ab3b1bc7711a4cf1b7805660325035843f551b04172b28270c6e0acb66a7b324

General

Target

ab3b1bc7711a4cf1b7805660325035843f551b04172b28270c6e0acb66a7b324.exe
Size

144KB
MD5

32f41981aa0383a8a68fd985cffa227b
SHA1

9fae6e76326ff17cb522703f2da64d4cefbf9efd
SHA256

ab3b1bc7711a4cf1b7805660325035843f551b04172b28270c6e0acb66a7b324
SHA512

f74c20ae72b4237f3fb7d4e8302af63a77cae17a50838226d0662e4cd15e3acca44365385312998a81c776d3b38b3818fc0525c4be33ca8b45fc5fdd00a5f567
SSDEEP

3072:9dCLKdYqFfGHAl5uN3+rS8de2z3KUeFbKi:cKd+Hm5ul++k3NeFO

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

win24.exe

pid process

2028 win24.exe

pid	process
2028	win24.exe

Loads dropped DLL 2 IoCs

Processes:

ab3b1bc7711a4cf1b7805660325035843f551b04172b28270c6e0acb66a7b324.exe

pid	process
1352	ab3b1bc7711a4cf1b7805660325035843f551b04172b28270c6e0acb66a7b324.exe
1352	ab3b1bc7711a4cf1b7805660325035843f551b04172b28270c6e0acb66a7b324.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ab3b1bc7711a4cf1b7805660325035843f551b04172b28270c6e0acb66a7b324.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\runAPI28 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\runAPI97.exe\""	ab3b1bc7711a4cf1b7805660325035843f551b04172b28270c6e0acb66a7b324.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ab3b1bc7711a4cf1b7805660325035843f551b04172b28270c6e0acb66a7b324.exe

description	pid	process	target process
PID 1352 set thread context of 2028	1352	ab3b1bc7711a4cf1b7805660325035843f551b04172b28270c6e0acb66a7b324.exe	win24.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ab3b1bc7711a4cf1b7805660325035843f551b04172b28270c6e0acb66a7b324.exe

description	pid	process	target process
PID 1352 wrote to memory of 2028	1352	ab3b1bc7711a4cf1b7805660325035843f551b04172b28270c6e0acb66a7b324.exe	win24.exe
PID 1352 wrote to memory of 2028	1352	ab3b1bc7711a4cf1b7805660325035843f551b04172b28270c6e0acb66a7b324.exe	win24.exe
PID 1352 wrote to memory of 2028	1352	ab3b1bc7711a4cf1b7805660325035843f551b04172b28270c6e0acb66a7b324.exe	win24.exe
PID 1352 wrote to memory of 2028	1352	ab3b1bc7711a4cf1b7805660325035843f551b04172b28270c6e0acb66a7b324.exe	win24.exe
PID 1352 wrote to memory of 2028	1352	ab3b1bc7711a4cf1b7805660325035843f551b04172b28270c6e0acb66a7b324.exe	win24.exe
PID 1352 wrote to memory of 2028	1352	ab3b1bc7711a4cf1b7805660325035843f551b04172b28270c6e0acb66a7b324.exe	win24.exe
PID 1352 wrote to memory of 2028	1352	ab3b1bc7711a4cf1b7805660325035843f551b04172b28270c6e0acb66a7b324.exe	win24.exe
PID 1352 wrote to memory of 2028	1352	ab3b1bc7711a4cf1b7805660325035843f551b04172b28270c6e0acb66a7b324.exe	win24.exe
PID 1352 wrote to memory of 2028	1352	ab3b1bc7711a4cf1b7805660325035843f551b04172b28270c6e0acb66a7b324.exe	win24.exe

C:\Users\Admin\AppData\Local\Temp\ab3b1bc7711a4cf1b7805660325035843f551b04172b28270c6e0acb66a7b324.exe
"C:\Users\Admin\AppData\Local\Temp\ab3b1bc7711a4cf1b7805660325035843f551b04172b28270c6e0acb66a7b324.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Local\Temp\win24.exe
C:\Users\Admin\AppData\Local\Temp\win24.exe
2⤵
- Executes dropped EXE
PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\win24.exe

Filesize
4KB

MD5
5e5ecae8b08152c885904cde71c50dad

SHA1
727f24d102ab29be690c783ddc149b3a39430fb6

SHA256
b3550952a2474802ae5f2d2d7e75987ccd7ca23baa8ba015c3eaa6fd04b55541

SHA512
dd6287a8471aa575abbcf46300ac64a170c0cb19052d779c7bc0899149c6114a4e42520756dae1598e18458d94522d6c7701a7bc3a37067ac2a1616dbbf8e5ea

Download Submit
\Users\Admin\AppData\Local\Temp\win24.exe

Filesize
4KB

MD5
5e5ecae8b08152c885904cde71c50dad

SHA1
727f24d102ab29be690c783ddc149b3a39430fb6

SHA256
b3550952a2474802ae5f2d2d7e75987ccd7ca23baa8ba015c3eaa6fd04b55541

SHA512
dd6287a8471aa575abbcf46300ac64a170c0cb19052d779c7bc0899149c6114a4e42520756dae1598e18458d94522d6c7701a7bc3a37067ac2a1616dbbf8e5ea

Download Submit
\Users\Admin\AppData\Local\Temp\win24.exe

Filesize
4KB

MD5
5e5ecae8b08152c885904cde71c50dad

SHA1
727f24d102ab29be690c783ddc149b3a39430fb6

SHA256
b3550952a2474802ae5f2d2d7e75987ccd7ca23baa8ba015c3eaa6fd04b55541

SHA512
dd6287a8471aa575abbcf46300ac64a170c0cb19052d779c7bc0899149c6114a4e42520756dae1598e18458d94522d6c7701a7bc3a37067ac2a1616dbbf8e5ea

Download Submit
memory/1352-54-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1352-58-0x0000000073F70000-0x000000007451B000-memory.dmp

Filesize
5.7MB

Download
memory/1352-68-0x0000000073F70000-0x000000007451B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-57-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2028-59-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2028-61-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2028-63-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2028-64-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2028-65-0x0000000000408D3E-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads