91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c

General

Target

91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe
Size

411KB
MD5

5e0a2d63cea7b82a5ceff00165a1bae0
SHA1

f04205570d7175ad3fc61d4165375373b9dc5fc7
SHA256

91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c
SHA512

5bc0e5ad629e20e042e9d7fd1658fe7f558d00c3068acd3ccd56ceebf9eb356cef2ca0b7cad4fe69c018c6aa73618a86909e56a31dd6bea57c370ddc361e8324
SSDEEP

6144:9GK72pGPiE1aVtXTTHhWs4bWADaevZ+zDSv67kYoWI8:9pTDcV7Wfb3jAG679oh

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1608	yF40cOzDOJAGsh.exe
1532	yF40cOzDOJAGsh.exe

Deletes itself 1 IoCs

pid	Process
1532	yF40cOzDOJAGsh.exe

Loads dropped DLL 4 IoCs

pid	Process
2044	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe
2044	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe
2044	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe
1532	yF40cOzDOJAGsh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\m3CBVgJ3b = "C:\\ProgramData\\PbsIEgSgEaH\\yF40cOzDOJAGsh.exe"	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1896 set thread context of 2044	1896	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe	27
PID 1608 set thread context of 1532	1608	yF40cOzDOJAGsh.exe	29
PID 1532 set thread context of 624	1532	yF40cOzDOJAGsh.exe	30

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 2044	1896	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe	27
PID 1896 wrote to memory of 2044	1896	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe	27
PID 1896 wrote to memory of 2044	1896	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe	27
PID 1896 wrote to memory of 2044	1896	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe	27
PID 1896 wrote to memory of 2044	1896	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe	27
PID 1896 wrote to memory of 2044	1896	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe	27
PID 2044 wrote to memory of 1608	2044	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe	28
PID 2044 wrote to memory of 1608	2044	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe	28
PID 2044 wrote to memory of 1608	2044	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe	28
PID 2044 wrote to memory of 1608	2044	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe	28
PID 1608 wrote to memory of 1532	1608	yF40cOzDOJAGsh.exe	29
PID 1608 wrote to memory of 1532	1608	yF40cOzDOJAGsh.exe	29
PID 1608 wrote to memory of 1532	1608	yF40cOzDOJAGsh.exe	29
PID 1608 wrote to memory of 1532	1608	yF40cOzDOJAGsh.exe	29
PID 1608 wrote to memory of 1532	1608	yF40cOzDOJAGsh.exe	29
PID 1608 wrote to memory of 1532	1608	yF40cOzDOJAGsh.exe	29
PID 1532 wrote to memory of 624	1532	yF40cOzDOJAGsh.exe	30
PID 1532 wrote to memory of 624	1532	yF40cOzDOJAGsh.exe	30
PID 1532 wrote to memory of 624	1532	yF40cOzDOJAGsh.exe	30
PID 1532 wrote to memory of 624	1532	yF40cOzDOJAGsh.exe	30
PID 1532 wrote to memory of 624	1532	yF40cOzDOJAGsh.exe	30
PID 1532 wrote to memory of 624	1532	yF40cOzDOJAGsh.exe	30

C:\Users\Admin\AppData\Local\Temp\91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe
"C:\Users\Admin\AppData\Local\Temp\91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Users\Admin\AppData\Local\Temp\91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe
  "C:\Users\Admin\AppData\Local\Temp\91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\ProgramData\PbsIEgSgEaH\yF40cOzDOJAGsh.exe
    "C:\ProgramData\PbsIEgSgEaH\yF40cOzDOJAGsh.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\ProgramData\PbsIEgSgEaH\yF40cOzDOJAGsh.exe
      "C:\ProgramData\PbsIEgSgEaH\yF40cOzDOJAGsh.exe"
      4⤵
      Executes dropped EXE
      Deletes itself
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1532
    - - C:\Program Files (x86)\Internet Explorer\ExtExport.exe
        
        "C:\Program Files (x86)\Internet Explorer\ExtExport.exe" /i:1532
        5⤵
        
        PID:624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\PbsIEgSgEaH\yF40cOzDOJAGsh.exe

Filesize
411KB

MD5
202c7aad7d7ae54c26c5e7e1cd6e5b5c

SHA1
d3527d5d6636eda6224d797ef8ca9ed1b84babe0

SHA256
57b04c1468ce8df6595e401b00d5a530cccd9580fcb527a8e40a96233a1ec692

SHA512
653a1616b10977313bbb9f9cb9dabd433557c49ba380d9eefd5503d4a3eeade1de65224109ba32a675dbd0640f300518816d87e513b735eafa8ecdc0683ebdc5

Download Submit
C:\ProgramData\PbsIEgSgEaH\yF40cOzDOJAGsh.exe

Filesize
411KB

MD5
202c7aad7d7ae54c26c5e7e1cd6e5b5c

SHA1
d3527d5d6636eda6224d797ef8ca9ed1b84babe0

SHA256
57b04c1468ce8df6595e401b00d5a530cccd9580fcb527a8e40a96233a1ec692

SHA512
653a1616b10977313bbb9f9cb9dabd433557c49ba380d9eefd5503d4a3eeade1de65224109ba32a675dbd0640f300518816d87e513b735eafa8ecdc0683ebdc5

Download Submit
C:\ProgramData\PbsIEgSgEaH\yF40cOzDOJAGsh.exe

Filesize
411KB

MD5
202c7aad7d7ae54c26c5e7e1cd6e5b5c

SHA1
d3527d5d6636eda6224d797ef8ca9ed1b84babe0

SHA256
57b04c1468ce8df6595e401b00d5a530cccd9580fcb527a8e40a96233a1ec692

SHA512
653a1616b10977313bbb9f9cb9dabd433557c49ba380d9eefd5503d4a3eeade1de65224109ba32a675dbd0640f300518816d87e513b735eafa8ecdc0683ebdc5

Download Submit
\ProgramData\PbsIEgSgEaH\yF40cOzDOJAGsh.exe

Filesize
411KB

MD5
202c7aad7d7ae54c26c5e7e1cd6e5b5c

SHA1
d3527d5d6636eda6224d797ef8ca9ed1b84babe0

SHA256
57b04c1468ce8df6595e401b00d5a530cccd9580fcb527a8e40a96233a1ec692

SHA512
653a1616b10977313bbb9f9cb9dabd433557c49ba380d9eefd5503d4a3eeade1de65224109ba32a675dbd0640f300518816d87e513b735eafa8ecdc0683ebdc5

Download Submit
\ProgramData\PbsIEgSgEaH\yF40cOzDOJAGsh.exe

Filesize
411KB

MD5
202c7aad7d7ae54c26c5e7e1cd6e5b5c

SHA1
d3527d5d6636eda6224d797ef8ca9ed1b84babe0

SHA256
57b04c1468ce8df6595e401b00d5a530cccd9580fcb527a8e40a96233a1ec692

SHA512
653a1616b10977313bbb9f9cb9dabd433557c49ba380d9eefd5503d4a3eeade1de65224109ba32a675dbd0640f300518816d87e513b735eafa8ecdc0683ebdc5

Download Submit
\ProgramData\PbsIEgSgEaH\yF40cOzDOJAGsh.exe

Filesize
411KB

MD5
5e0a2d63cea7b82a5ceff00165a1bae0

SHA1
f04205570d7175ad3fc61d4165375373b9dc5fc7

SHA256
91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c

SHA512
5bc0e5ad629e20e042e9d7fd1658fe7f558d00c3068acd3ccd56ceebf9eb356cef2ca0b7cad4fe69c018c6aa73618a86909e56a31dd6bea57c370ddc361e8324

Download Submit
\Users\Admin\AppData\Local\Temp\wUS0rY8eSh.exe

Filesize
411KB

MD5
202c7aad7d7ae54c26c5e7e1cd6e5b5c

SHA1
d3527d5d6636eda6224d797ef8ca9ed1b84babe0

SHA256
57b04c1468ce8df6595e401b00d5a530cccd9580fcb527a8e40a96233a1ec692

SHA512
653a1616b10977313bbb9f9cb9dabd433557c49ba380d9eefd5503d4a3eeade1de65224109ba32a675dbd0640f300518816d87e513b735eafa8ecdc0683ebdc5

Download Submit
memory/624-84-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/624-83-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1532-75-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1532-82-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2044-65-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2044-59-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2044-54-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2044-58-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2044-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing