3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f

General

Target

3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe
Size

411KB
MD5

3313b1f293772f7310980f3b0ef93b90
SHA1

6e63c9cedb3cdfc35478979191a215ac9847afc9
SHA256

3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f
SHA512

2895fc2a8f9086a6546b960279c8644c21134ae990ba2e6674b35e31c726a5a37d28cfe83928560fe5be5d6330bc83477a8db6e11957178964c842cce8dd8b0f
SSDEEP

6144:9GK72EZbDOtFRJK4KRKivutOgKcIU4KAF7yHh3bM8:9pZbDGpiAHfOE5

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1768	xe4KjpOQJaRLmiY.exe
1436	xe4KjpOQJaRLmiY.exe

Deletes itself 1 IoCs

pid	Process
1436	xe4KjpOQJaRLmiY.exe

Loads dropped DLL 4 IoCs

pid	Process
960	3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe
960	3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe
960	3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe
1436	xe4KjpOQJaRLmiY.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\GUBka7jBVPaH = "C:\\ProgramData\\VwBEgtBI7p34maiZ\\xe4KjpOQJaRLmiY.exe"	3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 564 set thread context of 960	564	3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe	28
PID 1768 set thread context of 1436	1768	xe4KjpOQJaRLmiY.exe	30
PID 1436 set thread context of 1444	1436	xe4KjpOQJaRLmiY.exe	31

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 960	564	3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe	28
PID 564 wrote to memory of 960	564	3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe	28
PID 564 wrote to memory of 960	564	3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe	28
PID 564 wrote to memory of 960	564	3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe	28
PID 564 wrote to memory of 960	564	3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe	28
PID 564 wrote to memory of 960	564	3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe	28
PID 960 wrote to memory of 1768	960	3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe	29
PID 960 wrote to memory of 1768	960	3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe	29
PID 960 wrote to memory of 1768	960	3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe	29
PID 960 wrote to memory of 1768	960	3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe	29
PID 1768 wrote to memory of 1436	1768	xe4KjpOQJaRLmiY.exe	30
PID 1768 wrote to memory of 1436	1768	xe4KjpOQJaRLmiY.exe	30
PID 1768 wrote to memory of 1436	1768	xe4KjpOQJaRLmiY.exe	30
PID 1768 wrote to memory of 1436	1768	xe4KjpOQJaRLmiY.exe	30
PID 1768 wrote to memory of 1436	1768	xe4KjpOQJaRLmiY.exe	30
PID 1768 wrote to memory of 1436	1768	xe4KjpOQJaRLmiY.exe	30
PID 1436 wrote to memory of 1444	1436	xe4KjpOQJaRLmiY.exe	31
PID 1436 wrote to memory of 1444	1436	xe4KjpOQJaRLmiY.exe	31
PID 1436 wrote to memory of 1444	1436	xe4KjpOQJaRLmiY.exe	31
PID 1436 wrote to memory of 1444	1436	xe4KjpOQJaRLmiY.exe	31
PID 1436 wrote to memory of 1444	1436	xe4KjpOQJaRLmiY.exe	31
PID 1436 wrote to memory of 1444	1436	xe4KjpOQJaRLmiY.exe	31

C:\Users\Admin\AppData\Local\Temp\3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe
"C:\Users\Admin\AppData\Local\Temp\3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:564
- C:\Users\Admin\AppData\Local\Temp\3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe
  "C:\Users\Admin\AppData\Local\Temp\3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\ProgramData\VwBEgtBI7p34maiZ\xe4KjpOQJaRLmiY.exe
    "C:\ProgramData\VwBEgtBI7p34maiZ\xe4KjpOQJaRLmiY.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\ProgramData\VwBEgtBI7p34maiZ\xe4KjpOQJaRLmiY.exe
      "C:\ProgramData\VwBEgtBI7p34maiZ\xe4KjpOQJaRLmiY.exe"
      4⤵
      Executes dropped EXE
      Deletes itself
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1436
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe" /i:1436
        5⤵
        
        PID:1444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\VwBEgtBI7p34maiZ\xe4KjpOQJaRLmiY.exe

Filesize
411KB

MD5
ce9fad414472c391f47eace4c70ff00e

SHA1
752e258f03115ea624e89ae91cbe3ac508d46d3a

SHA256
7db82115727dc24c529026dc4924bbf9d1746a2ceeb311795c218ae0dc0c70f5

SHA512
7cb7d0a2a54b83b75cf7da3642c114e6c00fff8113229dbc1fe35911521dc16477c90871285b35a338c797f45758f7d811039272567a0e04b449fc16e9cf6451

Download Submit
C:\ProgramData\VwBEgtBI7p34maiZ\xe4KjpOQJaRLmiY.exe

Filesize
411KB

MD5
ce9fad414472c391f47eace4c70ff00e

SHA1
752e258f03115ea624e89ae91cbe3ac508d46d3a

SHA256
7db82115727dc24c529026dc4924bbf9d1746a2ceeb311795c218ae0dc0c70f5

SHA512
7cb7d0a2a54b83b75cf7da3642c114e6c00fff8113229dbc1fe35911521dc16477c90871285b35a338c797f45758f7d811039272567a0e04b449fc16e9cf6451

Download Submit
C:\ProgramData\VwBEgtBI7p34maiZ\xe4KjpOQJaRLmiY.exe

Filesize
411KB

MD5
ce9fad414472c391f47eace4c70ff00e

SHA1
752e258f03115ea624e89ae91cbe3ac508d46d3a

SHA256
7db82115727dc24c529026dc4924bbf9d1746a2ceeb311795c218ae0dc0c70f5

SHA512
7cb7d0a2a54b83b75cf7da3642c114e6c00fff8113229dbc1fe35911521dc16477c90871285b35a338c797f45758f7d811039272567a0e04b449fc16e9cf6451

Download Submit
\ProgramData\VwBEgtBI7p34maiZ\xe4KjpOQJaRLmiY.exe

Filesize
411KB

MD5
ce9fad414472c391f47eace4c70ff00e

SHA1
752e258f03115ea624e89ae91cbe3ac508d46d3a

SHA256
7db82115727dc24c529026dc4924bbf9d1746a2ceeb311795c218ae0dc0c70f5

SHA512
7cb7d0a2a54b83b75cf7da3642c114e6c00fff8113229dbc1fe35911521dc16477c90871285b35a338c797f45758f7d811039272567a0e04b449fc16e9cf6451

Download Submit
\ProgramData\VwBEgtBI7p34maiZ\xe4KjpOQJaRLmiY.exe

Filesize
411KB

MD5
ce9fad414472c391f47eace4c70ff00e

SHA1
752e258f03115ea624e89ae91cbe3ac508d46d3a

SHA256
7db82115727dc24c529026dc4924bbf9d1746a2ceeb311795c218ae0dc0c70f5

SHA512
7cb7d0a2a54b83b75cf7da3642c114e6c00fff8113229dbc1fe35911521dc16477c90871285b35a338c797f45758f7d811039272567a0e04b449fc16e9cf6451

Download Submit
\ProgramData\VwBEgtBI7p34maiZ\xe4KjpOQJaRLmiY.exe

Filesize
411KB

MD5
3313b1f293772f7310980f3b0ef93b90

SHA1
6e63c9cedb3cdfc35478979191a215ac9847afc9

SHA256
3deadf1cf2074dcf6fd56bad067c1baa176e6ca167c4ae2b5c60b0c966044a9f

SHA512
2895fc2a8f9086a6546b960279c8644c21134ae990ba2e6674b35e31c726a5a37d28cfe83928560fe5be5d6330bc83477a8db6e11957178964c842cce8dd8b0f

Download Submit
\Users\Admin\AppData\Local\Temp\m7RMr1ODZ.exe

Filesize
411KB

MD5
ce9fad414472c391f47eace4c70ff00e

SHA1
752e258f03115ea624e89ae91cbe3ac508d46d3a

SHA256
7db82115727dc24c529026dc4924bbf9d1746a2ceeb311795c218ae0dc0c70f5

SHA512
7cb7d0a2a54b83b75cf7da3642c114e6c00fff8113229dbc1fe35911521dc16477c90871285b35a338c797f45758f7d811039272567a0e04b449fc16e9cf6451

Download Submit
memory/960-65-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/960-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/960-59-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/960-54-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/960-61-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/960-58-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1436-77-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1436-75-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1436-84-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1444-85-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing