2d6fc2a4cab93c3d4566a5acfa8311c9ab0b9915cd19e66fa7b8f2140a214236

General

Target

2d6fc2a4cab93c3d4566a5acfa8311c9ab0b9915cd19e66fa7b8f2140a214236.exe
Size

267KB
MD5

1e7f33ab7b2afd6ad43db35218c2a920
SHA1

5c86f0e35cb0c828fec223ae975275980c03b21b
SHA256

2d6fc2a4cab93c3d4566a5acfa8311c9ab0b9915cd19e66fa7b8f2140a214236
SHA512

e723fadfa182eff0c5d36a3169393a8bfea84dcf595a4a425d9937f920a4aba9847f3a43b83ca52a60e1a235aff7d51aa97d6c309ffcf410aa0234999d084549
SSDEEP

6144:KxZacIb6dRk68ciOXPSLy4IOcDYCNMiZICI5:KpRk6tiOXR4Jc8RiI

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4576	GAicO2ux.exe
1508	GAicO2ux.exe

Loads dropped DLL 4 IoCs

pid	Process
1964	2d6fc2a4cab93c3d4566a5acfa8311c9ab0b9915cd19e66fa7b8f2140a214236.exe
1964	2d6fc2a4cab93c3d4566a5acfa8311c9ab0b9915cd19e66fa7b8f2140a214236.exe
1508	GAicO2ux.exe
1508	GAicO2ux.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	2d6fc2a4cab93c3d4566a5acfa8311c9ab0b9915cd19e66fa7b8f2140a214236.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\z0023DFo = "C:\\ProgramData\\f64KTabkTRj\\GAicO2ux.exe"	2d6fc2a4cab93c3d4566a5acfa8311c9ab0b9915cd19e66fa7b8f2140a214236.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 848 set thread context of 1964	848	2d6fc2a4cab93c3d4566a5acfa8311c9ab0b9915cd19e66fa7b8f2140a214236.exe	84
PID 4576 set thread context of 1508	4576	GAicO2ux.exe	86
PID 1508 set thread context of 4500	1508	GAicO2ux.exe	87

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 1964	848	2d6fc2a4cab93c3d4566a5acfa8311c9ab0b9915cd19e66fa7b8f2140a214236.exe	84
PID 848 wrote to memory of 1964	848	2d6fc2a4cab93c3d4566a5acfa8311c9ab0b9915cd19e66fa7b8f2140a214236.exe	84
PID 848 wrote to memory of 1964	848	2d6fc2a4cab93c3d4566a5acfa8311c9ab0b9915cd19e66fa7b8f2140a214236.exe	84
PID 848 wrote to memory of 1964	848	2d6fc2a4cab93c3d4566a5acfa8311c9ab0b9915cd19e66fa7b8f2140a214236.exe	84
PID 848 wrote to memory of 1964	848	2d6fc2a4cab93c3d4566a5acfa8311c9ab0b9915cd19e66fa7b8f2140a214236.exe	84
PID 1964 wrote to memory of 4576	1964	2d6fc2a4cab93c3d4566a5acfa8311c9ab0b9915cd19e66fa7b8f2140a214236.exe	85
PID 1964 wrote to memory of 4576	1964	2d6fc2a4cab93c3d4566a5acfa8311c9ab0b9915cd19e66fa7b8f2140a214236.exe	85
PID 1964 wrote to memory of 4576	1964	2d6fc2a4cab93c3d4566a5acfa8311c9ab0b9915cd19e66fa7b8f2140a214236.exe	85
PID 4576 wrote to memory of 1508	4576	GAicO2ux.exe	86
PID 4576 wrote to memory of 1508	4576	GAicO2ux.exe	86
PID 4576 wrote to memory of 1508	4576	GAicO2ux.exe	86
PID 4576 wrote to memory of 1508	4576	GAicO2ux.exe	86
PID 4576 wrote to memory of 1508	4576	GAicO2ux.exe	86
PID 1508 wrote to memory of 4500	1508	GAicO2ux.exe	87
PID 1508 wrote to memory of 4500	1508	GAicO2ux.exe	87
PID 1508 wrote to memory of 4500	1508	GAicO2ux.exe	87
PID 1508 wrote to memory of 4500	1508	GAicO2ux.exe	87
PID 1508 wrote to memory of 4500	1508	GAicO2ux.exe	87

C:\Users\Admin\AppData\Local\Temp\2d6fc2a4cab93c3d4566a5acfa8311c9ab0b9915cd19e66fa7b8f2140a214236.exe
"C:\Users\Admin\AppData\Local\Temp\2d6fc2a4cab93c3d4566a5acfa8311c9ab0b9915cd19e66fa7b8f2140a214236.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Local\Temp\2d6fc2a4cab93c3d4566a5acfa8311c9ab0b9915cd19e66fa7b8f2140a214236.exe
  "C:\Users\Admin\AppData\Local\Temp\2d6fc2a4cab93c3d4566a5acfa8311c9ab0b9915cd19e66fa7b8f2140a214236.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\ProgramData\f64KTabkTRj\GAicO2ux.exe
    "C:\ProgramData\f64KTabkTRj\GAicO2ux.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\ProgramData\f64KTabkTRj\GAicO2ux.exe
      "C:\ProgramData\f64KTabkTRj\GAicO2ux.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1508
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe" /i:1508
        5⤵
        
        PID:4500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\f64KTabkTRj\GAicO2ux.exe

Filesize
267KB

MD5
1e7f33ab7b2afd6ad43db35218c2a920

SHA1
5c86f0e35cb0c828fec223ae975275980c03b21b

SHA256
2d6fc2a4cab93c3d4566a5acfa8311c9ab0b9915cd19e66fa7b8f2140a214236

SHA512
e723fadfa182eff0c5d36a3169393a8bfea84dcf595a4a425d9937f920a4aba9847f3a43b83ca52a60e1a235aff7d51aa97d6c309ffcf410aa0234999d084549

Download Submit
C:\ProgramData\f64KTabkTRj\GAicO2ux.exe

Filesize
267KB

MD5
1e7f33ab7b2afd6ad43db35218c2a920

SHA1
5c86f0e35cb0c828fec223ae975275980c03b21b

SHA256
2d6fc2a4cab93c3d4566a5acfa8311c9ab0b9915cd19e66fa7b8f2140a214236

SHA512
e723fadfa182eff0c5d36a3169393a8bfea84dcf595a4a425d9937f920a4aba9847f3a43b83ca52a60e1a235aff7d51aa97d6c309ffcf410aa0234999d084549

Download Submit
C:\ProgramData\f64KTabkTRj\GAicO2ux.exe

Filesize
267KB

MD5
abd16ec990e50051e5d139c63c01267e

SHA1
9c7697fdac3f82ed998fb5f33ffa472dc4ea328d

SHA256
71b7036cf78cc1cef83a6fbefaa73a652a6ba637951df70073b85426a418a7e2

SHA512
e995632a34773809ea459229b4c6951fb748389267d987911ad83ddbc6cba424a2a18f2deef8dd89e5ede37d1ed85f29a5362bbf183cd32fdbfd7321d2caadef

Download Submit
C:\ProgramData\f64KTabkTRj\GAicO2ux.exe

Filesize
267KB

MD5
abd16ec990e50051e5d139c63c01267e

SHA1
9c7697fdac3f82ed998fb5f33ffa472dc4ea328d

SHA256
71b7036cf78cc1cef83a6fbefaa73a652a6ba637951df70073b85426a418a7e2

SHA512
e995632a34773809ea459229b4c6951fb748389267d987911ad83ddbc6cba424a2a18f2deef8dd89e5ede37d1ed85f29a5362bbf183cd32fdbfd7321d2caadef

Download Submit
C:\ProgramData\f64KTabkTRj\GAicO2ux.exe

Filesize
267KB

MD5
abd16ec990e50051e5d139c63c01267e

SHA1
9c7697fdac3f82ed998fb5f33ffa472dc4ea328d

SHA256
71b7036cf78cc1cef83a6fbefaa73a652a6ba637951df70073b85426a418a7e2

SHA512
e995632a34773809ea459229b4c6951fb748389267d987911ad83ddbc6cba424a2a18f2deef8dd89e5ede37d1ed85f29a5362bbf183cd32fdbfd7321d2caadef

Download Submit
C:\Users\Admin\AppData\Local\Temp\hLz6g7XlaBl.exe

Filesize
267KB

MD5
abd16ec990e50051e5d139c63c01267e

SHA1
9c7697fdac3f82ed998fb5f33ffa472dc4ea328d

SHA256
71b7036cf78cc1cef83a6fbefaa73a652a6ba637951df70073b85426a418a7e2

SHA512
e995632a34773809ea459229b4c6951fb748389267d987911ad83ddbc6cba424a2a18f2deef8dd89e5ede37d1ed85f29a5362bbf183cd32fdbfd7321d2caadef

Download Submit
C:\Users\Admin\AppData\Local\Temp\hLz6g7XlaBl.exe

Filesize
267KB

MD5
abd16ec990e50051e5d139c63c01267e

SHA1
9c7697fdac3f82ed998fb5f33ffa472dc4ea328d

SHA256
71b7036cf78cc1cef83a6fbefaa73a652a6ba637951df70073b85426a418a7e2

SHA512
e995632a34773809ea459229b4c6951fb748389267d987911ad83ddbc6cba424a2a18f2deef8dd89e5ede37d1ed85f29a5362bbf183cd32fdbfd7321d2caadef

Download Submit
memory/1508-151-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1508-158-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1508-152-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1964-143-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1964-139-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1964-138-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1964-133-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1964-135-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1964-134-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4500-159-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing