9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4

General

Target

9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe
Size

375KB
MD5

25a660f83de79eb1eeab82999fb81976
SHA1

1af5ac3e5597168585336157d5110b8d36e5423a
SHA256

9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4
SHA512

3caf33f4e54014016a4f9fd940de54ac0b7a9d487935febf89fc2915c971053816490d345ee07c66fa47aa49a06c0d8fe3e16f391ab0afdfb7f2e8c16546c8c9
SSDEEP

6144:8Uvbx4PkcOz6JmNmxT+hbNNpZZT8AVZzuPChJ:pu8OJm4+h/Z46NJ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
772	rIwc8hVM.exe
908	rIwc8hVM.exe

Deletes itself 1 IoCs

pid	Process
908	rIwc8hVM.exe

Loads dropped DLL 4 IoCs

pid	Process
668	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe
668	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe
668	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe
908	rIwc8hVM.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xnS2fNnq2VRzS5 = "C:\\ProgramData\\gBqJha4m\\rIwc8hVM.exe"	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1500 set thread context of 668	1500	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe	28
PID 772 set thread context of 908	772	rIwc8hVM.exe	30
PID 908 set thread context of 1804	908	rIwc8hVM.exe	31

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 668	1500	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe	28
PID 1500 wrote to memory of 668	1500	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe	28
PID 1500 wrote to memory of 668	1500	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe	28
PID 1500 wrote to memory of 668	1500	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe	28
PID 1500 wrote to memory of 668	1500	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe	28
PID 1500 wrote to memory of 668	1500	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe	28
PID 668 wrote to memory of 772	668	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe	29
PID 668 wrote to memory of 772	668	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe	29
PID 668 wrote to memory of 772	668	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe	29
PID 668 wrote to memory of 772	668	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe	29
PID 772 wrote to memory of 908	772	rIwc8hVM.exe	30
PID 772 wrote to memory of 908	772	rIwc8hVM.exe	30
PID 772 wrote to memory of 908	772	rIwc8hVM.exe	30
PID 772 wrote to memory of 908	772	rIwc8hVM.exe	30
PID 772 wrote to memory of 908	772	rIwc8hVM.exe	30
PID 772 wrote to memory of 908	772	rIwc8hVM.exe	30
PID 908 wrote to memory of 1804	908	rIwc8hVM.exe	31
PID 908 wrote to memory of 1804	908	rIwc8hVM.exe	31
PID 908 wrote to memory of 1804	908	rIwc8hVM.exe	31
PID 908 wrote to memory of 1804	908	rIwc8hVM.exe	31
PID 908 wrote to memory of 1804	908	rIwc8hVM.exe	31
PID 908 wrote to memory of 1804	908	rIwc8hVM.exe	31
PID 908 wrote to memory of 1804	908	rIwc8hVM.exe	31
PID 908 wrote to memory of 1804	908	rIwc8hVM.exe	31
PID 908 wrote to memory of 1804	908	rIwc8hVM.exe	31

C:\Users\Admin\AppData\Local\Temp\9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe
"C:\Users\Admin\AppData\Local\Temp\9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Users\Admin\AppData\Local\Temp\9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe
  "C:\Users\Admin\AppData\Local\Temp\9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\ProgramData\gBqJha4m\rIwc8hVM.exe
    "C:\ProgramData\gBqJha4m\rIwc8hVM.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\ProgramData\gBqJha4m\rIwc8hVM.exe
      "C:\ProgramData\gBqJha4m\rIwc8hVM.exe"
      4⤵
      Executes dropped EXE
      Deletes itself
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:908
    - - C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateCore.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateCore.exe" /i:908
        5⤵
        
        PID:1804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\gBqJha4m\rIwc8hVM.exe

Filesize
375KB

MD5
90025da0fee6d52952339f10bf955c56

SHA1
0faf78857ed03e7dda154be2ebec66f8271aab34

SHA256
e03dbd4899b01a6eb1942ad066a0fd8206655bb1caeb73f9ab4121a9abf7c3a9

SHA512
473697eeef65394eeeaa34a78d3c9177314e0a5a8ebd9ac46475cca7885730cb7111d002c1d990ea78081d692f37bd4a4ad50b254775a43fde35ed8cd6a0fc88

Download Submit
C:\ProgramData\gBqJha4m\rIwc8hVM.exe

Filesize
375KB

MD5
90025da0fee6d52952339f10bf955c56

SHA1
0faf78857ed03e7dda154be2ebec66f8271aab34

SHA256
e03dbd4899b01a6eb1942ad066a0fd8206655bb1caeb73f9ab4121a9abf7c3a9

SHA512
473697eeef65394eeeaa34a78d3c9177314e0a5a8ebd9ac46475cca7885730cb7111d002c1d990ea78081d692f37bd4a4ad50b254775a43fde35ed8cd6a0fc88

Download Submit
C:\ProgramData\gBqJha4m\rIwc8hVM.exe

Filesize
375KB

MD5
90025da0fee6d52952339f10bf955c56

SHA1
0faf78857ed03e7dda154be2ebec66f8271aab34

SHA256
e03dbd4899b01a6eb1942ad066a0fd8206655bb1caeb73f9ab4121a9abf7c3a9

SHA512
473697eeef65394eeeaa34a78d3c9177314e0a5a8ebd9ac46475cca7885730cb7111d002c1d990ea78081d692f37bd4a4ad50b254775a43fde35ed8cd6a0fc88

Download Submit
\ProgramData\gBqJha4m\rIwc8hVM.exe

Filesize
375KB

MD5
90025da0fee6d52952339f10bf955c56

SHA1
0faf78857ed03e7dda154be2ebec66f8271aab34

SHA256
e03dbd4899b01a6eb1942ad066a0fd8206655bb1caeb73f9ab4121a9abf7c3a9

SHA512
473697eeef65394eeeaa34a78d3c9177314e0a5a8ebd9ac46475cca7885730cb7111d002c1d990ea78081d692f37bd4a4ad50b254775a43fde35ed8cd6a0fc88

Download Submit
\ProgramData\gBqJha4m\rIwc8hVM.exe

Filesize
375KB

MD5
90025da0fee6d52952339f10bf955c56

SHA1
0faf78857ed03e7dda154be2ebec66f8271aab34

SHA256
e03dbd4899b01a6eb1942ad066a0fd8206655bb1caeb73f9ab4121a9abf7c3a9

SHA512
473697eeef65394eeeaa34a78d3c9177314e0a5a8ebd9ac46475cca7885730cb7111d002c1d990ea78081d692f37bd4a4ad50b254775a43fde35ed8cd6a0fc88

Download Submit
\ProgramData\gBqJha4m\rIwc8hVM.exe

Filesize
375KB

MD5
25a660f83de79eb1eeab82999fb81976

SHA1
1af5ac3e5597168585336157d5110b8d36e5423a

SHA256
9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4

SHA512
3caf33f4e54014016a4f9fd940de54ac0b7a9d487935febf89fc2915c971053816490d345ee07c66fa47aa49a06c0d8fe3e16f391ab0afdfb7f2e8c16546c8c9

Download Submit
\Users\Admin\AppData\Local\Temp\LpfpkeoDqswNGVB.exe

Filesize
375KB

MD5
90025da0fee6d52952339f10bf955c56

SHA1
0faf78857ed03e7dda154be2ebec66f8271aab34

SHA256
e03dbd4899b01a6eb1942ad066a0fd8206655bb1caeb73f9ab4121a9abf7c3a9

SHA512
473697eeef65394eeeaa34a78d3c9177314e0a5a8ebd9ac46475cca7885730cb7111d002c1d990ea78081d692f37bd4a4ad50b254775a43fde35ed8cd6a0fc88

Download Submit
memory/668-59-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/668-58-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/668-65-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/668-61-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/668-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/668-54-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/908-76-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/908-83-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1804-84-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing