6af7df4f8250b9910aa139a2b27a93a4cdf332df8b19f96c42f2d88d84c0a97a

General

Target

6af7df4f8250b9910aa139a2b27a93a4cdf332df8b19f96c42f2d88d84c0a97a.exe
Size

336KB
MD5

4db63070962478128495071dee3ce1d6
SHA1

cc7d11becaf292032c22663a0647e1bb897133de
SHA256

6af7df4f8250b9910aa139a2b27a93a4cdf332df8b19f96c42f2d88d84c0a97a
SHA512

38730978ae68b4bd221cd9de415eddf37ef0e99a77d3b10258f625ecbb918fa5a7191b5bc10f48bd219731a89a7fe99a8a9fd873f5e31ccaf344ad78f8fb1e39
SSDEEP

6144:3IwfiY18uqrjJTnBFXpEUi7u46NrEZideXyW63F:3d1PqnFB/i7u4orEUdeiW63F

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3516	bQDMxC2u8TI.exe
1008	bQDMxC2u8TI.exe

Loads dropped DLL 4 IoCs

pid	Process
2976	6af7df4f8250b9910aa139a2b27a93a4cdf332df8b19f96c42f2d88d84c0a97a.exe
2976	6af7df4f8250b9910aa139a2b27a93a4cdf332df8b19f96c42f2d88d84c0a97a.exe
1008	bQDMxC2u8TI.exe
1008	bQDMxC2u8TI.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	6af7df4f8250b9910aa139a2b27a93a4cdf332df8b19f96c42f2d88d84c0a97a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\63Rjrk3yO9to3Hd = "C:\\ProgramData\\sveCR6GREg\\bQDMxC2u8TI.exe"	6af7df4f8250b9910aa139a2b27a93a4cdf332df8b19f96c42f2d88d84c0a97a.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5036 set thread context of 2976	5036	6af7df4f8250b9910aa139a2b27a93a4cdf332df8b19f96c42f2d88d84c0a97a.exe	81
PID 3516 set thread context of 1008	3516	bQDMxC2u8TI.exe	85
PID 1008 set thread context of 3756	1008	bQDMxC2u8TI.exe	87

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 2976	5036	6af7df4f8250b9910aa139a2b27a93a4cdf332df8b19f96c42f2d88d84c0a97a.exe	81
PID 5036 wrote to memory of 2976	5036	6af7df4f8250b9910aa139a2b27a93a4cdf332df8b19f96c42f2d88d84c0a97a.exe	81
PID 5036 wrote to memory of 2976	5036	6af7df4f8250b9910aa139a2b27a93a4cdf332df8b19f96c42f2d88d84c0a97a.exe	81
PID 5036 wrote to memory of 2976	5036	6af7df4f8250b9910aa139a2b27a93a4cdf332df8b19f96c42f2d88d84c0a97a.exe	81
PID 5036 wrote to memory of 2976	5036	6af7df4f8250b9910aa139a2b27a93a4cdf332df8b19f96c42f2d88d84c0a97a.exe	81
PID 2976 wrote to memory of 3516	2976	6af7df4f8250b9910aa139a2b27a93a4cdf332df8b19f96c42f2d88d84c0a97a.exe	82
PID 2976 wrote to memory of 3516	2976	6af7df4f8250b9910aa139a2b27a93a4cdf332df8b19f96c42f2d88d84c0a97a.exe	82
PID 2976 wrote to memory of 3516	2976	6af7df4f8250b9910aa139a2b27a93a4cdf332df8b19f96c42f2d88d84c0a97a.exe	82
PID 3516 wrote to memory of 1008	3516	bQDMxC2u8TI.exe	85
PID 3516 wrote to memory of 1008	3516	bQDMxC2u8TI.exe	85
PID 3516 wrote to memory of 1008	3516	bQDMxC2u8TI.exe	85
PID 3516 wrote to memory of 1008	3516	bQDMxC2u8TI.exe	85
PID 3516 wrote to memory of 1008	3516	bQDMxC2u8TI.exe	85
PID 1008 wrote to memory of 3756	1008	bQDMxC2u8TI.exe	87
PID 1008 wrote to memory of 3756	1008	bQDMxC2u8TI.exe	87
PID 1008 wrote to memory of 3756	1008	bQDMxC2u8TI.exe	87
PID 1008 wrote to memory of 3756	1008	bQDMxC2u8TI.exe	87
PID 1008 wrote to memory of 3756	1008	bQDMxC2u8TI.exe	87

C:\Users\Admin\AppData\Local\Temp\6af7df4f8250b9910aa139a2b27a93a4cdf332df8b19f96c42f2d88d84c0a97a.exe
"C:\Users\Admin\AppData\Local\Temp\6af7df4f8250b9910aa139a2b27a93a4cdf332df8b19f96c42f2d88d84c0a97a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\6af7df4f8250b9910aa139a2b27a93a4cdf332df8b19f96c42f2d88d84c0a97a.exe
  "C:\Users\Admin\AppData\Local\Temp\6af7df4f8250b9910aa139a2b27a93a4cdf332df8b19f96c42f2d88d84c0a97a.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\ProgramData\sveCR6GREg\bQDMxC2u8TI.exe
    "C:\ProgramData\sveCR6GREg\bQDMxC2u8TI.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\ProgramData\sveCR6GREg\bQDMxC2u8TI.exe
      "C:\ProgramData\sveCR6GREg\bQDMxC2u8TI.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1008
    - - C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateCore.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateCore.exe" /i:1008
        5⤵
        
        PID:3756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\sveCR6GREg\bQDMxC2u8TI.exe

Filesize
336KB

MD5
2e8b1e27e774fbbb9552e922000eb13b

SHA1
61f50dc9e65de0ea6e8f60c7a09d7057041819ee

SHA256
94388e96f68cd383730f73a4b2f463b019701ff8326cc08ffdf3e229efa22537

SHA512
8038beef5da28279343be1681a8caf65262ae10efd05d77c568b8cfa2c046eabcb38e35b3a014f109a016992bb466caa4fa373d4f1742242eb10150e0deaae5b

Download Submit
C:\ProgramData\sveCR6GREg\bQDMxC2u8TI.exe

Filesize
336KB

MD5
2e8b1e27e774fbbb9552e922000eb13b

SHA1
61f50dc9e65de0ea6e8f60c7a09d7057041819ee

SHA256
94388e96f68cd383730f73a4b2f463b019701ff8326cc08ffdf3e229efa22537

SHA512
8038beef5da28279343be1681a8caf65262ae10efd05d77c568b8cfa2c046eabcb38e35b3a014f109a016992bb466caa4fa373d4f1742242eb10150e0deaae5b

Download Submit
C:\ProgramData\sveCR6GREg\bQDMxC2u8TI.exe

Filesize
336KB

MD5
2e8b1e27e774fbbb9552e922000eb13b

SHA1
61f50dc9e65de0ea6e8f60c7a09d7057041819ee

SHA256
94388e96f68cd383730f73a4b2f463b019701ff8326cc08ffdf3e229efa22537

SHA512
8038beef5da28279343be1681a8caf65262ae10efd05d77c568b8cfa2c046eabcb38e35b3a014f109a016992bb466caa4fa373d4f1742242eb10150e0deaae5b

Download Submit
C:\ProgramData\sveCR6GREg\bQDMxC2u8TI.exe

Filesize
336KB

MD5
4db63070962478128495071dee3ce1d6

SHA1
cc7d11becaf292032c22663a0647e1bb897133de

SHA256
6af7df4f8250b9910aa139a2b27a93a4cdf332df8b19f96c42f2d88d84c0a97a

SHA512
38730978ae68b4bd221cd9de415eddf37ef0e99a77d3b10258f625ecbb918fa5a7191b5bc10f48bd219731a89a7fe99a8a9fd873f5e31ccaf344ad78f8fb1e39

Download Submit
C:\ProgramData\sveCR6GREg\bQDMxC2u8TI.exe

Filesize
336KB

MD5
4db63070962478128495071dee3ce1d6

SHA1
cc7d11becaf292032c22663a0647e1bb897133de

SHA256
6af7df4f8250b9910aa139a2b27a93a4cdf332df8b19f96c42f2d88d84c0a97a

SHA512
38730978ae68b4bd221cd9de415eddf37ef0e99a77d3b10258f625ecbb918fa5a7191b5bc10f48bd219731a89a7fe99a8a9fd873f5e31ccaf344ad78f8fb1e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIhELq6leNN.exe

Filesize
336KB

MD5
2e8b1e27e774fbbb9552e922000eb13b

SHA1
61f50dc9e65de0ea6e8f60c7a09d7057041819ee

SHA256
94388e96f68cd383730f73a4b2f463b019701ff8326cc08ffdf3e229efa22537

SHA512
8038beef5da28279343be1681a8caf65262ae10efd05d77c568b8cfa2c046eabcb38e35b3a014f109a016992bb466caa4fa373d4f1742242eb10150e0deaae5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIhELq6leNN.exe

Filesize
336KB

MD5
2e8b1e27e774fbbb9552e922000eb13b

SHA1
61f50dc9e65de0ea6e8f60c7a09d7057041819ee

SHA256
94388e96f68cd383730f73a4b2f463b019701ff8326cc08ffdf3e229efa22537

SHA512
8038beef5da28279343be1681a8caf65262ae10efd05d77c568b8cfa2c046eabcb38e35b3a014f109a016992bb466caa4fa373d4f1742242eb10150e0deaae5b

Download Submit
memory/1008-150-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1008-155-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2976-138-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2976-141-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2976-135-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2976-134-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2976-133-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3756-156-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3756-157-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing