfe5bd389b2da7fcda1e0e3c

SHA1
05dad81e3ab2e292713969680cff2abe87b22234

SHA256
58e0f072970c60203e4bf0c806069f24a38a816920924ccde901bce6bddf48aa

SHA512
f386fc5eb8521d006b9f35dfca57141dfc13013f6aebeb2bceea415cacec08c11c440501236cf3f3053d161bbc033e9fbef4f9dd6f34e12c985dfe05c7072ea4

Download Submit
\ProgramData\atGn4JEoj\ECFs098AK.exe

Filesize
351KB

MD5
5a1c4b11cfe5bd389b2da7fcda1e0e3c

SHA1
05dad81e3ab2e292713969680cff2abe87b22234

SHA256
58e0f072970c60203e4bf0c806069f24a38a816920924ccde901bce6bddf48aa

SHA512
f386fc5eb8521d006b9f35dfca57141dfc13013f6aebeb2bceea415cacec08c11c440501236cf3f3053d161bbc033e9fbef4f9dd6f34e12c985dfe05c7072ea4

Download Submit
\ProgramData\atGn4JEoj\ECFs098AK.exe

Filesize
351KB

MD5
bffb04890d8df7e4afdc1d5dfcb3248a

SHA1
10dd863a8314dcd0ea685c4c9425a80423bc81d1

SHA256
56b6b6434cbfb49648cca4a3b73e574f524958137951a6a81908440cea3072ca

SHA512
54e443f028d043d57ff81affe51fc54ef3630ef326209d2263433c4fe80b3c34c1da82e7f8e6054f819f34c917e8632875c87b8b67058864dc37567fbeb82b11

Download Submit
\Users\Admin\AppData\Local\Temp\4U0WngX9D5eCf78H.exe

Filesize
351KB

MD5
5a1c4b11cfe5bd389b2da7fcda1e0e3c

SHA1
05dad81e3ab2e292713969680cff2abe87b22234

SHA256
58e0f072970c60203e4bf0c806069f24a38a816920924ccde901bce6bddf48aa

SHA512
f386fc5eb8521d006b9f35dfca57141dfc13013f6aebeb2bceea415cacec08c11c440501236cf3f3053d161bbc033e9fbef4f9dd6f34e12c985dfe05c7072ea4

Download Submit
memory/776-61-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/776-59-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/776-54-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/776-58-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/776-67-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/776-62-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/776-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1304-76-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1304-78-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1304-85-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1672-86-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1672-87-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing