91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c

General

Target

91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe
Size

411KB
MD5

5e0a2d63cea7b82a5ceff00165a1bae0
SHA1

f04205570d7175ad3fc61d4165375373b9dc5fc7
SHA256

91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c
SHA512

5bc0e5ad629e20e042e9d7fd1658fe7f558d00c3068acd3ccd56ceebf9eb356cef2ca0b7cad4fe69c018c6aa73618a86909e56a31dd6bea57c370ddc361e8324
SSDEEP

6144:9GK72pGPiE1aVtXTTHhWs4bWADaevZ+zDSv67kYoWI8:9pTDcV7Wfb3jAG679oh

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3588	YtlCNH0y9.exe
3172	YtlCNH0y9.exe

Loads dropped DLL 4 IoCs

pid	Process
3144	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe
3144	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe
3172	YtlCNH0y9.exe
3172	YtlCNH0y9.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\B8xBhrrEhW = "C:\\ProgramData\\UYBJdZ6K8eOX\\YtlCNH0y9.exe"	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3332 set thread context of 3144	3332	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe	82
PID 3588 set thread context of 3172	3588	YtlCNH0y9.exe	86
PID 3172 set thread context of 1740	3172	YtlCNH0y9.exe	91

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 3144	3332	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe	82
PID 3332 wrote to memory of 3144	3332	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe	82
PID 3332 wrote to memory of 3144	3332	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe	82
PID 3332 wrote to memory of 3144	3332	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe	82
PID 3332 wrote to memory of 3144	3332	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe	82
PID 3144 wrote to memory of 3588	3144	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe	85
PID 3144 wrote to memory of 3588	3144	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe	85
PID 3144 wrote to memory of 3588	3144	91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe	85
PID 3588 wrote to memory of 3172	3588	YtlCNH0y9.exe	86
PID 3588 wrote to memory of 3172	3588	YtlCNH0y9.exe	86
PID 3588 wrote to memory of 3172	3588	YtlCNH0y9.exe	86
PID 3588 wrote to memory of 3172	3588	YtlCNH0y9.exe	86
PID 3588 wrote to memory of 3172	3588	YtlCNH0y9.exe	86
PID 3172 wrote to memory of 3672	3172	YtlCNH0y9.exe	88
PID 3172 wrote to memory of 3672	3172	YtlCNH0y9.exe	88
PID 3172 wrote to memory of 3672	3172	YtlCNH0y9.exe	88
PID 3172 wrote to memory of 1740	3172	YtlCNH0y9.exe	91
PID 3172 wrote to memory of 1740	3172	YtlCNH0y9.exe	91
PID 3172 wrote to memory of 1740	3172	YtlCNH0y9.exe	91
PID 3172 wrote to memory of 1740	3172	YtlCNH0y9.exe	91
PID 3172 wrote to memory of 1740	3172	YtlCNH0y9.exe	91

C:\Users\Admin\AppData\Local\Temp\91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe
"C:\Users\Admin\AppData\Local\Temp\91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Users\Admin\AppData\Local\Temp\91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe
  "C:\Users\Admin\AppData\Local\Temp\91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\ProgramData\UYBJdZ6K8eOX\YtlCNH0y9.exe
    "C:\ProgramData\UYBJdZ6K8eOX\YtlCNH0y9.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3588
  - - C:\ProgramData\UYBJdZ6K8eOX\YtlCNH0y9.exe
      "C:\ProgramData\UYBJdZ6K8eOX\YtlCNH0y9.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3172
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.169.31\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.169.31\MicrosoftEdgeUpdate.exe" /i:3172
        5⤵
        
        PID:3672
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" /i:3172
        5⤵
        
        PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\UYBJdZ6K8eOX\YtlCNH0y9.exe

Filesize
411KB

MD5
5e0a2d63cea7b82a5ceff00165a1bae0

SHA1
f04205570d7175ad3fc61d4165375373b9dc5fc7

SHA256
91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c

SHA512
5bc0e5ad629e20e042e9d7fd1658fe7f558d00c3068acd3ccd56ceebf9eb356cef2ca0b7cad4fe69c018c6aa73618a86909e56a31dd6bea57c370ddc361e8324

Download Submit
C:\ProgramData\UYBJdZ6K8eOX\YtlCNH0y9.exe

Filesize
411KB

MD5
5e0a2d63cea7b82a5ceff00165a1bae0

SHA1
f04205570d7175ad3fc61d4165375373b9dc5fc7

SHA256
91bea176172a4b78febc5eb65f86e9478eb7a4ae1dc8d29769896e027010d20c

SHA512
5bc0e5ad629e20e042e9d7fd1658fe7f558d00c3068acd3ccd56ceebf9eb356cef2ca0b7cad4fe69c018c6aa73618a86909e56a31dd6bea57c370ddc361e8324

Download Submit
C:\ProgramData\UYBJdZ6K8eOX\YtlCNH0y9.exe

Filesize
411KB

MD5
06ef04ff85c6addd4f598f39a26a79a1

SHA1
3217260187e815f54e0ca31912dce14cf2f9110b

SHA256
8c3232f96053c7601ee539e8ee3fa72fd448aa83a26dc954a1bc0f670160a2c4

SHA512
8e7fabd7260428e3030a4389a50170fe409f3000b588c82df28b5ba4d2cb208105836cf533ae01ace4ad3c4a4198cadd4c41d227d4e8e4d5765f163be3ac7975

Download Submit
C:\ProgramData\UYBJdZ6K8eOX\YtlCNH0y9.exe

Filesize
411KB

MD5
06ef04ff85c6addd4f598f39a26a79a1

SHA1
3217260187e815f54e0ca31912dce14cf2f9110b

SHA256
8c3232f96053c7601ee539e8ee3fa72fd448aa83a26dc954a1bc0f670160a2c4

SHA512
8e7fabd7260428e3030a4389a50170fe409f3000b588c82df28b5ba4d2cb208105836cf533ae01ace4ad3c4a4198cadd4c41d227d4e8e4d5765f163be3ac7975

Download Submit
C:\ProgramData\UYBJdZ6K8eOX\YtlCNH0y9.exe

Filesize
411KB

MD5
06ef04ff85c6addd4f598f39a26a79a1

SHA1
3217260187e815f54e0ca31912dce14cf2f9110b

SHA256
8c3232f96053c7601ee539e8ee3fa72fd448aa83a26dc954a1bc0f670160a2c4

SHA512
8e7fabd7260428e3030a4389a50170fe409f3000b588c82df28b5ba4d2cb208105836cf533ae01ace4ad3c4a4198cadd4c41d227d4e8e4d5765f163be3ac7975

Download Submit
C:\Users\Admin\AppData\Local\Temp\AxG32QwcMT0.exe

Filesize
411KB

MD5
06ef04ff85c6addd4f598f39a26a79a1

SHA1
3217260187e815f54e0ca31912dce14cf2f9110b

SHA256
8c3232f96053c7601ee539e8ee3fa72fd448aa83a26dc954a1bc0f670160a2c4

SHA512
8e7fabd7260428e3030a4389a50170fe409f3000b588c82df28b5ba4d2cb208105836cf533ae01ace4ad3c4a4198cadd4c41d227d4e8e4d5765f163be3ac7975

Download Submit
C:\Users\Admin\AppData\Local\Temp\AxG32QwcMT0.exe

Filesize
411KB

MD5
06ef04ff85c6addd4f598f39a26a79a1

SHA1
3217260187e815f54e0ca31912dce14cf2f9110b

SHA256
8c3232f96053c7601ee539e8ee3fa72fd448aa83a26dc954a1bc0f670160a2c4

SHA512
8e7fabd7260428e3030a4389a50170fe409f3000b588c82df28b5ba4d2cb208105836cf533ae01ace4ad3c4a4198cadd4c41d227d4e8e4d5765f163be3ac7975

Download Submit
memory/1740-159-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3144-133-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3144-142-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3144-136-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3144-134-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3144-135-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3172-150-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3172-151-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3172-158-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing