e9fdbdfd601f207f79d1eec6b55705b36ab482eac832f9f4ebf07a7878710a36

General

Target

e9fdbdfd601f207f79d1eec6b55705b36ab482eac832f9f4ebf07a7878710a36.exe
Size

356KB
MD5

16992477af6c1128ccf8e2bb7d41b165
SHA1

f0a8f7bc308ee177dd83df0f573a2ea6654be847
SHA256

e9fdbdfd601f207f79d1eec6b55705b36ab482eac832f9f4ebf07a7878710a36
SHA512

9cb37d03753d1ccdaaf9952d64b1d6ec671e86d509e77e48137d13ea4afad452c7a413e7fc1d9231da253198e7d7d5756c702ebe176be9d7de276ba946a42117
SSDEEP

6144:7vbx8OOArW84uuJTVZS0EMja2G6dJfoWSXlAiETbld6stREj:7LO2dsFjc6Q7GlFRs

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
992	sQQOjOTB.exe
296	sQQOjOTB.exe

Deletes itself 1 IoCs

pid	Process
296	sQQOjOTB.exe

Loads dropped DLL 4 IoCs

pid	Process
752	e9fdbdfd601f207f79d1eec6b55705b36ab482eac832f9f4ebf07a7878710a36.exe
752	e9fdbdfd601f207f79d1eec6b55705b36ab482eac832f9f4ebf07a7878710a36.exe
752	e9fdbdfd601f207f79d1eec6b55705b36ab482eac832f9f4ebf07a7878710a36.exe
296	sQQOjOTB.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	e9fdbdfd601f207f79d1eec6b55705b36ab482eac832f9f4ebf07a7878710a36.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\KPIICCTdD = "C:\\ProgramData\\tzKzFt08skl5\\sQQOjOTB.exe"	e9fdbdfd601f207f79d1eec6b55705b36ab482eac832f9f4ebf07a7878710a36.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1516 set thread context of 752	1516	e9fdbdfd601f207f79d1eec6b55705b36ab482eac832f9f4ebf07a7878710a36.exe	28
PID 992 set thread context of 296	992	sQQOjOTB.exe	30
PID 296 set thread context of 1668	296	sQQOjOTB.exe	31

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 752	1516	e9fdbdfd601f207f79d1eec6b55705b36ab482eac832f9f4ebf07a7878710a36.exe	28
PID 1516 wrote to memory of 752	1516	e9fdbdfd601f207f79d1eec6b55705b36ab482eac832f9f4ebf07a7878710a36.exe	28
PID 1516 wrote to memory of 752	1516	e9fdbdfd601f207f79d1eec6b55705b36ab482eac832f9f4ebf07a7878710a36.exe	28
PID 1516 wrote to memory of 752	1516	e9fdbdfd601f207f79d1eec6b55705b36ab482eac832f9f4ebf07a7878710a36.exe	28
PID 1516 wrote to memory of 752	1516	e9fdbdfd601f207f79d1eec6b55705b36ab482eac832f9f4ebf07a7878710a36.exe	28
PID 1516 wrote to memory of 752	1516	e9fdbdfd601f207f79d1eec6b55705b36ab482eac832f9f4ebf07a7878710a36.exe	28
PID 752 wrote to memory of 992	752	e9fdbdfd601f207f79d1eec6b55705b36ab482eac832f9f4ebf07a7878710a36.exe	29
PID 752 wrote to memory of 992	752	e9fdbdfd601f207f79d1eec6b55705b36ab482eac832f9f4ebf07a7878710a36.exe	29
PID 752 wrote to memory of 992	752	e9fdbdfd601f207f79d1eec6b55705b36ab482eac832f9f4ebf07a7878710a36.exe	29
PID 752 wrote to memory of 992	752	e9fdbdfd601f207f79d1eec6b55705b36ab482eac832f9f4ebf07a7878710a36.exe	29
PID 992 wrote to memory of 296	992	sQQOjOTB.exe	30
PID 992 wrote to memory of 296	992	sQQOjOTB.exe	30
PID 992 wrote to memory of 296	992	sQQOjOTB.exe	30
PID 992 wrote to memory of 296	992	sQQOjOTB.exe	30
PID 992 wrote to memory of 296	992	sQQOjOTB.exe	30
PID 992 wrote to memory of 296	992	sQQOjOTB.exe	30
PID 296 wrote to memory of 1668	296	sQQOjOTB.exe	31
PID 296 wrote to memory of 1668	296	sQQOjOTB.exe	31
PID 296 wrote to memory of 1668	296	sQQOjOTB.exe	31
PID 296 wrote to memory of 1668	296	sQQOjOTB.exe	31
PID 296 wrote to memory of 1668	296	sQQOjOTB.exe	31
PID 296 wrote to memory of 1668	296	sQQOjOTB.exe	31

C:\Users\Admin\AppData\Local\Temp\e9fdbdfd601f207f79d1eec6b55705b36ab482eac832f9f4ebf07a7878710a36.exe
"C:\Users\Admin\AppData\Local\Temp\e9fdbdfd601f207f79d1eec6b55705b36ab482eac832f9f4ebf07a7878710a36.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Local\Temp\e9fdbdfd601f207f79d1eec6b55705b36ab482eac832f9f4ebf07a7878710a36.exe
  "C:\Users\Admin\AppData\Local\Temp\e9fdbdfd601f207f79d1eec6b55705b36ab482eac832f9f4ebf07a7878710a36.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\ProgramData\tzKzFt08skl5\sQQOjOTB.exe
    "C:\ProgramData\tzKzFt08skl5\sQQOjOTB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:992
  - - C:\ProgramData\tzKzFt08skl5\sQQOjOTB.exe
      "C:\ProgramData\tzKzFt08skl5\sQQOjOTB.exe"
      4⤵
      Executes dropped EXE
      Deletes itself
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:296
    - - C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe" /i:296
        5⤵
        
        PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\tzKzFt08skl5\sQQOjOTB.exe

Filesize
356KB

MD5
2ce0b699274fd451c88db973d0b0b4c0

SHA1
3eb737c06d201d63387ed17b8dafacb180594be1

SHA256
e780c7aee84831c2042fb957cf9a6ba3bb76e4c9f4cbb6ebe2966097ac89c054

SHA512
ed89351562a1104999d8beb1823c8e8395f4cb818490dca85f50e51336a87788328eae28bc5643d9ab3c7ff69f404b45e2d7ae38dac0eea7d13f7e66200952ec

Download Submit
C:\ProgramData\tzKzFt08skl5\sQQOjOTB.exe

Filesize
356KB

MD5
2ce0b699274fd451c88db973d0b0b4c0

SHA1
3eb737c06d201d63387ed17b8dafacb180594be1

SHA256
e780c7aee84831c2042fb957cf9a6ba3bb76e4c9f4cbb6ebe2966097ac89c054

SHA512
ed89351562a1104999d8beb1823c8e8395f4cb818490dca85f50e51336a87788328eae28bc5643d9ab3c7ff69f404b45e2d7ae38dac0eea7d13f7e66200952ec

Download Submit
C:\ProgramData\tzKzFt08skl5\sQQOjOTB.exe

Filesize
356KB

MD5
2ce0b699274fd451c88db973d0b0b4c0

SHA1
3eb737c06d201d63387ed17b8dafacb180594be1

SHA256
e780c7aee84831c2042fb957cf9a6ba3bb76e4c9f4cbb6ebe2966097ac89c054

SHA512
ed89351562a1104999d8beb1823c8e8395f4cb818490dca85f50e51336a87788328eae28bc5643d9ab3c7ff69f404b45e2d7ae38dac0eea7d13f7e66200952ec

Download Submit
\ProgramData\tzKzFt08skl5\sQQOjOTB.exe

Filesize
356KB

MD5
2ce0b699274fd451c88db973d0b0b4c0

SHA1
3eb737c06d201d63387ed17b8dafacb180594be1

SHA256
e780c7aee84831c2042fb957cf9a6ba3bb76e4c9f4cbb6ebe2966097ac89c054

SHA512
ed89351562a1104999d8beb1823c8e8395f4cb818490dca85f50e51336a87788328eae28bc5643d9ab3c7ff69f404b45e2d7ae38dac0eea7d13f7e66200952ec

Download Submit
\ProgramData\tzKzFt08skl5\sQQOjOTB.exe

Filesize
356KB

MD5
2ce0b699274fd451c88db973d0b0b4c0

SHA1
3eb737c06d201d63387ed17b8dafacb180594be1

SHA256
e780c7aee84831c2042fb957cf9a6ba3bb76e4c9f4cbb6ebe2966097ac89c054

SHA512
ed89351562a1104999d8beb1823c8e8395f4cb818490dca85f50e51336a87788328eae28bc5643d9ab3c7ff69f404b45e2d7ae38dac0eea7d13f7e66200952ec

Download Submit
\ProgramData\tzKzFt08skl5\sQQOjOTB.exe

Filesize
356KB

MD5
16992477af6c1128ccf8e2bb7d41b165

SHA1
f0a8f7bc308ee177dd83df0f573a2ea6654be847

SHA256
e9fdbdfd601f207f79d1eec6b55705b36ab482eac832f9f4ebf07a7878710a36

SHA512
9cb37d03753d1ccdaaf9952d64b1d6ec671e86d509e77e48137d13ea4afad452c7a413e7fc1d9231da253198e7d7d5756c702ebe176be9d7de276ba946a42117

Download Submit
\Users\Admin\AppData\Local\Temp\9CtplJZ2B.exe

Filesize
356KB

MD5
2ce0b699274fd451c88db973d0b0b4c0

SHA1
3eb737c06d201d63387ed17b8dafacb180594be1

SHA256
e780c7aee84831c2042fb957cf9a6ba3bb76e4c9f4cbb6ebe2966097ac89c054

SHA512
ed89351562a1104999d8beb1823c8e8395f4cb818490dca85f50e51336a87788328eae28bc5643d9ab3c7ff69f404b45e2d7ae38dac0eea7d13f7e66200952ec

Download Submit
memory/296-83-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/296-76-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/752-60-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/752-65-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/752-54-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/752-59-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/752-58-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/752-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1668-84-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1668-85-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing