d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4

General

Target

d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe
Size

411KB
MD5

d60834c15d6f7f934f490ba86cdabe67
SHA1

3c2bc5eadbbdaa4bcc2f20df4e7a2c2105dd83b7
SHA256

d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4
SHA512

46cdbe31c4fb3a255c2cb292fc13e3a409de481d9f69c19900713f132482c4768136d4f2f0fcf6a6f155802815c19d2add47feeeec51c3051ac32555ced43f90
SSDEEP

6144:9GK72n5/Ud/JuoWrJ8/wzGn/N5H3iHNzVNx3dKn:9pe5MV1WrJtC5XszVNx3dKn

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
980	5ngY1TnJTB2ZClLL.exe
1480	5ngY1TnJTB2ZClLL.exe

Deletes itself 1 IoCs

pid	Process
1480	5ngY1TnJTB2ZClLL.exe

Loads dropped DLL 4 IoCs

pid	Process
872	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe
872	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe
872	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe
1480	5ngY1TnJTB2ZClLL.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\k9YRBDR7bpbnzS9E = "C:\\ProgramData\\Vr3qWqAjBvUcwRi\\5ngY1TnJTB2ZClLL.exe"	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 108 set thread context of 872	108	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe	27
PID 980 set thread context of 1480	980	5ngY1TnJTB2ZClLL.exe	29
PID 1480 set thread context of 1712	1480	5ngY1TnJTB2ZClLL.exe	30

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 108 wrote to memory of 872	108	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe	27
PID 108 wrote to memory of 872	108	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe	27
PID 108 wrote to memory of 872	108	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe	27
PID 108 wrote to memory of 872	108	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe	27
PID 108 wrote to memory of 872	108	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe	27
PID 108 wrote to memory of 872	108	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe	27
PID 872 wrote to memory of 980	872	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe	28
PID 872 wrote to memory of 980	872	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe	28
PID 872 wrote to memory of 980	872	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe	28
PID 872 wrote to memory of 980	872	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe	28
PID 980 wrote to memory of 1480	980	5ngY1TnJTB2ZClLL.exe	29
PID 980 wrote to memory of 1480	980	5ngY1TnJTB2ZClLL.exe	29
PID 980 wrote to memory of 1480	980	5ngY1TnJTB2ZClLL.exe	29
PID 980 wrote to memory of 1480	980	5ngY1TnJTB2ZClLL.exe	29
PID 980 wrote to memory of 1480	980	5ngY1TnJTB2ZClLL.exe	29
PID 980 wrote to memory of 1480	980	5ngY1TnJTB2ZClLL.exe	29
PID 1480 wrote to memory of 1712	1480	5ngY1TnJTB2ZClLL.exe	30
PID 1480 wrote to memory of 1712	1480	5ngY1TnJTB2ZClLL.exe	30
PID 1480 wrote to memory of 1712	1480	5ngY1TnJTB2ZClLL.exe	30
PID 1480 wrote to memory of 1712	1480	5ngY1TnJTB2ZClLL.exe	30
PID 1480 wrote to memory of 1712	1480	5ngY1TnJTB2ZClLL.exe	30
PID 1480 wrote to memory of 1712	1480	5ngY1TnJTB2ZClLL.exe	30
PID 1480 wrote to memory of 1712	1480	5ngY1TnJTB2ZClLL.exe	30
PID 1480 wrote to memory of 1712	1480	5ngY1TnJTB2ZClLL.exe	30
PID 1480 wrote to memory of 1712	1480	5ngY1TnJTB2ZClLL.exe	30

C:\Users\Admin\AppData\Local\Temp\d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe
"C:\Users\Admin\AppData\Local\Temp\d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:108
- C:\Users\Admin\AppData\Local\Temp\d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe
  "C:\Users\Admin\AppData\Local\Temp\d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\ProgramData\Vr3qWqAjBvUcwRi\5ngY1TnJTB2ZClLL.exe
    "C:\ProgramData\Vr3qWqAjBvUcwRi\5ngY1TnJTB2ZClLL.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\ProgramData\Vr3qWqAjBvUcwRi\5ngY1TnJTB2ZClLL.exe
      "C:\ProgramData\Vr3qWqAjBvUcwRi\5ngY1TnJTB2ZClLL.exe"
      4⤵
      Executes dropped EXE
      Deletes itself
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe" /i:1480
        5⤵
        
        PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Vr3qWqAjBvUcwRi\5ngY1TnJTB2ZClLL.exe

Filesize
411KB

MD5
e6590f11a9661d357ba9c4f0354342fa

SHA1
7705b6ebf14c9d05e6988f3fba0debb65732f847

SHA256
58dac4db9f0e29458cefcf342b5a45055c7a809d8b2ea14408ba45b90f2c3b63

SHA512
ce57ef6111f9bf81a2192c5d3a4ebc229771357e594b2cd5b898eb4d4edbb21ba0dce72064ffde320b6d982e40dbb8a801c1533d0f25c19662a1f3d389e6f18a

Download Submit
C:\ProgramData\Vr3qWqAjBvUcwRi\5ngY1TnJTB2ZClLL.exe

Filesize
411KB

MD5
e6590f11a9661d357ba9c4f0354342fa

SHA1
7705b6ebf14c9d05e6988f3fba0debb65732f847

SHA256
58dac4db9f0e29458cefcf342b5a45055c7a809d8b2ea14408ba45b90f2c3b63

SHA512
ce57ef6111f9bf81a2192c5d3a4ebc229771357e594b2cd5b898eb4d4edbb21ba0dce72064ffde320b6d982e40dbb8a801c1533d0f25c19662a1f3d389e6f18a

Download Submit
C:\ProgramData\Vr3qWqAjBvUcwRi\5ngY1TnJTB2ZClLL.exe

Filesize
411KB

MD5
e6590f11a9661d357ba9c4f0354342fa

SHA1
7705b6ebf14c9d05e6988f3fba0debb65732f847

SHA256
58dac4db9f0e29458cefcf342b5a45055c7a809d8b2ea14408ba45b90f2c3b63

SHA512
ce57ef6111f9bf81a2192c5d3a4ebc229771357e594b2cd5b898eb4d4edbb21ba0dce72064ffde320b6d982e40dbb8a801c1533d0f25c19662a1f3d389e6f18a

Download Submit
\ProgramData\Vr3qWqAjBvUcwRi\5ngY1TnJTB2ZClLL.exe

Filesize
411KB

MD5
e6590f11a9661d357ba9c4f0354342fa

SHA1
7705b6ebf14c9d05e6988f3fba0debb65732f847

SHA256
58dac4db9f0e29458cefcf342b5a45055c7a809d8b2ea14408ba45b90f2c3b63

SHA512
ce57ef6111f9bf81a2192c5d3a4ebc229771357e594b2cd5b898eb4d4edbb21ba0dce72064ffde320b6d982e40dbb8a801c1533d0f25c19662a1f3d389e6f18a

Download Submit
\ProgramData\Vr3qWqAjBvUcwRi\5ngY1TnJTB2ZClLL.exe

Filesize
411KB

MD5
e6590f11a9661d357ba9c4f0354342fa

SHA1
7705b6ebf14c9d05e6988f3fba0debb65732f847

SHA256
58dac4db9f0e29458cefcf342b5a45055c7a809d8b2ea14408ba45b90f2c3b63

SHA512
ce57ef6111f9bf81a2192c5d3a4ebc229771357e594b2cd5b898eb4d4edbb21ba0dce72064ffde320b6d982e40dbb8a801c1533d0f25c19662a1f3d389e6f18a

Download Submit
\ProgramData\Vr3qWqAjBvUcwRi\5ngY1TnJTB2ZClLL.exe

Filesize
411KB

MD5
d60834c15d6f7f934f490ba86cdabe67

SHA1
3c2bc5eadbbdaa4bcc2f20df4e7a2c2105dd83b7

SHA256
d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4

SHA512
46cdbe31c4fb3a255c2cb292fc13e3a409de481d9f69c19900713f132482c4768136d4f2f0fcf6a6f155802815c19d2add47feeeec51c3051ac32555ced43f90

Download Submit
\Users\Admin\AppData\Local\Temp\WNJQTnciMWtb9e9U.exe

Filesize
411KB

MD5
e6590f11a9661d357ba9c4f0354342fa

SHA1
7705b6ebf14c9d05e6988f3fba0debb65732f847

SHA256
58dac4db9f0e29458cefcf342b5a45055c7a809d8b2ea14408ba45b90f2c3b63

SHA512
ce57ef6111f9bf81a2192c5d3a4ebc229771357e594b2cd5b898eb4d4edbb21ba0dce72064ffde320b6d982e40dbb8a801c1533d0f25c19662a1f3d389e6f18a

Download Submit
memory/872-58-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/872-59-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/872-65-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/872-54-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/872-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1480-75-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1480-82-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1712-83-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1712-84-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing