60531f1b619b8d7c75cfc86e3deed8a2336b1c3448bb5b9e09a6aba1c3fd23f0

General

Target

60531f1b619b8d7c75cfc86e3deed8a2336b1c3448bb5b9e09a6aba1c3fd23f0.exe
Size

1.2MB
MD5

aefe8cf68c67edba7a03241ae9398943
SHA1

aed07207f214ae335e389baa5daca99fdf9d4e04
SHA256

60531f1b619b8d7c75cfc86e3deed8a2336b1c3448bb5b9e09a6aba1c3fd23f0
SHA512

4c9f4cc7cb283b394674e300d6a746eee2a9dde66686605b3c103128585879b525d515c09eeb336e805bfe54ff2f78972ab39c74f30ef32293198641d1ea3b55
SSDEEP

12288:wBv7uOLX0KrNe6gtU4fujB8AJIzXwDdkQPhI5ht0KsAWNkIk3qzv13tv:7eZrNt4fujjJYXReKgTk93kv13V

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1764	iuuxOcNRzBT.exe
1620	iuuxOcNRzBT.exe

Deletes itself 1 IoCs

pid	Process
1620	iuuxOcNRzBT.exe

Loads dropped DLL 4 IoCs

pid	Process
680	60531f1b619b8d7c75cfc86e3deed8a2336b1c3448bb5b9e09a6aba1c3fd23f0.exe
680	60531f1b619b8d7c75cfc86e3deed8a2336b1c3448bb5b9e09a6aba1c3fd23f0.exe
680	60531f1b619b8d7c75cfc86e3deed8a2336b1c3448bb5b9e09a6aba1c3fd23f0.exe
1620	iuuxOcNRzBT.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	60531f1b619b8d7c75cfc86e3deed8a2336b1c3448bb5b9e09a6aba1c3fd23f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\395p5Um3a = "C:\\ProgramData\\xXgTOHkim\\iuuxOcNRzBT.exe"	60531f1b619b8d7c75cfc86e3deed8a2336b1c3448bb5b9e09a6aba1c3fd23f0.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 596 set thread context of 680	596	60531f1b619b8d7c75cfc86e3deed8a2336b1c3448bb5b9e09a6aba1c3fd23f0.exe	28
PID 1764 set thread context of 1620	1764	iuuxOcNRzBT.exe	30
PID 1620 set thread context of 1752	1620	iuuxOcNRzBT.exe	31

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 596 wrote to memory of 680	596	60531f1b619b8d7c75cfc86e3deed8a2336b1c3448bb5b9e09a6aba1c3fd23f0.exe	28
PID 596 wrote to memory of 680	596	60531f1b619b8d7c75cfc86e3deed8a2336b1c3448bb5b9e09a6aba1c3fd23f0.exe	28
PID 596 wrote to memory of 680	596	60531f1b619b8d7c75cfc86e3deed8a2336b1c3448bb5b9e09a6aba1c3fd23f0.exe	28
PID 596 wrote to memory of 680	596	60531f1b619b8d7c75cfc86e3deed8a2336b1c3448bb5b9e09a6aba1c3fd23f0.exe	28
PID 596 wrote to memory of 680	596	60531f1b619b8d7c75cfc86e3deed8a2336b1c3448bb5b9e09a6aba1c3fd23f0.exe	28
PID 596 wrote to memory of 680	596	60531f1b619b8d7c75cfc86e3deed8a2336b1c3448bb5b9e09a6aba1c3fd23f0.exe	28
PID 680 wrote to memory of 1764	680	60531f1b619b8d7c75cfc86e3deed8a2336b1c3448bb5b9e09a6aba1c3fd23f0.exe	29
PID 680 wrote to memory of 1764	680	60531f1b619b8d7c75cfc86e3deed8a2336b1c3448bb5b9e09a6aba1c3fd23f0.exe	29
PID 680 wrote to memory of 1764	680	60531f1b619b8d7c75cfc86e3deed8a2336b1c3448bb5b9e09a6aba1c3fd23f0.exe	29
PID 680 wrote to memory of 1764	680	60531f1b619b8d7c75cfc86e3deed8a2336b1c3448bb5b9e09a6aba1c3fd23f0.exe	29
PID 1764 wrote to memory of 1620	1764	iuuxOcNRzBT.exe	30
PID 1764 wrote to memory of 1620	1764	iuuxOcNRzBT.exe	30
PID 1764 wrote to memory of 1620	1764	iuuxOcNRzBT.exe	30
PID 1764 wrote to memory of 1620	1764	iuuxOcNRzBT.exe	30
PID 1764 wrote to memory of 1620	1764	iuuxOcNRzBT.exe	30
PID 1764 wrote to memory of 1620	1764	iuuxOcNRzBT.exe	30
PID 1620 wrote to memory of 1752	1620	iuuxOcNRzBT.exe	31
PID 1620 wrote to memory of 1752	1620	iuuxOcNRzBT.exe	31
PID 1620 wrote to memory of 1752	1620	iuuxOcNRzBT.exe	31
PID 1620 wrote to memory of 1752	1620	iuuxOcNRzBT.exe	31
PID 1620 wrote to memory of 1752	1620	iuuxOcNRzBT.exe	31
PID 1620 wrote to memory of 1752	1620	iuuxOcNRzBT.exe	31

C:\Users\Admin\AppData\Local\Temp\60531f1b619b8d7c75cfc86e3deed8a2336b1c3448bb5b9e09a6aba1c3fd23f0.exe
"C:\Users\Admin\AppData\Local\Temp\60531f1b619b8d7c75cfc86e3deed8a2336b1c3448bb5b9e09a6aba1c3fd23f0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:596
- C:\Users\Admin\AppData\Local\Temp\60531f1b619b8d7c75cfc86e3deed8a2336b1c3448bb5b9e09a6aba1c3fd23f0.exe
  "C:\Users\Admin\AppData\Local\Temp\60531f1b619b8d7c75cfc86e3deed8a2336b1c3448bb5b9e09a6aba1c3fd23f0.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\ProgramData\xXgTOHkim\iuuxOcNRzBT.exe
    "C:\ProgramData\xXgTOHkim\iuuxOcNRzBT.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\ProgramData\xXgTOHkim\iuuxOcNRzBT.exe
      "C:\ProgramData\xXgTOHkim\iuuxOcNRzBT.exe"
      4⤵
      Executes dropped EXE
      Deletes itself
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe" /i:1620
        5⤵
        
        PID:1752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\xXgTOHkim\iuuxOcNRzBT.exe

Filesize
1.2MB

MD5
7426da65ec7f95f0f9d2123a6c7f6782

SHA1
2dc8641ddb25178e9b0b34ec9a5ceb364a30db79

SHA256
07389bb66c1dea00848e212312b223b5627f2bd484ac0b3754ba103777c0bc9e

SHA512
f877d443df0baf002f61b19e96cc8d8220890aed84ba3bfc16922d2a4bbc1dc173999f97ddebb112c81875a9f39f6f2e622cb0be1fc57e8decdf007f3054b923

Download Submit
C:\ProgramData\xXgTOHkim\iuuxOcNRzBT.exe

Filesize
1.2MB

MD5
7426da65ec7f95f0f9d2123a6c7f6782

SHA1
2dc8641ddb25178e9b0b34ec9a5ceb364a30db79

SHA256
07389bb66c1dea00848e212312b223b5627f2bd484ac0b3754ba103777c0bc9e

SHA512
f877d443df0baf002f61b19e96cc8d8220890aed84ba3bfc16922d2a4bbc1dc173999f97ddebb112c81875a9f39f6f2e622cb0be1fc57e8decdf007f3054b923

Download Submit
C:\ProgramData\xXgTOHkim\iuuxOcNRzBT.exe

Filesize
1.2MB

MD5
7426da65ec7f95f0f9d2123a6c7f6782

SHA1
2dc8641ddb25178e9b0b34ec9a5ceb364a30db79

SHA256
07389bb66c1dea00848e212312b223b5627f2bd484ac0b3754ba103777c0bc9e

SHA512
f877d443df0baf002f61b19e96cc8d8220890aed84ba3bfc16922d2a4bbc1dc173999f97ddebb112c81875a9f39f6f2e622cb0be1fc57e8decdf007f3054b923

Download Submit
\ProgramData\xXgTOHkim\iuuxOcNRzBT.exe

Filesize
1.2MB

MD5
7426da65ec7f95f0f9d2123a6c7f6782

SHA1
2dc8641ddb25178e9b0b34ec9a5ceb364a30db79

SHA256
07389bb66c1dea00848e212312b223b5627f2bd484ac0b3754ba103777c0bc9e

SHA512
f877d443df0baf002f61b19e96cc8d8220890aed84ba3bfc16922d2a4bbc1dc173999f97ddebb112c81875a9f39f6f2e622cb0be1fc57e8decdf007f3054b923

Download Submit
\ProgramData\xXgTOHkim\iuuxOcNRzBT.exe

Filesize
1.2MB

MD5
7426da65ec7f95f0f9d2123a6c7f6782

SHA1
2dc8641ddb25178e9b0b34ec9a5ceb364a30db79

SHA256
07389bb66c1dea00848e212312b223b5627f2bd484ac0b3754ba103777c0bc9e

SHA512
f877d443df0baf002f61b19e96cc8d8220890aed84ba3bfc16922d2a4bbc1dc173999f97ddebb112c81875a9f39f6f2e622cb0be1fc57e8decdf007f3054b923

Download Submit
\ProgramData\xXgTOHkim\iuuxOcNRzBT.exe

Filesize
1.2MB

MD5
aefe8cf68c67edba7a03241ae9398943

SHA1
aed07207f214ae335e389baa5daca99fdf9d4e04

SHA256
60531f1b619b8d7c75cfc86e3deed8a2336b1c3448bb5b9e09a6aba1c3fd23f0

SHA512
4c9f4cc7cb283b394674e300d6a746eee2a9dde66686605b3c103128585879b525d515c09eeb336e805bfe54ff2f78972ab39c74f30ef32293198641d1ea3b55

Download Submit
\Users\Admin\AppData\Local\Temp\Yo1SJYyVfJotPu1Y.exe

Filesize
1.2MB

MD5
7426da65ec7f95f0f9d2123a6c7f6782

SHA1
2dc8641ddb25178e9b0b34ec9a5ceb364a30db79

SHA256
07389bb66c1dea00848e212312b223b5627f2bd484ac0b3754ba103777c0bc9e

SHA512
f877d443df0baf002f61b19e96cc8d8220890aed84ba3bfc16922d2a4bbc1dc173999f97ddebb112c81875a9f39f6f2e622cb0be1fc57e8decdf007f3054b923

Download Submit
memory/596-54-0x0000000075151000-0x0000000075153000-memory.dmp

Filesize
8KB

Download
memory/680-55-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/680-61-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/680-59-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/680-60-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/680-68-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/680-57-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1620-78-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1620-79-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1620-86-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1752-87-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1752-88-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing