aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1

General

Target

aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe
Size

250KB
MD5

3f3ce27a7c97c64045956757760879a9
SHA1

41ad1c0425ab67d95ce106e02de953a1398323c7
SHA256

aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1
SHA512

57db0b9b425d4dbcc5d795d4e66edb10f8aae7737bbc3484f7b9ca6e827d5ce10fdb0f1c10afef2e6fcc23819ddc183921ea1bcf6ba236f6ab9d714f919fe022
SSDEEP

6144:oxZ3+bJa368M6CkGdSO5wayVv1fofZFsJlN6hq9fimBJ2PN:orUspMkG87ZVdA8NgA/

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1028	3CIx34TYdbyUpW.exe
584	3CIx34TYdbyUpW.exe

Deletes itself 1 IoCs

pid	Process
584	3CIx34TYdbyUpW.exe

Loads dropped DLL 4 IoCs

pid	Process
1724	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe
1724	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe
1724	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe
584	3CIx34TYdbyUpW.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\tkj0fDW2JFMw = "C:\\ProgramData\\aJmre8LSmz\\3CIx34TYdbyUpW.exe"	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1672 set thread context of 1724	1672	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe	27
PID 1028 set thread context of 584	1028	3CIx34TYdbyUpW.exe	29
PID 584 set thread context of 1108	584	3CIx34TYdbyUpW.exe	30

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1724	1672	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe	27
PID 1672 wrote to memory of 1724	1672	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe	27
PID 1672 wrote to memory of 1724	1672	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe	27
PID 1672 wrote to memory of 1724	1672	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe	27
PID 1672 wrote to memory of 1724	1672	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe	27
PID 1672 wrote to memory of 1724	1672	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe	27
PID 1724 wrote to memory of 1028	1724	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe	28
PID 1724 wrote to memory of 1028	1724	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe	28
PID 1724 wrote to memory of 1028	1724	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe	28
PID 1724 wrote to memory of 1028	1724	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe	28
PID 1028 wrote to memory of 584	1028	3CIx34TYdbyUpW.exe	29
PID 1028 wrote to memory of 584	1028	3CIx34TYdbyUpW.exe	29
PID 1028 wrote to memory of 584	1028	3CIx34TYdbyUpW.exe	29
PID 1028 wrote to memory of 584	1028	3CIx34TYdbyUpW.exe	29
PID 1028 wrote to memory of 584	1028	3CIx34TYdbyUpW.exe	29
PID 1028 wrote to memory of 584	1028	3CIx34TYdbyUpW.exe	29
PID 584 wrote to memory of 1108	584	3CIx34TYdbyUpW.exe	30
PID 584 wrote to memory of 1108	584	3CIx34TYdbyUpW.exe	30
PID 584 wrote to memory of 1108	584	3CIx34TYdbyUpW.exe	30
PID 584 wrote to memory of 1108	584	3CIx34TYdbyUpW.exe	30
PID 584 wrote to memory of 1108	584	3CIx34TYdbyUpW.exe	30
PID 584 wrote to memory of 1108	584	3CIx34TYdbyUpW.exe	30

C:\Users\Admin\AppData\Local\Temp\aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe
"C:\Users\Admin\AppData\Local\Temp\aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe
  "C:\Users\Admin\AppData\Local\Temp\aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\ProgramData\aJmre8LSmz\3CIx34TYdbyUpW.exe
    "C:\ProgramData\aJmre8LSmz\3CIx34TYdbyUpW.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\ProgramData\aJmre8LSmz\3CIx34TYdbyUpW.exe
      "C:\ProgramData\aJmre8LSmz\3CIx34TYdbyUpW.exe"
      4⤵
      Executes dropped EXE
      Deletes itself
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:584
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe" /i:584
        5⤵
        
        PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\aJmre8LSmz\3CIx34TYdbyUpW.exe

Filesize
250KB

MD5
edd2fbbf4a7ea42c8802ae1e3aa4cf10

SHA1
15041e6d90f907b5683d4104f02ebcf1899ad0d1

SHA256
aecc6237caec5e2f8749fa0324d09bc7cfb41c480ba2a91e8e6a2aff0be0346c

SHA512
79983f3a4e70fd708afa67b52f0f098c47220f7d352e910a06e4e01b40e8f8297e31df20351784b03b77e4106f6a042d996d95d39808c31f915ebc522c4fd3c6

Download Submit
C:\ProgramData\aJmre8LSmz\3CIx34TYdbyUpW.exe

Filesize
250KB

MD5
edd2fbbf4a7ea42c8802ae1e3aa4cf10

SHA1
15041e6d90f907b5683d4104f02ebcf1899ad0d1

SHA256
aecc6237caec5e2f8749fa0324d09bc7cfb41c480ba2a91e8e6a2aff0be0346c

SHA512
79983f3a4e70fd708afa67b52f0f098c47220f7d352e910a06e4e01b40e8f8297e31df20351784b03b77e4106f6a042d996d95d39808c31f915ebc522c4fd3c6

Download Submit
C:\ProgramData\aJmre8LSmz\3CIx34TYdbyUpW.exe

Filesize
250KB

MD5
edd2fbbf4a7ea42c8802ae1e3aa4cf10

SHA1
15041e6d90f907b5683d4104f02ebcf1899ad0d1

SHA256
aecc6237caec5e2f8749fa0324d09bc7cfb41c480ba2a91e8e6a2aff0be0346c

SHA512
79983f3a4e70fd708afa67b52f0f098c47220f7d352e910a06e4e01b40e8f8297e31df20351784b03b77e4106f6a042d996d95d39808c31f915ebc522c4fd3c6

Download Submit
\ProgramData\aJmre8LSmz\3CIx34TYdbyUpW.exe

Filesize
250KB

MD5
edd2fbbf4a7ea42c8802ae1e3aa4cf10

SHA1
15041e6d90f907b5683d4104f02ebcf1899ad0d1

SHA256
aecc6237caec5e2f8749fa0324d09bc7cfb41c480ba2a91e8e6a2aff0be0346c

SHA512
79983f3a4e70fd708afa67b52f0f098c47220f7d352e910a06e4e01b40e8f8297e31df20351784b03b77e4106f6a042d996d95d39808c31f915ebc522c4fd3c6

Download Submit
\ProgramData\aJmre8LSmz\3CIx34TYdbyUpW.exe

Filesize
250KB

MD5
edd2fbbf4a7ea42c8802ae1e3aa4cf10

SHA1
15041e6d90f907b5683d4104f02ebcf1899ad0d1

SHA256
aecc6237caec5e2f8749fa0324d09bc7cfb41c480ba2a91e8e6a2aff0be0346c

SHA512
79983f3a4e70fd708afa67b52f0f098c47220f7d352e910a06e4e01b40e8f8297e31df20351784b03b77e4106f6a042d996d95d39808c31f915ebc522c4fd3c6

Download Submit
\ProgramData\aJmre8LSmz\3CIx34TYdbyUpW.exe

Filesize
250KB

MD5
3f3ce27a7c97c64045956757760879a9

SHA1
41ad1c0425ab67d95ce106e02de953a1398323c7

SHA256
aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1

SHA512
57db0b9b425d4dbcc5d795d4e66edb10f8aae7737bbc3484f7b9ca6e827d5ce10fdb0f1c10afef2e6fcc23819ddc183921ea1bcf6ba236f6ab9d714f919fe022

Download Submit
\Users\Admin\AppData\Local\Temp\Gim9iQyo1bc95C.exe

Filesize
250KB

MD5
edd2fbbf4a7ea42c8802ae1e3aa4cf10

SHA1
15041e6d90f907b5683d4104f02ebcf1899ad0d1

SHA256
aecc6237caec5e2f8749fa0324d09bc7cfb41c480ba2a91e8e6a2aff0be0346c

SHA512
79983f3a4e70fd708afa67b52f0f098c47220f7d352e910a06e4e01b40e8f8297e31df20351784b03b77e4106f6a042d996d95d39808c31f915ebc522c4fd3c6

Download Submit
memory/584-74-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/584-82-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1108-83-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1108-84-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1724-59-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1724-65-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1724-58-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1724-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1724-54-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing