804d63a3c1894de2ec39a39bfbeccc36477ff7ff34e9c0cddf7d508656098dd3

General

Target

804d63a3c1894de2ec39a39bfbeccc36477ff7ff34e9c0cddf7d508656098dd3.exe
Size

93KB
MD5

eed25ae37942fe12fc981abd036b7018
SHA1

576dc47e9fc78e0b9a4254f6b292d0ca0509e2ae
SHA256

804d63a3c1894de2ec39a39bfbeccc36477ff7ff34e9c0cddf7d508656098dd3
SHA512

3d05d1a7c08be2bb38e7375e6ba0b8455177f93943e874c7ca0434f22c7081472c365e958c92d6babf618eeed38b10813389da11a6d0450e77d99683ad51f9ec
SSDEEP

1536:Na0sbCi+sH4cyozX/wBXI7OVzPHCNI41vK/n4VSEVXJS8x42DWlUH:Na0AJHX/wWCBiCSvK/4VSe5O2DWlI

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2204	update.exe
4544	update.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	804d63a3c1894de2ec39a39bfbeccc36477ff7ff34e9c0cddf7d508656098dd3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Services = "update.exe"	804d63a3c1894de2ec39a39bfbeccc36477ff7ff34e9c0cddf7d508656098dd3.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4984 set thread context of 4944	4984	804d63a3c1894de2ec39a39bfbeccc36477ff7ff34e9c0cddf7d508656098dd3.exe	82
PID 2204 set thread context of 4544	2204	update.exe	84

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\update.exe	804d63a3c1894de2ec39a39bfbeccc36477ff7ff34e9c0cddf7d508656098dd3.exe
File created	C:\Windows\update.exe	804d63a3c1894de2ec39a39bfbeccc36477ff7ff34e9c0cddf7d508656098dd3.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 4944	4984	804d63a3c1894de2ec39a39bfbeccc36477ff7ff34e9c0cddf7d508656098dd3.exe	82
PID 4984 wrote to memory of 4944	4984	804d63a3c1894de2ec39a39bfbeccc36477ff7ff34e9c0cddf7d508656098dd3.exe	82
PID 4984 wrote to memory of 4944	4984	804d63a3c1894de2ec39a39bfbeccc36477ff7ff34e9c0cddf7d508656098dd3.exe	82
PID 4984 wrote to memory of 4944	4984	804d63a3c1894de2ec39a39bfbeccc36477ff7ff34e9c0cddf7d508656098dd3.exe	82
PID 4984 wrote to memory of 4944	4984	804d63a3c1894de2ec39a39bfbeccc36477ff7ff34e9c0cddf7d508656098dd3.exe	82
PID 4944 wrote to memory of 2204	4944	804d63a3c1894de2ec39a39bfbeccc36477ff7ff34e9c0cddf7d508656098dd3.exe	83
PID 4944 wrote to memory of 2204	4944	804d63a3c1894de2ec39a39bfbeccc36477ff7ff34e9c0cddf7d508656098dd3.exe	83
PID 4944 wrote to memory of 2204	4944	804d63a3c1894de2ec39a39bfbeccc36477ff7ff34e9c0cddf7d508656098dd3.exe	83
PID 2204 wrote to memory of 4544	2204	update.exe	84
PID 2204 wrote to memory of 4544	2204	update.exe	84
PID 2204 wrote to memory of 4544	2204	update.exe	84
PID 2204 wrote to memory of 4544	2204	update.exe	84
PID 2204 wrote to memory of 4544	2204	update.exe	84

C:\Users\Admin\AppData\Local\Temp\804d63a3c1894de2ec39a39bfbeccc36477ff7ff34e9c0cddf7d508656098dd3.exe
"C:\Users\Admin\AppData\Local\Temp\804d63a3c1894de2ec39a39bfbeccc36477ff7ff34e9c0cddf7d508656098dd3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Users\Admin\AppData\Local\Temp\804d63a3c1894de2ec39a39bfbeccc36477ff7ff34e9c0cddf7d508656098dd3.exe
  C:\Users\Admin\AppData\Local\Temp\804d63a3c1894de2ec39a39bfbeccc36477ff7ff34e9c0cddf7d508656098dd3.exe
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\update.exe
    "C:\Windows\update.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Windows\update.exe
      C:\Windows\update.exe
      4⤵
      Executes dropped EXE
      PID:4544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\update.exe

Filesize
93KB

MD5
eed25ae37942fe12fc981abd036b7018

SHA1
576dc47e9fc78e0b9a4254f6b292d0ca0509e2ae

SHA256
804d63a3c1894de2ec39a39bfbeccc36477ff7ff34e9c0cddf7d508656098dd3

SHA512
3d05d1a7c08be2bb38e7375e6ba0b8455177f93943e874c7ca0434f22c7081472c365e958c92d6babf618eeed38b10813389da11a6d0450e77d99683ad51f9ec

Download Submit
C:\Windows\update.exe

Filesize
93KB

MD5
eed25ae37942fe12fc981abd036b7018

SHA1
576dc47e9fc78e0b9a4254f6b292d0ca0509e2ae

SHA256
804d63a3c1894de2ec39a39bfbeccc36477ff7ff34e9c0cddf7d508656098dd3

SHA512
3d05d1a7c08be2bb38e7375e6ba0b8455177f93943e874c7ca0434f22c7081472c365e958c92d6babf618eeed38b10813389da11a6d0450e77d99683ad51f9ec

Download Submit
C:\Windows\update.exe

Filesize
93KB

MD5
eed25ae37942fe12fc981abd036b7018

SHA1
576dc47e9fc78e0b9a4254f6b292d0ca0509e2ae

SHA256
804d63a3c1894de2ec39a39bfbeccc36477ff7ff34e9c0cddf7d508656098dd3

SHA512
3d05d1a7c08be2bb38e7375e6ba0b8455177f93943e874c7ca0434f22c7081472c365e958c92d6babf618eeed38b10813389da11a6d0450e77d99683ad51f9ec

Download Submit
memory/2204-152-0x0000000000010000-0x0000000000044000-memory.dmp

Filesize
208KB

Download
memory/4544-155-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4544-156-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4944-139-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4944-140-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4944-141-0x0000000000010000-0x0000000000044000-memory.dmp

Filesize
208KB

Download
memory/4944-136-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4944-154-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4984-137-0x0000000000010000-0x0000000000044000-memory.dmp

Filesize
208KB

Download
memory/4984-132-0x0000000000010000-0x0000000000044000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing