f8706ea6ca69ea2c540febe6a59702084b930776fa47b39497272b46a0540062

General

Target

f8706ea6ca69ea2c540febe6a59702084b930776fa47b39497272b46a0540062.exe
Size

351KB
MD5

5535994fb3a321f28bfec5c4ca9a6cb9
SHA1

f3d2afeb4b358cea835d30d5148c54b514aa84a4
SHA256

f8706ea6ca69ea2c540febe6a59702084b930776fa47b39497272b46a0540062
SHA512

19041c7c29106fd8118bfee156593d3e824234e28413357e9759d320c5cece0c4ffc26ef7c68e7b28bccbc4c5c0c83aa4e35ed6872ef9b84c4b667a470d64763
SSDEEP

6144:Z3c4cg0RO2MRcCv/5uj7Pe5waEnYCqqGDWLvePE2+EJXeOeZydt:ZiBTMRcCvh27GunAhWr4EpEJXeTA

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1360	LMwwZF9KmDIEkhK3.exe
672	LMwwZF9KmDIEkhK3.exe

Deletes itself 1 IoCs

pid	Process
672	LMwwZF9KmDIEkhK3.exe

Loads dropped DLL 4 IoCs

pid	Process
1116	f8706ea6ca69ea2c540febe6a59702084b930776fa47b39497272b46a0540062.exe
1116	f8706ea6ca69ea2c540febe6a59702084b930776fa47b39497272b46a0540062.exe
1116	f8706ea6ca69ea2c540febe6a59702084b930776fa47b39497272b46a0540062.exe
672	LMwwZF9KmDIEkhK3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	f8706ea6ca69ea2c540febe6a59702084b930776fa47b39497272b46a0540062.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\TCstiCC6ZanPMp6 = "C:\\ProgramData\\lS9yV6aRMDG9lc\\LMwwZF9KmDIEkhK3.exe"	f8706ea6ca69ea2c540febe6a59702084b930776fa47b39497272b46a0540062.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1484 set thread context of 1116	1484	f8706ea6ca69ea2c540febe6a59702084b930776fa47b39497272b46a0540062.exe	27
PID 1360 set thread context of 672	1360	LMwwZF9KmDIEkhK3.exe	29
PID 672 set thread context of 1136	672	LMwwZF9KmDIEkhK3.exe	30

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 1116	1484	f8706ea6ca69ea2c540febe6a59702084b930776fa47b39497272b46a0540062.exe	27
PID 1484 wrote to memory of 1116	1484	f8706ea6ca69ea2c540febe6a59702084b930776fa47b39497272b46a0540062.exe	27
PID 1484 wrote to memory of 1116	1484	f8706ea6ca69ea2c540febe6a59702084b930776fa47b39497272b46a0540062.exe	27
PID 1484 wrote to memory of 1116	1484	f8706ea6ca69ea2c540febe6a59702084b930776fa47b39497272b46a0540062.exe	27
PID 1484 wrote to memory of 1116	1484	f8706ea6ca69ea2c540febe6a59702084b930776fa47b39497272b46a0540062.exe	27
PID 1484 wrote to memory of 1116	1484	f8706ea6ca69ea2c540febe6a59702084b930776fa47b39497272b46a0540062.exe	27
PID 1116 wrote to memory of 1360	1116	f8706ea6ca69ea2c540febe6a59702084b930776fa47b39497272b46a0540062.exe	28
PID 1116 wrote to memory of 1360	1116	f8706ea6ca69ea2c540febe6a59702084b930776fa47b39497272b46a0540062.exe	28
PID 1116 wrote to memory of 1360	1116	f8706ea6ca69ea2c540febe6a59702084b930776fa47b39497272b46a0540062.exe	28
PID 1116 wrote to memory of 1360	1116	f8706ea6ca69ea2c540febe6a59702084b930776fa47b39497272b46a0540062.exe	28
PID 1360 wrote to memory of 672	1360	LMwwZF9KmDIEkhK3.exe	29
PID 1360 wrote to memory of 672	1360	LMwwZF9KmDIEkhK3.exe	29
PID 1360 wrote to memory of 672	1360	LMwwZF9KmDIEkhK3.exe	29
PID 1360 wrote to memory of 672	1360	LMwwZF9KmDIEkhK3.exe	29
PID 1360 wrote to memory of 672	1360	LMwwZF9KmDIEkhK3.exe	29
PID 1360 wrote to memory of 672	1360	LMwwZF9KmDIEkhK3.exe	29
PID 672 wrote to memory of 1136	672	LMwwZF9KmDIEkhK3.exe	30
PID 672 wrote to memory of 1136	672	LMwwZF9KmDIEkhK3.exe	30
PID 672 wrote to memory of 1136	672	LMwwZF9KmDIEkhK3.exe	30
PID 672 wrote to memory of 1136	672	LMwwZF9KmDIEkhK3.exe	30
PID 672 wrote to memory of 1136	672	LMwwZF9KmDIEkhK3.exe	30
PID 672 wrote to memory of 1136	672	LMwwZF9KmDIEkhK3.exe	30

C:\Users\Admin\AppData\Local\Temp\f8706ea6ca69ea2c540febe6a59702084b930776fa47b39497272b46a0540062.exe
"C:\Users\Admin\AppData\Local\Temp\f8706ea6ca69ea2c540febe6a59702084b930776fa47b39497272b46a0540062.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Users\Admin\AppData\Local\Temp\f8706ea6ca69ea2c540febe6a59702084b930776fa47b39497272b46a0540062.exe
  "C:\Users\Admin\AppData\Local\Temp\f8706ea6ca69ea2c540febe6a59702084b930776fa47b39497272b46a0540062.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\ProgramData\lS9yV6aRMDG9lc\LMwwZF9KmDIEkhK3.exe
    "C:\ProgramData\lS9yV6aRMDG9lc\LMwwZF9KmDIEkhK3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\ProgramData\lS9yV6aRMDG9lc\LMwwZF9KmDIEkhK3.exe
      "C:\ProgramData\lS9yV6aRMDG9lc\LMwwZF9KmDIEkhK3.exe"
      4⤵
      Executes dropped EXE
      Deletes itself
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:672
    - - C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe" /i:672
        5⤵
        
        PID:1136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\lS9yV6aRMDG9lc\LMwwZF9KmDIEkhK3.exe

Filesize
351KB

MD5
dbc69af228c51c7a62dd9e23663f7c90

SHA1
8a07dd36e4bfba2b9a3e41a057c0c23993d5829a

SHA256
e0096903e843729463a40d42917d83a55eec295a2efc9e4b3bac28ba47d8e9c5

SHA512
2b4945bf0ce6799187a8292c920e342b093c52dc7cd3ae204a7ec23f4ca5653f6042a0e1dfbfd96d8e171d07af8bb293e3b5fe5fc16673ab9cae381cf2d7eaa6

Download Submit
C:\ProgramData\lS9yV6aRMDG9lc\LMwwZF9KmDIEkhK3.exe

Filesize
351KB

MD5
dbc69af228c51c7a62dd9e23663f7c90

SHA1
8a07dd36e4bfba2b9a3e41a057c0c23993d5829a

SHA256
e0096903e843729463a40d42917d83a55eec295a2efc9e4b3bac28ba47d8e9c5

SHA512
2b4945bf0ce6799187a8292c920e342b093c52dc7cd3ae204a7ec23f4ca5653f6042a0e1dfbfd96d8e171d07af8bb293e3b5fe5fc16673ab9cae381cf2d7eaa6

Download Submit
C:\ProgramData\lS9yV6aRMDG9lc\LMwwZF9KmDIEkhK3.exe

Filesize
351KB

MD5
dbc69af228c51c7a62dd9e23663f7c90

SHA1
8a07dd36e4bfba2b9a3e41a057c0c23993d5829a

SHA256
e0096903e843729463a40d42917d83a55eec295a2efc9e4b3bac28ba47d8e9c5

SHA512
2b4945bf0ce6799187a8292c920e342b093c52dc7cd3ae204a7ec23f4ca5653f6042a0e1dfbfd96d8e171d07af8bb293e3b5fe5fc16673ab9cae381cf2d7eaa6

Download Submit
\ProgramData\lS9yV6aRMDG9lc\LMwwZF9KmDIEkhK3.exe

Filesize
351KB

MD5
dbc69af228c51c7a62dd9e23663f7c90

SHA1
8a07dd36e4bfba2b9a3e41a057c0c23993d5829a

SHA256
e0096903e843729463a40d42917d83a55eec295a2efc9e4b3bac28ba47d8e9c5

SHA512
2b4945bf0ce6799187a8292c920e342b093c52dc7cd3ae204a7ec23f4ca5653f6042a0e1dfbfd96d8e171d07af8bb293e3b5fe5fc16673ab9cae381cf2d7eaa6

Download Submit
\ProgramData\lS9yV6aRMDG9lc\LMwwZF9KmDIEkhK3.exe

Filesize
351KB

MD5
dbc69af228c51c7a62dd9e23663f7c90

SHA1
8a07dd36e4bfba2b9a3e41a057c0c23993d5829a

SHA256
e0096903e843729463a40d42917d83a55eec295a2efc9e4b3bac28ba47d8e9c5

SHA512
2b4945bf0ce6799187a8292c920e342b093c52dc7cd3ae204a7ec23f4ca5653f6042a0e1dfbfd96d8e171d07af8bb293e3b5fe5fc16673ab9cae381cf2d7eaa6

Download Submit
\ProgramData\lS9yV6aRMDG9lc\LMwwZF9KmDIEkhK3.exe

Filesize
351KB

MD5
5535994fb3a321f28bfec5c4ca9a6cb9

SHA1
f3d2afeb4b358cea835d30d5148c54b514aa84a4

SHA256
f8706ea6ca69ea2c540febe6a59702084b930776fa47b39497272b46a0540062

SHA512
19041c7c29106fd8118bfee156593d3e824234e28413357e9759d320c5cece0c4ffc26ef7c68e7b28bccbc4c5c0c83aa4e35ed6872ef9b84c4b667a470d64763

Download Submit
\Users\Admin\AppData\Local\Temp\kWYWiuT6Bvunun.exe

Filesize
351KB

MD5
dbc69af228c51c7a62dd9e23663f7c90

SHA1
8a07dd36e4bfba2b9a3e41a057c0c23993d5829a

SHA256
e0096903e843729463a40d42917d83a55eec295a2efc9e4b3bac28ba47d8e9c5

SHA512
2b4945bf0ce6799187a8292c920e342b093c52dc7cd3ae204a7ec23f4ca5653f6042a0e1dfbfd96d8e171d07af8bb293e3b5fe5fc16673ab9cae381cf2d7eaa6

Download Submit
memory/672-75-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/672-82-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1116-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1116-65-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1116-59-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1116-58-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1116-54-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1136-83-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1136-84-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing