a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe

General

Target

a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe
Size

164KB
MD5

16217888a5b9d3c1d118cc0ae0ea2e00
SHA1

5b2618b99d256e35c87cbffa81dfbb3f54ded978
SHA256

a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe
SHA512

9dbea0f98d0ff7fdfb5cce6720adec1b85ab16f58881dfb5a79f6784b4392a1a1caaf371311f617cf2076806dc5bef89eeade2527865e1505f63abb4a6f6cfd1
SSDEEP

1536:oz3McnjKk9gil9Lo/wjkHKQASMdzJaGAfXuUVjbzbL/:WJrdcwQHVAS4zRaXuQvf

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
844	services105.exe

Loads dropped DLL 2 IoCs

pid	Process
1956	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe
1956	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\services105.exe"	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\services105.exe"	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Adobe Reader Speed Launcher = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\services105.exe"	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1184 set thread context of 1956	1184	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe	26

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 1956	1184	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe	26
PID 1184 wrote to memory of 1956	1184	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe	26
PID 1184 wrote to memory of 1956	1184	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe	26
PID 1184 wrote to memory of 1956	1184	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe	26
PID 1184 wrote to memory of 1956	1184	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe	26
PID 1184 wrote to memory of 1956	1184	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe	26
PID 1184 wrote to memory of 1956	1184	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe	26
PID 1184 wrote to memory of 1956	1184	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe	26
PID 1184 wrote to memory of 1956	1184	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe	26
PID 1956 wrote to memory of 844	1956	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe	27
PID 1956 wrote to memory of 844	1956	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe	27
PID 1956 wrote to memory of 844	1956	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe	27
PID 1956 wrote to memory of 844	1956	a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe	27

C:\Users\Admin\AppData\Local\Temp\a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe
"C:\Users\Admin\AppData\Local\Temp\a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\AppData\Local\Temp\a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe
  "C:\Users\Admin\AppData\Local\Temp\a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies WinLogon
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Users\Admin\AppData\Roaming\Microsoft\services105.exe
    -n
    3⤵
    - Executes dropped EXE
    PID:844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\services105.exe

Filesize
164KB

MD5
16217888a5b9d3c1d118cc0ae0ea2e00

SHA1
5b2618b99d256e35c87cbffa81dfbb3f54ded978

SHA256
a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe

SHA512
9dbea0f98d0ff7fdfb5cce6720adec1b85ab16f58881dfb5a79f6784b4392a1a1caaf371311f617cf2076806dc5bef89eeade2527865e1505f63abb4a6f6cfd1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\services105.exe

Filesize
164KB

MD5
16217888a5b9d3c1d118cc0ae0ea2e00

SHA1
5b2618b99d256e35c87cbffa81dfbb3f54ded978

SHA256
a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe

SHA512
9dbea0f98d0ff7fdfb5cce6720adec1b85ab16f58881dfb5a79f6784b4392a1a1caaf371311f617cf2076806dc5bef89eeade2527865e1505f63abb4a6f6cfd1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\services105.exe

Filesize
164KB

MD5
16217888a5b9d3c1d118cc0ae0ea2e00

SHA1
5b2618b99d256e35c87cbffa81dfbb3f54ded978

SHA256
a8a463a7efb17849ae3a8ba0b3a9652ecc0bf8977a16ca1b6dc0ca1aa077c1fe

SHA512
9dbea0f98d0ff7fdfb5cce6720adec1b85ab16f58881dfb5a79f6784b4392a1a1caaf371311f617cf2076806dc5bef89eeade2527865e1505f63abb4a6f6cfd1

Download Submit
memory/844-77-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1184-67-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1184-55-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1184-54-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1956-59-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1956-70-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1956-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1956-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1956-61-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1956-75-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1956-57-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1956-56-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads