6313d69524ac481b704d72bf4f6d7b65a10710b5daa6a39e08026559f7e589da

General

Target

6313d69524ac481b704d72bf4f6d7b65a10710b5daa6a39e08026559f7e589da.exe
Size

411KB
MD5

721af4dcda17f229482d4fe6ab044c8a
SHA1

5c8da5b5c42f4868e42a39dfd5d09f68d181dffb
SHA256

6313d69524ac481b704d72bf4f6d7b65a10710b5daa6a39e08026559f7e589da
SHA512

8f0087daf0de7c07d67768848cfd918bd269a37048722b32472d4db81921d1e0582c6b11ca00e11a2c905d1d334d1eaf11ccaa883bb3d27781003f4e5fa721ca
SSDEEP

6144:9GK72ZpFpQ+kqVqd0b+bpq5beuldHHnbs2:9pAzOfqVqdJEFZdnw2

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4892	W81BNSpLFtMlszQt.exe
4968	W81BNSpLFtMlszQt.exe

Loads dropped DLL 4 IoCs

pid	Process
3884	6313d69524ac481b704d72bf4f6d7b65a10710b5daa6a39e08026559f7e589da.exe
3884	6313d69524ac481b704d72bf4f6d7b65a10710b5daa6a39e08026559f7e589da.exe
4968	W81BNSpLFtMlszQt.exe
4968	W81BNSpLFtMlszQt.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	6313d69524ac481b704d72bf4f6d7b65a10710b5daa6a39e08026559f7e589da.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2o3UJ6gyO4 = "C:\\ProgramData\\waMX3p9TiSdYxPXX\\W81BNSpLFtMlszQt.exe"	6313d69524ac481b704d72bf4f6d7b65a10710b5daa6a39e08026559f7e589da.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2500 set thread context of 3884	2500	6313d69524ac481b704d72bf4f6d7b65a10710b5daa6a39e08026559f7e589da.exe	81
PID 4892 set thread context of 4968	4892	W81BNSpLFtMlszQt.exe	83
PID 4968 set thread context of 3132	4968	W81BNSpLFtMlszQt.exe	87

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 3884	2500	6313d69524ac481b704d72bf4f6d7b65a10710b5daa6a39e08026559f7e589da.exe	81
PID 2500 wrote to memory of 3884	2500	6313d69524ac481b704d72bf4f6d7b65a10710b5daa6a39e08026559f7e589da.exe	81
PID 2500 wrote to memory of 3884	2500	6313d69524ac481b704d72bf4f6d7b65a10710b5daa6a39e08026559f7e589da.exe	81
PID 2500 wrote to memory of 3884	2500	6313d69524ac481b704d72bf4f6d7b65a10710b5daa6a39e08026559f7e589da.exe	81
PID 2500 wrote to memory of 3884	2500	6313d69524ac481b704d72bf4f6d7b65a10710b5daa6a39e08026559f7e589da.exe	81
PID 3884 wrote to memory of 4892	3884	6313d69524ac481b704d72bf4f6d7b65a10710b5daa6a39e08026559f7e589da.exe	82
PID 3884 wrote to memory of 4892	3884	6313d69524ac481b704d72bf4f6d7b65a10710b5daa6a39e08026559f7e589da.exe	82
PID 3884 wrote to memory of 4892	3884	6313d69524ac481b704d72bf4f6d7b65a10710b5daa6a39e08026559f7e589da.exe	82
PID 4892 wrote to memory of 4968	4892	W81BNSpLFtMlszQt.exe	83
PID 4892 wrote to memory of 4968	4892	W81BNSpLFtMlszQt.exe	83
PID 4892 wrote to memory of 4968	4892	W81BNSpLFtMlszQt.exe	83
PID 4892 wrote to memory of 4968	4892	W81BNSpLFtMlszQt.exe	83
PID 4892 wrote to memory of 4968	4892	W81BNSpLFtMlszQt.exe	83
PID 4968 wrote to memory of 1876	4968	W81BNSpLFtMlszQt.exe	84
PID 4968 wrote to memory of 1876	4968	W81BNSpLFtMlszQt.exe	84
PID 4968 wrote to memory of 1876	4968	W81BNSpLFtMlszQt.exe	84
PID 4968 wrote to memory of 3132	4968	W81BNSpLFtMlszQt.exe	87
PID 4968 wrote to memory of 3132	4968	W81BNSpLFtMlszQt.exe	87
PID 4968 wrote to memory of 3132	4968	W81BNSpLFtMlszQt.exe	87
PID 4968 wrote to memory of 3132	4968	W81BNSpLFtMlszQt.exe	87
PID 4968 wrote to memory of 3132	4968	W81BNSpLFtMlszQt.exe	87

C:\Users\Admin\AppData\Local\Temp\6313d69524ac481b704d72bf4f6d7b65a10710b5daa6a39e08026559f7e589da.exe
"C:\Users\Admin\AppData\Local\Temp\6313d69524ac481b704d72bf4f6d7b65a10710b5daa6a39e08026559f7e589da.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Local\Temp\6313d69524ac481b704d72bf4f6d7b65a10710b5daa6a39e08026559f7e589da.exe
  "C:\Users\Admin\AppData\Local\Temp\6313d69524ac481b704d72bf4f6d7b65a10710b5daa6a39e08026559f7e589da.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\ProgramData\waMX3p9TiSdYxPXX\W81BNSpLFtMlszQt.exe
    "C:\ProgramData\waMX3p9TiSdYxPXX\W81BNSpLFtMlszQt.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\ProgramData\waMX3p9TiSdYxPXX\W81BNSpLFtMlszQt.exe
      "C:\ProgramData\waMX3p9TiSdYxPXX\W81BNSpLFtMlszQt.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4968
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /i:4968
        5⤵
        
        PID:1876
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" /i:4968
        5⤵
        
        PID:3132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\waMX3p9TiSdYxPXX\W81BNSpLFtMlszQt.exe

Filesize
411KB

MD5
721af4dcda17f229482d4fe6ab044c8a

SHA1
5c8da5b5c42f4868e42a39dfd5d09f68d181dffb

SHA256
6313d69524ac481b704d72bf4f6d7b65a10710b5daa6a39e08026559f7e589da

SHA512
8f0087daf0de7c07d67768848cfd918bd269a37048722b32472d4db81921d1e0582c6b11ca00e11a2c905d1d334d1eaf11ccaa883bb3d27781003f4e5fa721ca

Download Submit
C:\ProgramData\waMX3p9TiSdYxPXX\W81BNSpLFtMlszQt.exe

Filesize
411KB

MD5
721af4dcda17f229482d4fe6ab044c8a

SHA1
5c8da5b5c42f4868e42a39dfd5d09f68d181dffb

SHA256
6313d69524ac481b704d72bf4f6d7b65a10710b5daa6a39e08026559f7e589da

SHA512
8f0087daf0de7c07d67768848cfd918bd269a37048722b32472d4db81921d1e0582c6b11ca00e11a2c905d1d334d1eaf11ccaa883bb3d27781003f4e5fa721ca

Download Submit
C:\ProgramData\waMX3p9TiSdYxPXX\W81BNSpLFtMlszQt.exe

Filesize
411KB

MD5
b1e994be03e86aa100fc065363cb2b12

SHA1
31f285d8ea16c63e86b9f47fab759bf2f4bc0b6e

SHA256
99655c67af2ab305495ab94fc7cbd820384a9d3685ae120e98f5d4dba281e24a

SHA512
2c8b2c64794a11b60837f4fe3b99680883bdf60923517be293e0010ced2e191638c43933bb9ea26f96d8da155439b5d5bbc223b755b1e03f468300060ac11ed0

Download Submit
C:\ProgramData\waMX3p9TiSdYxPXX\W81BNSpLFtMlszQt.exe

Filesize
411KB

MD5
b1e994be03e86aa100fc065363cb2b12

SHA1
31f285d8ea16c63e86b9f47fab759bf2f4bc0b6e

SHA256
99655c67af2ab305495ab94fc7cbd820384a9d3685ae120e98f5d4dba281e24a

SHA512
2c8b2c64794a11b60837f4fe3b99680883bdf60923517be293e0010ced2e191638c43933bb9ea26f96d8da155439b5d5bbc223b755b1e03f468300060ac11ed0

Download Submit
C:\ProgramData\waMX3p9TiSdYxPXX\W81BNSpLFtMlszQt.exe

Filesize
411KB

MD5
b1e994be03e86aa100fc065363cb2b12

SHA1
31f285d8ea16c63e86b9f47fab759bf2f4bc0b6e

SHA256
99655c67af2ab305495ab94fc7cbd820384a9d3685ae120e98f5d4dba281e24a

SHA512
2c8b2c64794a11b60837f4fe3b99680883bdf60923517be293e0010ced2e191638c43933bb9ea26f96d8da155439b5d5bbc223b755b1e03f468300060ac11ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AfrHgeCFT.exe

Filesize
411KB

MD5
b1e994be03e86aa100fc065363cb2b12

SHA1
31f285d8ea16c63e86b9f47fab759bf2f4bc0b6e

SHA256
99655c67af2ab305495ab94fc7cbd820384a9d3685ae120e98f5d4dba281e24a

SHA512
2c8b2c64794a11b60837f4fe3b99680883bdf60923517be293e0010ced2e191638c43933bb9ea26f96d8da155439b5d5bbc223b755b1e03f468300060ac11ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AfrHgeCFT.exe

Filesize
411KB

MD5
b1e994be03e86aa100fc065363cb2b12

SHA1
31f285d8ea16c63e86b9f47fab759bf2f4bc0b6e

SHA256
99655c67af2ab305495ab94fc7cbd820384a9d3685ae120e98f5d4dba281e24a

SHA512
2c8b2c64794a11b60837f4fe3b99680883bdf60923517be293e0010ced2e191638c43933bb9ea26f96d8da155439b5d5bbc223b755b1e03f468300060ac11ed0

Download Submit
memory/3132-159-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3884-142-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3884-136-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3884-135-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3884-134-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3884-133-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4968-150-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4968-151-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4968-158-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing