9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4

General

Target

9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe
Size

375KB
MD5

25a660f83de79eb1eeab82999fb81976
SHA1

1af5ac3e5597168585336157d5110b8d36e5423a
SHA256

9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4
SHA512

3caf33f4e54014016a4f9fd940de54ac0b7a9d487935febf89fc2915c971053816490d345ee07c66fa47aa49a06c0d8fe3e16f391ab0afdfb7f2e8c16546c8c9
SSDEEP

6144:8Uvbx4PkcOz6JmNmxT+hbNNpZZT8AVZzuPChJ:pu8OJm4+h/Z46NJ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3884	W2pBaLU6wdM2FLkn.exe
3496	W2pBaLU6wdM2FLkn.exe

Loads dropped DLL 4 IoCs

pid	Process
5100	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe
5100	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe
3496	W2pBaLU6wdM2FLkn.exe
3496	W2pBaLU6wdM2FLkn.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WWZ3QhaIHgMxB = "C:\\ProgramData\\jGrCaAfGzA\\W2pBaLU6wdM2FLkn.exe"	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4424 set thread context of 5100	4424	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe	86
PID 3884 set thread context of 3496	3884	W2pBaLU6wdM2FLkn.exe	88
PID 3496 set thread context of 3800	3496	W2pBaLU6wdM2FLkn.exe	97

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 5100	4424	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe	86
PID 4424 wrote to memory of 5100	4424	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe	86
PID 4424 wrote to memory of 5100	4424	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe	86
PID 4424 wrote to memory of 5100	4424	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe	86
PID 4424 wrote to memory of 5100	4424	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe	86
PID 5100 wrote to memory of 3884	5100	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe	87
PID 5100 wrote to memory of 3884	5100	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe	87
PID 5100 wrote to memory of 3884	5100	9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe	87
PID 3884 wrote to memory of 3496	3884	W2pBaLU6wdM2FLkn.exe	88
PID 3884 wrote to memory of 3496	3884	W2pBaLU6wdM2FLkn.exe	88
PID 3884 wrote to memory of 3496	3884	W2pBaLU6wdM2FLkn.exe	88
PID 3884 wrote to memory of 3496	3884	W2pBaLU6wdM2FLkn.exe	88
PID 3884 wrote to memory of 3496	3884	W2pBaLU6wdM2FLkn.exe	88
PID 3496 wrote to memory of 3800	3496	W2pBaLU6wdM2FLkn.exe	97
PID 3496 wrote to memory of 3800	3496	W2pBaLU6wdM2FLkn.exe	97
PID 3496 wrote to memory of 3800	3496	W2pBaLU6wdM2FLkn.exe	97
PID 3496 wrote to memory of 3800	3496	W2pBaLU6wdM2FLkn.exe	97
PID 3496 wrote to memory of 3800	3496	W2pBaLU6wdM2FLkn.exe	97

C:\Users\Admin\AppData\Local\Temp\9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe
"C:\Users\Admin\AppData\Local\Temp\9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Users\Admin\AppData\Local\Temp\9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe
  "C:\Users\Admin\AppData\Local\Temp\9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\ProgramData\jGrCaAfGzA\W2pBaLU6wdM2FLkn.exe
    "C:\ProgramData\jGrCaAfGzA\W2pBaLU6wdM2FLkn.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3884
  - - C:\ProgramData\jGrCaAfGzA\W2pBaLU6wdM2FLkn.exe
      "C:\ProgramData\jGrCaAfGzA\W2pBaLU6wdM2FLkn.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3496
    - - C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateBroker.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateBroker.exe" /i:3496
        5⤵
        
        PID:3800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jGrCaAfGzA\W2pBaLU6wdM2FLkn.exe

Filesize
375KB

MD5
25a660f83de79eb1eeab82999fb81976

SHA1
1af5ac3e5597168585336157d5110b8d36e5423a

SHA256
9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4

SHA512
3caf33f4e54014016a4f9fd940de54ac0b7a9d487935febf89fc2915c971053816490d345ee07c66fa47aa49a06c0d8fe3e16f391ab0afdfb7f2e8c16546c8c9

Download Submit
C:\ProgramData\jGrCaAfGzA\W2pBaLU6wdM2FLkn.exe

Filesize
375KB

MD5
25a660f83de79eb1eeab82999fb81976

SHA1
1af5ac3e5597168585336157d5110b8d36e5423a

SHA256
9dba29bc5456edd1bd99a60c1006aff1466d24016a120653d7b505939559aec4

SHA512
3caf33f4e54014016a4f9fd940de54ac0b7a9d487935febf89fc2915c971053816490d345ee07c66fa47aa49a06c0d8fe3e16f391ab0afdfb7f2e8c16546c8c9

Download Submit
C:\ProgramData\jGrCaAfGzA\W2pBaLU6wdM2FLkn.exe

Filesize
375KB

MD5
700cea985a1c0cb178ce93c68d893714

SHA1
7e925fd2da5a5463aa86cd459ffadbdd8d5eec9b

SHA256
faea8a848fcc6b93b36bea5bea1ac7fab2b59fe5483bbb8e7e7bb26d6e72d608

SHA512
eb7e5f154bef6694c87005ba19e9cdea6b0fe6a3573263753852f961375062387074c1d2873329492ae974a5cef59f22182dcb661601c7fcbf310e99b8271805

Download Submit
C:\ProgramData\jGrCaAfGzA\W2pBaLU6wdM2FLkn.exe

Filesize
375KB

MD5
700cea985a1c0cb178ce93c68d893714

SHA1
7e925fd2da5a5463aa86cd459ffadbdd8d5eec9b

SHA256
faea8a848fcc6b93b36bea5bea1ac7fab2b59fe5483bbb8e7e7bb26d6e72d608

SHA512
eb7e5f154bef6694c87005ba19e9cdea6b0fe6a3573263753852f961375062387074c1d2873329492ae974a5cef59f22182dcb661601c7fcbf310e99b8271805

Download Submit
C:\ProgramData\jGrCaAfGzA\W2pBaLU6wdM2FLkn.exe

Filesize
375KB

MD5
700cea985a1c0cb178ce93c68d893714

SHA1
7e925fd2da5a5463aa86cd459ffadbdd8d5eec9b

SHA256
faea8a848fcc6b93b36bea5bea1ac7fab2b59fe5483bbb8e7e7bb26d6e72d608

SHA512
eb7e5f154bef6694c87005ba19e9cdea6b0fe6a3573263753852f961375062387074c1d2873329492ae974a5cef59f22182dcb661601c7fcbf310e99b8271805

Download Submit
C:\Users\Admin\AppData\Local\Temp\197STOnDEfM.exe

Filesize
375KB

MD5
700cea985a1c0cb178ce93c68d893714

SHA1
7e925fd2da5a5463aa86cd459ffadbdd8d5eec9b

SHA256
faea8a848fcc6b93b36bea5bea1ac7fab2b59fe5483bbb8e7e7bb26d6e72d608

SHA512
eb7e5f154bef6694c87005ba19e9cdea6b0fe6a3573263753852f961375062387074c1d2873329492ae974a5cef59f22182dcb661601c7fcbf310e99b8271805

Download Submit
C:\Users\Admin\AppData\Local\Temp\197STOnDEfM.exe

Filesize
375KB

MD5
700cea985a1c0cb178ce93c68d893714

SHA1
7e925fd2da5a5463aa86cd459ffadbdd8d5eec9b

SHA256
faea8a848fcc6b93b36bea5bea1ac7fab2b59fe5483bbb8e7e7bb26d6e72d608

SHA512
eb7e5f154bef6694c87005ba19e9cdea6b0fe6a3573263753852f961375062387074c1d2873329492ae974a5cef59f22182dcb661601c7fcbf310e99b8271805

Download Submit
memory/3496-150-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3496-151-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3496-156-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3800-157-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5100-138-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5100-142-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5100-135-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5100-134-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5100-133-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing