ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98

General

Target

ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe
Size

375KB
MD5

4fe012a53f34f315e693ddf8a8a7cbb8
SHA1

dc38010ba1a416db24e69d745d5cbd5eec1192c5
SHA256

ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98
SHA512

f0a3bb9aedf1c7b3089fc6affa6ce0967c46762a783343cf1291500a339fd6d3807344bda0ce863c51a2caf26ccea4d4a8fcd07d499f6e9f2ac652d3849f67f6
SSDEEP

6144:8UvbxAQd6J+1i77CGTaTVEcL0Dv7isAzP5yiY2EDEtz:pKQd6Q1dGmhEcM9gz

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
892	8Wwv7q9FNDpZ.exe
1648	8Wwv7q9FNDpZ.exe

Deletes itself 1 IoCs

pid	Process
1648	8Wwv7q9FNDpZ.exe

Loads dropped DLL 4 IoCs

pid	Process
1036	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe
1036	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe
1036	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe
1648	8Wwv7q9FNDpZ.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\PztVA0CMV6Z = "C:\\ProgramData\\EndO8bz6eg\\8Wwv7q9FNDpZ.exe"	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1064 set thread context of 1036	1064	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe	27
PID 892 set thread context of 1648	892	8Wwv7q9FNDpZ.exe	29
PID 1648 set thread context of 1444	1648	8Wwv7q9FNDpZ.exe	30

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 1036	1064	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe	27
PID 1064 wrote to memory of 1036	1064	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe	27
PID 1064 wrote to memory of 1036	1064	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe	27
PID 1064 wrote to memory of 1036	1064	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe	27
PID 1064 wrote to memory of 1036	1064	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe	27
PID 1064 wrote to memory of 1036	1064	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe	27
PID 1036 wrote to memory of 892	1036	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe	28
PID 1036 wrote to memory of 892	1036	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe	28
PID 1036 wrote to memory of 892	1036	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe	28
PID 1036 wrote to memory of 892	1036	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe	28
PID 892 wrote to memory of 1648	892	8Wwv7q9FNDpZ.exe	29
PID 892 wrote to memory of 1648	892	8Wwv7q9FNDpZ.exe	29
PID 892 wrote to memory of 1648	892	8Wwv7q9FNDpZ.exe	29
PID 892 wrote to memory of 1648	892	8Wwv7q9FNDpZ.exe	29
PID 892 wrote to memory of 1648	892	8Wwv7q9FNDpZ.exe	29
PID 892 wrote to memory of 1648	892	8Wwv7q9FNDpZ.exe	29
PID 1648 wrote to memory of 1444	1648	8Wwv7q9FNDpZ.exe	30
PID 1648 wrote to memory of 1444	1648	8Wwv7q9FNDpZ.exe	30
PID 1648 wrote to memory of 1444	1648	8Wwv7q9FNDpZ.exe	30
PID 1648 wrote to memory of 1444	1648	8Wwv7q9FNDpZ.exe	30
PID 1648 wrote to memory of 1444	1648	8Wwv7q9FNDpZ.exe	30
PID 1648 wrote to memory of 1444	1648	8Wwv7q9FNDpZ.exe	30
PID 1648 wrote to memory of 1444	1648	8Wwv7q9FNDpZ.exe	30
PID 1648 wrote to memory of 1444	1648	8Wwv7q9FNDpZ.exe	30
PID 1648 wrote to memory of 1444	1648	8Wwv7q9FNDpZ.exe	30

C:\Users\Admin\AppData\Local\Temp\ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe
"C:\Users\Admin\AppData\Local\Temp\ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe
  "C:\Users\Admin\AppData\Local\Temp\ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\ProgramData\EndO8bz6eg\8Wwv7q9FNDpZ.exe
    "C:\ProgramData\EndO8bz6eg\8Wwv7q9FNDpZ.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:892
  - - C:\ProgramData\EndO8bz6eg\8Wwv7q9FNDpZ.exe
      "C:\ProgramData\EndO8bz6eg\8Wwv7q9FNDpZ.exe"
      4⤵
      Executes dropped EXE
      Deletes itself
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1648
    - - C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler.exe" /i:1648
        5⤵
        
        PID:1444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\EndO8bz6eg\8Wwv7q9FNDpZ.exe

Filesize
375KB

MD5
6dc355dd75a02ed2f1155f46565274b5

SHA1
4aefe37ed87bcf530c56f0fab3993a92ff46905e

SHA256
aaf8cefe49f0ec5105d49d6292683669de1848135283b907d6f56a900164f350

SHA512
7abfdb14d7da6dbd045a3a288181b08aa64f307a1e4d05b91019685740a8a341d9a72e25a5edcfe870543ff56f6706eb1a64d739852e193c6ffb9fe22f7d3fba

Download Submit
C:\ProgramData\EndO8bz6eg\8Wwv7q9FNDpZ.exe

Filesize
375KB

MD5
6dc355dd75a02ed2f1155f46565274b5

SHA1
4aefe37ed87bcf530c56f0fab3993a92ff46905e

SHA256
aaf8cefe49f0ec5105d49d6292683669de1848135283b907d6f56a900164f350

SHA512
7abfdb14d7da6dbd045a3a288181b08aa64f307a1e4d05b91019685740a8a341d9a72e25a5edcfe870543ff56f6706eb1a64d739852e193c6ffb9fe22f7d3fba

Download Submit
C:\ProgramData\EndO8bz6eg\8Wwv7q9FNDpZ.exe

Filesize
375KB

MD5
6dc355dd75a02ed2f1155f46565274b5

SHA1
4aefe37ed87bcf530c56f0fab3993a92ff46905e

SHA256
aaf8cefe49f0ec5105d49d6292683669de1848135283b907d6f56a900164f350

SHA512
7abfdb14d7da6dbd045a3a288181b08aa64f307a1e4d05b91019685740a8a341d9a72e25a5edcfe870543ff56f6706eb1a64d739852e193c6ffb9fe22f7d3fba

Download Submit
\ProgramData\EndO8bz6eg\8Wwv7q9FNDpZ.exe

Filesize
375KB

MD5
6dc355dd75a02ed2f1155f46565274b5

SHA1
4aefe37ed87bcf530c56f0fab3993a92ff46905e

SHA256
aaf8cefe49f0ec5105d49d6292683669de1848135283b907d6f56a900164f350

SHA512
7abfdb14d7da6dbd045a3a288181b08aa64f307a1e4d05b91019685740a8a341d9a72e25a5edcfe870543ff56f6706eb1a64d739852e193c6ffb9fe22f7d3fba

Download Submit
\ProgramData\EndO8bz6eg\8Wwv7q9FNDpZ.exe

Filesize
375KB

MD5
6dc355dd75a02ed2f1155f46565274b5

SHA1
4aefe37ed87bcf530c56f0fab3993a92ff46905e

SHA256
aaf8cefe49f0ec5105d49d6292683669de1848135283b907d6f56a900164f350

SHA512
7abfdb14d7da6dbd045a3a288181b08aa64f307a1e4d05b91019685740a8a341d9a72e25a5edcfe870543ff56f6706eb1a64d739852e193c6ffb9fe22f7d3fba

Download Submit
\ProgramData\EndO8bz6eg\8Wwv7q9FNDpZ.exe

Filesize
375KB

MD5
4fe012a53f34f315e693ddf8a8a7cbb8

SHA1
dc38010ba1a416db24e69d745d5cbd5eec1192c5

SHA256
ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98

SHA512
f0a3bb9aedf1c7b3089fc6affa6ce0967c46762a783343cf1291500a339fd6d3807344bda0ce863c51a2caf26ccea4d4a8fcd07d499f6e9f2ac652d3849f67f6

Download Submit
\Users\Admin\AppData\Local\Temp\rd3QgHVbwYR.exe

Filesize
375KB

MD5
6dc355dd75a02ed2f1155f46565274b5

SHA1
4aefe37ed87bcf530c56f0fab3993a92ff46905e

SHA256
aaf8cefe49f0ec5105d49d6292683669de1848135283b907d6f56a900164f350

SHA512
7abfdb14d7da6dbd045a3a288181b08aa64f307a1e4d05b91019685740a8a341d9a72e25a5edcfe870543ff56f6706eb1a64d739852e193c6ffb9fe22f7d3fba

Download Submit
memory/1036-59-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1036-66-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1036-58-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1036-61-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1036-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1036-54-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1444-84-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1444-85-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1648-83-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1648-76-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing