730243200dcf1c2bb4af6de8cc6714ec18e0953552558ab2f16f9f5333d10a7e

General

Target

730243200dcf1c2bb4af6de8cc6714ec18e0953552558ab2f16f9f5333d10a7e.exe
Size

454KB
MD5

4ed3ce2511f5c6aa47e9d24add6bed61
SHA1

7ad0e32073ae935a26a7f2619581a5c0295a6ddb
SHA256

730243200dcf1c2bb4af6de8cc6714ec18e0953552558ab2f16f9f5333d10a7e
SHA512

8a056eec53346ad45b48eea2c9349f821aa0cb692d79772f14270a30d21b9fa18fdffedace436be70d21e658017d057810e954561b79ffef9ac72b9f204fb531
SSDEEP

6144:o2Kgo6ZWWeT0v1hX9ExB7xAybCBxm6Dn9zonpOiqHZOGMu6wEe3:o96ZWWx237+ybGNonppyZOGMRwEe

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1492	gxqL4BeCpSIde9L.exe
1476	gxqL4BeCpSIde9L.exe

Deletes itself 1 IoCs

pid	Process
1476	gxqL4BeCpSIde9L.exe

Loads dropped DLL 4 IoCs

pid	Process
1520	730243200dcf1c2bb4af6de8cc6714ec18e0953552558ab2f16f9f5333d10a7e.exe
1520	730243200dcf1c2bb4af6de8cc6714ec18e0953552558ab2f16f9f5333d10a7e.exe
1520	730243200dcf1c2bb4af6de8cc6714ec18e0953552558ab2f16f9f5333d10a7e.exe
1476	gxqL4BeCpSIde9L.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	730243200dcf1c2bb4af6de8cc6714ec18e0953552558ab2f16f9f5333d10a7e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\KKAUUnnEg64j = "C:\\ProgramData\\X22fKG6262uF\\gxqL4BeCpSIde9L.exe"	730243200dcf1c2bb4af6de8cc6714ec18e0953552558ab2f16f9f5333d10a7e.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1668 set thread context of 1520	1668	730243200dcf1c2bb4af6de8cc6714ec18e0953552558ab2f16f9f5333d10a7e.exe	28
PID 1492 set thread context of 1476	1492	gxqL4BeCpSIde9L.exe	30
PID 1476 set thread context of 668	1476	gxqL4BeCpSIde9L.exe	31

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 1520	1668	730243200dcf1c2bb4af6de8cc6714ec18e0953552558ab2f16f9f5333d10a7e.exe	28
PID 1668 wrote to memory of 1520	1668	730243200dcf1c2bb4af6de8cc6714ec18e0953552558ab2f16f9f5333d10a7e.exe	28
PID 1668 wrote to memory of 1520	1668	730243200dcf1c2bb4af6de8cc6714ec18e0953552558ab2f16f9f5333d10a7e.exe	28
PID 1668 wrote to memory of 1520	1668	730243200dcf1c2bb4af6de8cc6714ec18e0953552558ab2f16f9f5333d10a7e.exe	28
PID 1668 wrote to memory of 1520	1668	730243200dcf1c2bb4af6de8cc6714ec18e0953552558ab2f16f9f5333d10a7e.exe	28
PID 1668 wrote to memory of 1520	1668	730243200dcf1c2bb4af6de8cc6714ec18e0953552558ab2f16f9f5333d10a7e.exe	28
PID 1520 wrote to memory of 1492	1520	730243200dcf1c2bb4af6de8cc6714ec18e0953552558ab2f16f9f5333d10a7e.exe	29
PID 1520 wrote to memory of 1492	1520	730243200dcf1c2bb4af6de8cc6714ec18e0953552558ab2f16f9f5333d10a7e.exe	29
PID 1520 wrote to memory of 1492	1520	730243200dcf1c2bb4af6de8cc6714ec18e0953552558ab2f16f9f5333d10a7e.exe	29
PID 1520 wrote to memory of 1492	1520	730243200dcf1c2bb4af6de8cc6714ec18e0953552558ab2f16f9f5333d10a7e.exe	29
PID 1492 wrote to memory of 1476	1492	gxqL4BeCpSIde9L.exe	30
PID 1492 wrote to memory of 1476	1492	gxqL4BeCpSIde9L.exe	30
PID 1492 wrote to memory of 1476	1492	gxqL4BeCpSIde9L.exe	30
PID 1492 wrote to memory of 1476	1492	gxqL4BeCpSIde9L.exe	30
PID 1492 wrote to memory of 1476	1492	gxqL4BeCpSIde9L.exe	30
PID 1492 wrote to memory of 1476	1492	gxqL4BeCpSIde9L.exe	30
PID 1476 wrote to memory of 668	1476	gxqL4BeCpSIde9L.exe	31
PID 1476 wrote to memory of 668	1476	gxqL4BeCpSIde9L.exe	31
PID 1476 wrote to memory of 668	1476	gxqL4BeCpSIde9L.exe	31
PID 1476 wrote to memory of 668	1476	gxqL4BeCpSIde9L.exe	31
PID 1476 wrote to memory of 668	1476	gxqL4BeCpSIde9L.exe	31
PID 1476 wrote to memory of 668	1476	gxqL4BeCpSIde9L.exe	31

C:\Users\Admin\AppData\Local\Temp\730243200dcf1c2bb4af6de8cc6714ec18e0953552558ab2f16f9f5333d10a7e.exe
"C:\Users\Admin\AppData\Local\Temp\730243200dcf1c2bb4af6de8cc6714ec18e0953552558ab2f16f9f5333d10a7e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\730243200dcf1c2bb4af6de8cc6714ec18e0953552558ab2f16f9f5333d10a7e.exe
  "C:\Users\Admin\AppData\Local\Temp\730243200dcf1c2bb4af6de8cc6714ec18e0953552558ab2f16f9f5333d10a7e.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\ProgramData\X22fKG6262uF\gxqL4BeCpSIde9L.exe
    "C:\ProgramData\X22fKG6262uF\gxqL4BeCpSIde9L.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\ProgramData\X22fKG6262uF\gxqL4BeCpSIde9L.exe
      "C:\ProgramData\X22fKG6262uF\gxqL4BeCpSIde9L.exe"
      4⤵
      Executes dropped EXE
      Deletes itself
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1476
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe" /i:1476
        5⤵
        
        PID:668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\X22fKG6262uF\gxqL4BeCpSIde9L.exe

Filesize
454KB

MD5
09fa8644317eae8fee28ac27ee5fcf2a

SHA1
df8fde3c42faf064bc0d92b4886ea4691a667102

SHA256
9db9136916040923fcb7a698f36395eba7f3f6e8b7a47b00459d9fdaa63851d0

SHA512
7faaa901f0ff26586a0bb04b3028e8a62cc151a6a18dbe4441db28885aa649c0ff0aff29b79b3b6c89e1c400b4c5b211584aa0d94db3ce8b10eba58264d1dc33

Download Submit
C:\ProgramData\X22fKG6262uF\gxqL4BeCpSIde9L.exe

Filesize
454KB

MD5
09fa8644317eae8fee28ac27ee5fcf2a

SHA1
df8fde3c42faf064bc0d92b4886ea4691a667102

SHA256
9db9136916040923fcb7a698f36395eba7f3f6e8b7a47b00459d9fdaa63851d0

SHA512
7faaa901f0ff26586a0bb04b3028e8a62cc151a6a18dbe4441db28885aa649c0ff0aff29b79b3b6c89e1c400b4c5b211584aa0d94db3ce8b10eba58264d1dc33

Download Submit
C:\ProgramData\X22fKG6262uF\gxqL4BeCpSIde9L.exe

Filesize
454KB

MD5
09fa8644317eae8fee28ac27ee5fcf2a

SHA1
df8fde3c42faf064bc0d92b4886ea4691a667102

SHA256
9db9136916040923fcb7a698f36395eba7f3f6e8b7a47b00459d9fdaa63851d0

SHA512
7faaa901f0ff26586a0bb04b3028e8a62cc151a6a18dbe4441db28885aa649c0ff0aff29b79b3b6c89e1c400b4c5b211584aa0d94db3ce8b10eba58264d1dc33

Download Submit
\ProgramData\X22fKG6262uF\gxqL4BeCpSIde9L.exe

Filesize
454KB

MD5
09fa8644317eae8fee28ac27ee5fcf2a

SHA1
df8fde3c42faf064bc0d92b4886ea4691a667102

SHA256
9db9136916040923fcb7a698f36395eba7f3f6e8b7a47b00459d9fdaa63851d0

SHA512
7faaa901f0ff26586a0bb04b3028e8a62cc151a6a18dbe4441db28885aa649c0ff0aff29b79b3b6c89e1c400b4c5b211584aa0d94db3ce8b10eba58264d1dc33

Download Submit
\ProgramData\X22fKG6262uF\gxqL4BeCpSIde9L.exe

Filesize
454KB

MD5
09fa8644317eae8fee28ac27ee5fcf2a

SHA1
df8fde3c42faf064bc0d92b4886ea4691a667102

SHA256
9db9136916040923fcb7a698f36395eba7f3f6e8b7a47b00459d9fdaa63851d0

SHA512
7faaa901f0ff26586a0bb04b3028e8a62cc151a6a18dbe4441db28885aa649c0ff0aff29b79b3b6c89e1c400b4c5b211584aa0d94db3ce8b10eba58264d1dc33

Download Submit
\ProgramData\X22fKG6262uF\gxqL4BeCpSIde9L.exe

Filesize
454KB

MD5
4ed3ce2511f5c6aa47e9d24add6bed61

SHA1
7ad0e32073ae935a26a7f2619581a5c0295a6ddb

SHA256
730243200dcf1c2bb4af6de8cc6714ec18e0953552558ab2f16f9f5333d10a7e

SHA512
8a056eec53346ad45b48eea2c9349f821aa0cb692d79772f14270a30d21b9fa18fdffedace436be70d21e658017d057810e954561b79ffef9ac72b9f204fb531

Download Submit
\Users\Admin\AppData\Local\Temp\TYYZJhHxV40oJgx.exe

Filesize
454KB

MD5
09fa8644317eae8fee28ac27ee5fcf2a

SHA1
df8fde3c42faf064bc0d92b4886ea4691a667102

SHA256
9db9136916040923fcb7a698f36395eba7f3f6e8b7a47b00459d9fdaa63851d0

SHA512
7faaa901f0ff26586a0bb04b3028e8a62cc151a6a18dbe4441db28885aa649c0ff0aff29b79b3b6c89e1c400b4c5b211584aa0d94db3ce8b10eba58264d1dc33

Download Submit
memory/668-86-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/668-85-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1476-75-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1476-77-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1476-84-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1520-66-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1520-60-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1520-54-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1520-59-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1520-58-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1520-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing