ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98

General

Target

ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe
Size

375KB
MD5

4fe012a53f34f315e693ddf8a8a7cbb8
SHA1

dc38010ba1a416db24e69d745d5cbd5eec1192c5
SHA256

ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98
SHA512

f0a3bb9aedf1c7b3089fc6affa6ce0967c46762a783343cf1291500a339fd6d3807344bda0ce863c51a2caf26ccea4d4a8fcd07d499f6e9f2ac652d3849f67f6
SSDEEP

6144:8UvbxAQd6J+1i77CGTaTVEcL0Dv7isAzP5yiY2EDEtz:pKQd6Q1dGmhEcM9gz

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1680	Nj3PpiORsUHm.exe
1684	Nj3PpiORsUHm.exe

Loads dropped DLL 4 IoCs

pid	Process
1128	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe
1128	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe
1684	Nj3PpiORsUHm.exe
1684	Nj3PpiORsUHm.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\keZSrKItbqf8XI = "C:\\ProgramData\\MqW1CWM0BqU6ni7f\\Nj3PpiORsUHm.exe"	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1032 set thread context of 1128	1032	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe	79
PID 1680 set thread context of 1684	1680	Nj3PpiORsUHm.exe	81
PID 1684 set thread context of 4420	1684	Nj3PpiORsUHm.exe	82

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 1128	1032	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe	79
PID 1032 wrote to memory of 1128	1032	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe	79
PID 1032 wrote to memory of 1128	1032	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe	79
PID 1032 wrote to memory of 1128	1032	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe	79
PID 1032 wrote to memory of 1128	1032	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe	79
PID 1128 wrote to memory of 1680	1128	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe	80
PID 1128 wrote to memory of 1680	1128	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe	80
PID 1128 wrote to memory of 1680	1128	ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe	80
PID 1680 wrote to memory of 1684	1680	Nj3PpiORsUHm.exe	81
PID 1680 wrote to memory of 1684	1680	Nj3PpiORsUHm.exe	81
PID 1680 wrote to memory of 1684	1680	Nj3PpiORsUHm.exe	81
PID 1680 wrote to memory of 1684	1680	Nj3PpiORsUHm.exe	81
PID 1680 wrote to memory of 1684	1680	Nj3PpiORsUHm.exe	81
PID 1684 wrote to memory of 4420	1684	Nj3PpiORsUHm.exe	82
PID 1684 wrote to memory of 4420	1684	Nj3PpiORsUHm.exe	82
PID 1684 wrote to memory of 4420	1684	Nj3PpiORsUHm.exe	82
PID 1684 wrote to memory of 4420	1684	Nj3PpiORsUHm.exe	82
PID 1684 wrote to memory of 4420	1684	Nj3PpiORsUHm.exe	82

C:\Users\Admin\AppData\Local\Temp\ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe
"C:\Users\Admin\AppData\Local\Temp\ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Users\Admin\AppData\Local\Temp\ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe
  "C:\Users\Admin\AppData\Local\Temp\ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\ProgramData\MqW1CWM0BqU6ni7f\Nj3PpiORsUHm.exe
    "C:\ProgramData\MqW1CWM0BqU6ni7f\Nj3PpiORsUHm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\ProgramData\MqW1CWM0BqU6ni7f\Nj3PpiORsUHm.exe
      "C:\ProgramData\MqW1CWM0BqU6ni7f\Nj3PpiORsUHm.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1684
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe" /i:1684
        5⤵
        
        PID:4420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MqW1CWM0BqU6ni7f\Nj3PpiORsUHm.exe

Filesize
375KB

MD5
4fe012a53f34f315e693ddf8a8a7cbb8

SHA1
dc38010ba1a416db24e69d745d5cbd5eec1192c5

SHA256
ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98

SHA512
f0a3bb9aedf1c7b3089fc6affa6ce0967c46762a783343cf1291500a339fd6d3807344bda0ce863c51a2caf26ccea4d4a8fcd07d499f6e9f2ac652d3849f67f6

Download Submit
C:\ProgramData\MqW1CWM0BqU6ni7f\Nj3PpiORsUHm.exe

Filesize
375KB

MD5
4fe012a53f34f315e693ddf8a8a7cbb8

SHA1
dc38010ba1a416db24e69d745d5cbd5eec1192c5

SHA256
ae807360e83e978da8627e93811e1ca7d910ded177c1bb2f1387e11aef1bdf98

SHA512
f0a3bb9aedf1c7b3089fc6affa6ce0967c46762a783343cf1291500a339fd6d3807344bda0ce863c51a2caf26ccea4d4a8fcd07d499f6e9f2ac652d3849f67f6

Download Submit
C:\ProgramData\MqW1CWM0BqU6ni7f\Nj3PpiORsUHm.exe

Filesize
375KB

MD5
57c388c903ce127f1cbe47166604e241

SHA1
4dc9fe22b37038c66ba6a400ca506a600d25ca30

SHA256
4c377ff6430394f7dc0f21f2e33ea9ef9d7ee7b081f8a2f8caff3e04b9d49d26

SHA512
f09c39e62d2d5362864e0d7377e5941bb9deac8ca5fd4bedc9964f94afdcfee486678f8916a66149880c8be06e2a3c5bf028601f45cc6bee3be6f043983732a7

Download Submit
C:\ProgramData\MqW1CWM0BqU6ni7f\Nj3PpiORsUHm.exe

Filesize
375KB

MD5
57c388c903ce127f1cbe47166604e241

SHA1
4dc9fe22b37038c66ba6a400ca506a600d25ca30

SHA256
4c377ff6430394f7dc0f21f2e33ea9ef9d7ee7b081f8a2f8caff3e04b9d49d26

SHA512
f09c39e62d2d5362864e0d7377e5941bb9deac8ca5fd4bedc9964f94afdcfee486678f8916a66149880c8be06e2a3c5bf028601f45cc6bee3be6f043983732a7

Download Submit
C:\ProgramData\MqW1CWM0BqU6ni7f\Nj3PpiORsUHm.exe

Filesize
375KB

MD5
57c388c903ce127f1cbe47166604e241

SHA1
4dc9fe22b37038c66ba6a400ca506a600d25ca30

SHA256
4c377ff6430394f7dc0f21f2e33ea9ef9d7ee7b081f8a2f8caff3e04b9d49d26

SHA512
f09c39e62d2d5362864e0d7377e5941bb9deac8ca5fd4bedc9964f94afdcfee486678f8916a66149880c8be06e2a3c5bf028601f45cc6bee3be6f043983732a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\aD2inCM1bO7.exe

Filesize
375KB

MD5
57c388c903ce127f1cbe47166604e241

SHA1
4dc9fe22b37038c66ba6a400ca506a600d25ca30

SHA256
4c377ff6430394f7dc0f21f2e33ea9ef9d7ee7b081f8a2f8caff3e04b9d49d26

SHA512
f09c39e62d2d5362864e0d7377e5941bb9deac8ca5fd4bedc9964f94afdcfee486678f8916a66149880c8be06e2a3c5bf028601f45cc6bee3be6f043983732a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\aD2inCM1bO7.exe

Filesize
375KB

MD5
57c388c903ce127f1cbe47166604e241

SHA1
4dc9fe22b37038c66ba6a400ca506a600d25ca30

SHA256
4c377ff6430394f7dc0f21f2e33ea9ef9d7ee7b081f8a2f8caff3e04b9d49d26

SHA512
f09c39e62d2d5362864e0d7377e5941bb9deac8ca5fd4bedc9964f94afdcfee486678f8916a66149880c8be06e2a3c5bf028601f45cc6bee3be6f043983732a7

Download Submit
memory/1128-141-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1128-138-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1128-135-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1128-134-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1128-133-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1684-150-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1684-156-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4420-157-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4420-158-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing