66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff

General

Target

66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe
Size

375KB
MD5

8378b2f4882a9b61e019940785026797
SHA1

c2f3f68f5749fd1a82de626e2f07d15ba73ba200
SHA256

66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff
SHA512

c91903880e4b48f30060a3eccad8db7b53c8751750d4929c0829183c3b35fbe20e8dd0536fae9d141429d37f17067d56387f40ea55e4db3f2c4e3f808c9fa1a3
SSDEEP

6144:8Uvbxx27D7qzfe0gz/+PDQ6sNkJjBbTLbF58CVT2w:p+7n0feL/+Po29BbnbF5d9

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2928	28jky204Vl7M0NRx.exe
3900	28jky204Vl7M0NRx.exe

Loads dropped DLL 4 IoCs

pid	Process
3572	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe
3572	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe
3900	28jky204Vl7M0NRx.exe
3900	28jky204Vl7M0NRx.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GNv32poOrbixjfb = "C:\\ProgramData\\oDLp9KtP\\28jky204Vl7M0NRx.exe"	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1832 set thread context of 3572	1832	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe	82
PID 2928 set thread context of 3900	2928	28jky204Vl7M0NRx.exe	88
PID 3900 set thread context of 4192	3900	28jky204Vl7M0NRx.exe	90

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 3572	1832	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe	82
PID 1832 wrote to memory of 3572	1832	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe	82
PID 1832 wrote to memory of 3572	1832	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe	82
PID 1832 wrote to memory of 3572	1832	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe	82
PID 1832 wrote to memory of 3572	1832	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe	82
PID 3572 wrote to memory of 2928	3572	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe	86
PID 3572 wrote to memory of 2928	3572	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe	86
PID 3572 wrote to memory of 2928	3572	66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe	86
PID 2928 wrote to memory of 3900	2928	28jky204Vl7M0NRx.exe	88
PID 2928 wrote to memory of 3900	2928	28jky204Vl7M0NRx.exe	88
PID 2928 wrote to memory of 3900	2928	28jky204Vl7M0NRx.exe	88
PID 2928 wrote to memory of 3900	2928	28jky204Vl7M0NRx.exe	88
PID 2928 wrote to memory of 3900	2928	28jky204Vl7M0NRx.exe	88
PID 3900 wrote to memory of 4192	3900	28jky204Vl7M0NRx.exe	90
PID 3900 wrote to memory of 4192	3900	28jky204Vl7M0NRx.exe	90
PID 3900 wrote to memory of 4192	3900	28jky204Vl7M0NRx.exe	90
PID 3900 wrote to memory of 4192	3900	28jky204Vl7M0NRx.exe	90
PID 3900 wrote to memory of 4192	3900	28jky204Vl7M0NRx.exe	90

C:\Users\Admin\AppData\Local\Temp\66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe
"C:\Users\Admin\AppData\Local\Temp\66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Users\Admin\AppData\Local\Temp\66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe
  "C:\Users\Admin\AppData\Local\Temp\66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\ProgramData\oDLp9KtP\28jky204Vl7M0NRx.exe
    "C:\ProgramData\oDLp9KtP\28jky204Vl7M0NRx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\ProgramData\oDLp9KtP\28jky204Vl7M0NRx.exe
      "C:\ProgramData\oDLp9KtP\28jky204Vl7M0NRx.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3900
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe" /i:3900
        5⤵
        
        PID:4192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\oDLp9KtP\28jky204Vl7M0NRx.exe

Filesize
375KB

MD5
39978c8df1a1189bcb0c55f4fa84d3e4

SHA1
025609863d74428ab5e71db28f1bfc788836bfce

SHA256
5d4fd426462747c4955cd45d141c3169fd700c97ac32ed37140ac79b9c83191a

SHA512
868e1a1fbc12c335dd32983d8e21c2478728f5b921c8c76e4b8969932b4c7cf534877d86475af21d8774432767da9bedcacc9718242f5d96c1ae05c8763bc97e

Download Submit
C:\ProgramData\oDLp9KtP\28jky204Vl7M0NRx.exe

Filesize
375KB

MD5
39978c8df1a1189bcb0c55f4fa84d3e4

SHA1
025609863d74428ab5e71db28f1bfc788836bfce

SHA256
5d4fd426462747c4955cd45d141c3169fd700c97ac32ed37140ac79b9c83191a

SHA512
868e1a1fbc12c335dd32983d8e21c2478728f5b921c8c76e4b8969932b4c7cf534877d86475af21d8774432767da9bedcacc9718242f5d96c1ae05c8763bc97e

Download Submit
C:\ProgramData\oDLp9KtP\28jky204Vl7M0NRx.exe

Filesize
375KB

MD5
39978c8df1a1189bcb0c55f4fa84d3e4

SHA1
025609863d74428ab5e71db28f1bfc788836bfce

SHA256
5d4fd426462747c4955cd45d141c3169fd700c97ac32ed37140ac79b9c83191a

SHA512
868e1a1fbc12c335dd32983d8e21c2478728f5b921c8c76e4b8969932b4c7cf534877d86475af21d8774432767da9bedcacc9718242f5d96c1ae05c8763bc97e

Download Submit
C:\ProgramData\oDLp9KtP\28jky204Vl7M0NRx.exe

Filesize
375KB

MD5
8378b2f4882a9b61e019940785026797

SHA1
c2f3f68f5749fd1a82de626e2f07d15ba73ba200

SHA256
66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff

SHA512
c91903880e4b48f30060a3eccad8db7b53c8751750d4929c0829183c3b35fbe20e8dd0536fae9d141429d37f17067d56387f40ea55e4db3f2c4e3f808c9fa1a3

Download Submit
C:\ProgramData\oDLp9KtP\28jky204Vl7M0NRx.exe

Filesize
375KB

MD5
8378b2f4882a9b61e019940785026797

SHA1
c2f3f68f5749fd1a82de626e2f07d15ba73ba200

SHA256
66674b58fcd2f2ba45bc0ce7ede7d78c0f811808ba7c837c882a2b9e487edaff

SHA512
c91903880e4b48f30060a3eccad8db7b53c8751750d4929c0829183c3b35fbe20e8dd0536fae9d141429d37f17067d56387f40ea55e4db3f2c4e3f808c9fa1a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zTZcxeJzrSV.exe

Filesize
375KB

MD5
39978c8df1a1189bcb0c55f4fa84d3e4

SHA1
025609863d74428ab5e71db28f1bfc788836bfce

SHA256
5d4fd426462747c4955cd45d141c3169fd700c97ac32ed37140ac79b9c83191a

SHA512
868e1a1fbc12c335dd32983d8e21c2478728f5b921c8c76e4b8969932b4c7cf534877d86475af21d8774432767da9bedcacc9718242f5d96c1ae05c8763bc97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zTZcxeJzrSV.exe

Filesize
375KB

MD5
39978c8df1a1189bcb0c55f4fa84d3e4

SHA1
025609863d74428ab5e71db28f1bfc788836bfce

SHA256
5d4fd426462747c4955cd45d141c3169fd700c97ac32ed37140ac79b9c83191a

SHA512
868e1a1fbc12c335dd32983d8e21c2478728f5b921c8c76e4b8969932b4c7cf534877d86475af21d8774432767da9bedcacc9718242f5d96c1ae05c8763bc97e

Download Submit
memory/3572-133-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3572-136-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3572-135-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3572-142-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3572-134-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3572-139-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3900-151-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3900-152-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3900-159-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4192-158-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4192-160-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing