d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4

General

Target

d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe
Size

411KB
MD5

d60834c15d6f7f934f490ba86cdabe67
SHA1

3c2bc5eadbbdaa4bcc2f20df4e7a2c2105dd83b7
SHA256

d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4
SHA512

46cdbe31c4fb3a255c2cb292fc13e3a409de481d9f69c19900713f132482c4768136d4f2f0fcf6a6f155802815c19d2add47feeeec51c3051ac32555ced43f90
SSDEEP

6144:9GK72n5/Ud/JuoWrJ8/wzGn/N5H3iHNzVNx3dKn:9pe5MV1WrJtC5XszVNx3dKn

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5036	FCWnAPCpKimmChan.exe
4912	FCWnAPCpKimmChan.exe

Loads dropped DLL 4 IoCs

pid	Process
4084	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe
4084	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe
4912	FCWnAPCpKimmChan.exe
4912	FCWnAPCpKimmChan.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\s32LZnAlqbrUQR = "C:\\ProgramData\\WEq2rzzsPFlB10\\FCWnAPCpKimmChan.exe"	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2720 set thread context of 4084	2720	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe	79
PID 5036 set thread context of 4912	5036	FCWnAPCpKimmChan.exe	81
PID 4912 set thread context of 1140	4912	FCWnAPCpKimmChan.exe	82

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 4084	2720	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe	79
PID 2720 wrote to memory of 4084	2720	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe	79
PID 2720 wrote to memory of 4084	2720	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe	79
PID 2720 wrote to memory of 4084	2720	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe	79
PID 2720 wrote to memory of 4084	2720	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe	79
PID 4084 wrote to memory of 5036	4084	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe	80
PID 4084 wrote to memory of 5036	4084	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe	80
PID 4084 wrote to memory of 5036	4084	d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe	80
PID 5036 wrote to memory of 4912	5036	FCWnAPCpKimmChan.exe	81
PID 5036 wrote to memory of 4912	5036	FCWnAPCpKimmChan.exe	81
PID 5036 wrote to memory of 4912	5036	FCWnAPCpKimmChan.exe	81
PID 5036 wrote to memory of 4912	5036	FCWnAPCpKimmChan.exe	81
PID 5036 wrote to memory of 4912	5036	FCWnAPCpKimmChan.exe	81
PID 4912 wrote to memory of 1140	4912	FCWnAPCpKimmChan.exe	82
PID 4912 wrote to memory of 1140	4912	FCWnAPCpKimmChan.exe	82
PID 4912 wrote to memory of 1140	4912	FCWnAPCpKimmChan.exe	82
PID 4912 wrote to memory of 1140	4912	FCWnAPCpKimmChan.exe	82
PID 4912 wrote to memory of 1140	4912	FCWnAPCpKimmChan.exe	82

C:\Users\Admin\AppData\Local\Temp\d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe
"C:\Users\Admin\AppData\Local\Temp\d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\AppData\Local\Temp\d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe
  "C:\Users\Admin\AppData\Local\Temp\d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\ProgramData\WEq2rzzsPFlB10\FCWnAPCpKimmChan.exe
    "C:\ProgramData\WEq2rzzsPFlB10\FCWnAPCpKimmChan.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\ProgramData\WEq2rzzsPFlB10\FCWnAPCpKimmChan.exe
      "C:\ProgramData\WEq2rzzsPFlB10\FCWnAPCpKimmChan.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4912
    - - C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateBroker.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateBroker.exe" /i:4912
        5⤵
        
        PID:1140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WEq2rzzsPFlB10\FCWnAPCpKimmChan.exe

Filesize
411KB

MD5
d60834c15d6f7f934f490ba86cdabe67

SHA1
3c2bc5eadbbdaa4bcc2f20df4e7a2c2105dd83b7

SHA256
d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4

SHA512
46cdbe31c4fb3a255c2cb292fc13e3a409de481d9f69c19900713f132482c4768136d4f2f0fcf6a6f155802815c19d2add47feeeec51c3051ac32555ced43f90

Download Submit
C:\ProgramData\WEq2rzzsPFlB10\FCWnAPCpKimmChan.exe

Filesize
411KB

MD5
d60834c15d6f7f934f490ba86cdabe67

SHA1
3c2bc5eadbbdaa4bcc2f20df4e7a2c2105dd83b7

SHA256
d768894f9959c3feb3588e737a8581a76535220cb8d550b0272aba13926a03f4

SHA512
46cdbe31c4fb3a255c2cb292fc13e3a409de481d9f69c19900713f132482c4768136d4f2f0fcf6a6f155802815c19d2add47feeeec51c3051ac32555ced43f90

Download Submit
C:\ProgramData\WEq2rzzsPFlB10\FCWnAPCpKimmChan.exe

Filesize
411KB

MD5
ed064e0b747c6fd091a2077b614c80b1

SHA1
4d536a1993110860195d0f7813297108fd5c68e9

SHA256
d4e50da43513558dfc58ac22a893361ae54944b050e4a376c99d722ed4347043

SHA512
b7177893314f5a264375dc1a5bd0e356b11c3cce659086ceb5497313d182cba51542c126e47b7237c2ea2941cabac1c92281a4da3d0976ae44041d02cb5cb251

Download Submit
C:\ProgramData\WEq2rzzsPFlB10\FCWnAPCpKimmChan.exe

Filesize
411KB

MD5
ed064e0b747c6fd091a2077b614c80b1

SHA1
4d536a1993110860195d0f7813297108fd5c68e9

SHA256
d4e50da43513558dfc58ac22a893361ae54944b050e4a376c99d722ed4347043

SHA512
b7177893314f5a264375dc1a5bd0e356b11c3cce659086ceb5497313d182cba51542c126e47b7237c2ea2941cabac1c92281a4da3d0976ae44041d02cb5cb251

Download Submit
C:\ProgramData\WEq2rzzsPFlB10\FCWnAPCpKimmChan.exe

Filesize
411KB

MD5
ed064e0b747c6fd091a2077b614c80b1

SHA1
4d536a1993110860195d0f7813297108fd5c68e9

SHA256
d4e50da43513558dfc58ac22a893361ae54944b050e4a376c99d722ed4347043

SHA512
b7177893314f5a264375dc1a5bd0e356b11c3cce659086ceb5497313d182cba51542c126e47b7237c2ea2941cabac1c92281a4da3d0976ae44041d02cb5cb251

Download Submit
C:\Users\Admin\AppData\Local\Temp\4CQMb98nUvK.exe

Filesize
411KB

MD5
ed064e0b747c6fd091a2077b614c80b1

SHA1
4d536a1993110860195d0f7813297108fd5c68e9

SHA256
d4e50da43513558dfc58ac22a893361ae54944b050e4a376c99d722ed4347043

SHA512
b7177893314f5a264375dc1a5bd0e356b11c3cce659086ceb5497313d182cba51542c126e47b7237c2ea2941cabac1c92281a4da3d0976ae44041d02cb5cb251

Download Submit
C:\Users\Admin\AppData\Local\Temp\4CQMb98nUvK.exe

Filesize
411KB

MD5
ed064e0b747c6fd091a2077b614c80b1

SHA1
4d536a1993110860195d0f7813297108fd5c68e9

SHA256
d4e50da43513558dfc58ac22a893361ae54944b050e4a376c99d722ed4347043

SHA512
b7177893314f5a264375dc1a5bd0e356b11c3cce659086ceb5497313d182cba51542c126e47b7237c2ea2941cabac1c92281a4da3d0976ae44041d02cb5cb251

Download Submit
memory/1140-159-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1140-158-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4084-136-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4084-143-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4084-138-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4084-137-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4912-152-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4912-157-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing