66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff

General

Target

66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe
Size

375KB
MD5

8378b2f4882a9b61e019940785026797
SHA1

c2f3f68f5749fd1a82de626e2f07d15ba73ba200
SHA256

66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff
SHA512

c91903880e4b48f30060a3eccad8db7b53c8751750d4929c0829183c3b35fbe20e8dd0536fae9d141429d37f17067d56387f40ea55e4db3f2c4e3f808c9fa1a3
SSDEEP

6144:8Uvbxx27D7qzfe0gz/+PDQ6sNkJjBbTLbF58CVT2w:p+7n0feL/+Po29BbnbF5d9

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1236	dtTKd4MG.exe
1336	dtTKd4MG.exe

Deletes itself 1 IoCs

pid	Process
1336	dtTKd4MG.exe

Loads dropped DLL 4 IoCs

pid	Process
1076	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe
1076	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe
1076	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe
1336	dtTKd4MG.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeDCrG0cJZoJEtFI = "C:\\ProgramData\\ADqWYzDdIG0zm3Lj\\dtTKd4MG.exe"	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 864 set thread context of 1076	864	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe	27
PID 1236 set thread context of 1336	1236	dtTKd4MG.exe	29
PID 1336 set thread context of 1156	1336	dtTKd4MG.exe	30

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1076	864	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe	27
PID 864 wrote to memory of 1076	864	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe	27
PID 864 wrote to memory of 1076	864	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe	27
PID 864 wrote to memory of 1076	864	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe	27
PID 864 wrote to memory of 1076	864	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe	27
PID 864 wrote to memory of 1076	864	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe	27
PID 1076 wrote to memory of 1236	1076	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe	28
PID 1076 wrote to memory of 1236	1076	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe	28
PID 1076 wrote to memory of 1236	1076	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe	28
PID 1076 wrote to memory of 1236	1076	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe	28
PID 1236 wrote to memory of 1336	1236	dtTKd4MG.exe	29
PID 1236 wrote to memory of 1336	1236	dtTKd4MG.exe	29
PID 1236 wrote to memory of 1336	1236	dtTKd4MG.exe	29
PID 1236 wrote to memory of 1336	1236	dtTKd4MG.exe	29
PID 1236 wrote to memory of 1336	1236	dtTKd4MG.exe	29
PID 1236 wrote to memory of 1336	1236	dtTKd4MG.exe	29
PID 1336 wrote to memory of 1156	1336	dtTKd4MG.exe	30
PID 1336 wrote to memory of 1156	1336	dtTKd4MG.exe	30
PID 1336 wrote to memory of 1156	1336	dtTKd4MG.exe	30
PID 1336 wrote to memory of 1156	1336	dtTKd4MG.exe	30
PID 1336 wrote to memory of 1156	1336	dtTKd4MG.exe	30
PID 1336 wrote to memory of 1156	1336	dtTKd4MG.exe	30

C:\Users\Admin\AppData\Local\Temp\66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe
"C:\Users\Admin\AppData\Local\Temp\66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:864
- C:\Users\Admin\AppData\Local\Temp\66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe
  "C:\Users\Admin\AppData\Local\Temp\66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\ProgramData\ADqWYzDdIG0zm3Lj\dtTKd4MG.exe
    "C:\ProgramData\ADqWYzDdIG0zm3Lj\dtTKd4MG.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1236
  - - C:\ProgramData\ADqWYzDdIG0zm3Lj\dtTKd4MG.exe
      "C:\ProgramData\ADqWYzDdIG0zm3Lj\dtTKd4MG.exe"
      4⤵
      Executes dropped EXE
      Deletes itself
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1336
    - - C:\Program Files (x86)\Windows Media Player\WMPDMC.exe
        
        "C:\Program Files (x86)\Windows Media Player\WMPDMC.exe" /i:1336
        5⤵
        
        PID:1156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ADqWYzDdIG0zm3Lj\dtTKd4MG.exe

Filesize
375KB

MD5
302b550f6b440569a514941583db4713

SHA1
65ec6e2f835592015a9e1c641aa8a02d4009b75e

SHA256
bef7c06bb40cd9cedaf3dc930462b2d89ade594901a5d98b91fb53f799c22140

SHA512
339e92a5e52d1fe95b66d8905480f52dba8de255576236952f5bf3e80674364afdbf273fe2d011c7afab63b57aba956f8a6f672094d7aed766a121981901d87d

Download Submit
C:\ProgramData\ADqWYzDdIG0zm3Lj\dtTKd4MG.exe

Filesize
375KB

MD5
302b550f6b440569a514941583db4713

SHA1
65ec6e2f835592015a9e1c641aa8a02d4009b75e

SHA256
bef7c06bb40cd9cedaf3dc930462b2d89ade594901a5d98b91fb53f799c22140

SHA512
339e92a5e52d1fe95b66d8905480f52dba8de255576236952f5bf3e80674364afdbf273fe2d011c7afab63b57aba956f8a6f672094d7aed766a121981901d87d

Download Submit
C:\ProgramData\ADqWYzDdIG0zm3Lj\dtTKd4MG.exe

Filesize
375KB

MD5
302b550f6b440569a514941583db4713

SHA1
65ec6e2f835592015a9e1c641aa8a02d4009b75e

SHA256
bef7c06bb40cd9cedaf3dc930462b2d89ade594901a5d98b91fb53f799c22140

SHA512
339e92a5e52d1fe95b66d8905480f52dba8de255576236952f5bf3e80674364afdbf273fe2d011c7afab63b57aba956f8a6f672094d7aed766a121981901d87d

Download Submit
\ProgramData\ADqWYzDdIG0zm3Lj\dtTKd4MG.exe

Filesize
375KB

MD5
302b550f6b440569a514941583db4713

SHA1
65ec6e2f835592015a9e1c641aa8a02d4009b75e

SHA256
bef7c06bb40cd9cedaf3dc930462b2d89ade594901a5d98b91fb53f799c22140

SHA512
339e92a5e52d1fe95b66d8905480f52dba8de255576236952f5bf3e80674364afdbf273fe2d011c7afab63b57aba956f8a6f672094d7aed766a121981901d87d

Download Submit
\ProgramData\ADqWYzDdIG0zm3Lj\dtTKd4MG.exe

Filesize
375KB

MD5
302b550f6b440569a514941583db4713

SHA1
65ec6e2f835592015a9e1c641aa8a02d4009b75e

SHA256
bef7c06bb40cd9cedaf3dc930462b2d89ade594901a5d98b91fb53f799c22140

SHA512
339e92a5e52d1fe95b66d8905480f52dba8de255576236952f5bf3e80674364afdbf273fe2d011c7afab63b57aba956f8a6f672094d7aed766a121981901d87d

Download Submit
\ProgramData\ADqWYzDdIG0zm3Lj\dtTKd4MG.exe

Filesize
375KB

MD5
8378b2f4882a9b61e019940785026797

SHA1
c2f3f68f5749fd1a82de626e2f07d15ba73ba200

SHA256
66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff

SHA512
c91903880e4b48f30060a3eccad8db7b53c8751750d4929c0829183c3b35fbe20e8dd0536fae9d141429d37f17067d56387f40ea55e4db3f2c4e3f808c9fa1a3

Download Submit
\Users\Admin\AppData\Local\Temp\7mtykblF.exe

Filesize
375KB

MD5
302b550f6b440569a514941583db4713

SHA1
65ec6e2f835592015a9e1c641aa8a02d4009b75e

SHA256
bef7c06bb40cd9cedaf3dc930462b2d89ade594901a5d98b91fb53f799c22140

SHA512
339e92a5e52d1fe95b66d8905480f52dba8de255576236952f5bf3e80674364afdbf273fe2d011c7afab63b57aba956f8a6f672094d7aed766a121981901d87d

Download Submit
memory/1076-59-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1076-65-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1076-54-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1076-58-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1076-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1156-83-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1336-75-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1336-82-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing