aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1

General

Target

aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe
Size

250KB
MD5

3f3ce27a7c97c64045956757760879a9
SHA1

41ad1c0425ab67d95ce106e02de953a1398323c7
SHA256

aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1
SHA512

57db0b9b425d4dbcc5d795d4e66edb10f8aae7737bbc3484f7b9ca6e827d5ce10fdb0f1c10afef2e6fcc23819ddc183921ea1bcf6ba236f6ab9d714f919fe022
SSDEEP

6144:oxZ3+bJa368M6CkGdSO5wayVv1fofZFsJlN6hq9fimBJ2PN:orUspMkG87ZVdA8NgA/

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
208	MdqiMwKY.exe
1172	MdqiMwKY.exe

Loads dropped DLL 4 IoCs

pid	Process
4124	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe
4124	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe
1172	MdqiMwKY.exe
1172	MdqiMwKY.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hoexElyOAP3I = "C:\\ProgramData\\CS3uauPjpd2J\\MdqiMwKY.exe"	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5092 set thread context of 4124	5092	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe	81
PID 208 set thread context of 1172	208	MdqiMwKY.exe	83
PID 1172 set thread context of 2164	1172	MdqiMwKY.exe	84

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 4124	5092	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe	81
PID 5092 wrote to memory of 4124	5092	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe	81
PID 5092 wrote to memory of 4124	5092	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe	81
PID 5092 wrote to memory of 4124	5092	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe	81
PID 5092 wrote to memory of 4124	5092	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe	81
PID 4124 wrote to memory of 208	4124	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe	82
PID 4124 wrote to memory of 208	4124	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe	82
PID 4124 wrote to memory of 208	4124	aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe	82
PID 208 wrote to memory of 1172	208	MdqiMwKY.exe	83
PID 208 wrote to memory of 1172	208	MdqiMwKY.exe	83
PID 208 wrote to memory of 1172	208	MdqiMwKY.exe	83
PID 208 wrote to memory of 1172	208	MdqiMwKY.exe	83
PID 208 wrote to memory of 1172	208	MdqiMwKY.exe	83
PID 1172 wrote to memory of 2164	1172	MdqiMwKY.exe	84
PID 1172 wrote to memory of 2164	1172	MdqiMwKY.exe	84
PID 1172 wrote to memory of 2164	1172	MdqiMwKY.exe	84
PID 1172 wrote to memory of 2164	1172	MdqiMwKY.exe	84
PID 1172 wrote to memory of 2164	1172	MdqiMwKY.exe	84

C:\Users\Admin\AppData\Local\Temp\aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe
"C:\Users\Admin\AppData\Local\Temp\aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Users\Admin\AppData\Local\Temp\aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe
  "C:\Users\Admin\AppData\Local\Temp\aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4124
- - C:\ProgramData\CS3uauPjpd2J\MdqiMwKY.exe
    "C:\ProgramData\CS3uauPjpd2J\MdqiMwKY.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\ProgramData\CS3uauPjpd2J\MdqiMwKY.exe
      "C:\ProgramData\CS3uauPjpd2J\MdqiMwKY.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1172
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" /i:1172
        5⤵
        
        PID:2164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CS3uauPjpd2J\MdqiMwKY.exe

Filesize
250KB

MD5
3f3ce27a7c97c64045956757760879a9

SHA1
41ad1c0425ab67d95ce106e02de953a1398323c7

SHA256
aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1

SHA512
57db0b9b425d4dbcc5d795d4e66edb10f8aae7737bbc3484f7b9ca6e827d5ce10fdb0f1c10afef2e6fcc23819ddc183921ea1bcf6ba236f6ab9d714f919fe022

Download Submit
C:\ProgramData\CS3uauPjpd2J\MdqiMwKY.exe

Filesize
250KB

MD5
3f3ce27a7c97c64045956757760879a9

SHA1
41ad1c0425ab67d95ce106e02de953a1398323c7

SHA256
aca1c22260a3300ef143836b217e4ba9f09dde89e5163d24639e7c94121906d1

SHA512
57db0b9b425d4dbcc5d795d4e66edb10f8aae7737bbc3484f7b9ca6e827d5ce10fdb0f1c10afef2e6fcc23819ddc183921ea1bcf6ba236f6ab9d714f919fe022

Download Submit
C:\ProgramData\CS3uauPjpd2J\MdqiMwKY.exe

Filesize
250KB

MD5
02919d49a9b5392ec6ab70a91dd991db

SHA1
66429983ee94fd48e95db1697876c1cd68844bfd

SHA256
649e5a80278f20b0e8803612f0a870b97be1befbcd41bbf48b3a593dde763959

SHA512
54f6727f49374c6a8c193af5b972a04b5d9257c3b7030f7f22a4c1498c001ab31bdbe8337fd63e50255e3d164d09ec1cb2f3a597093e8bfe2f5ab297902add45

Download Submit
C:\ProgramData\CS3uauPjpd2J\MdqiMwKY.exe

Filesize
250KB

MD5
02919d49a9b5392ec6ab70a91dd991db

SHA1
66429983ee94fd48e95db1697876c1cd68844bfd

SHA256
649e5a80278f20b0e8803612f0a870b97be1befbcd41bbf48b3a593dde763959

SHA512
54f6727f49374c6a8c193af5b972a04b5d9257c3b7030f7f22a4c1498c001ab31bdbe8337fd63e50255e3d164d09ec1cb2f3a597093e8bfe2f5ab297902add45

Download Submit
C:\ProgramData\CS3uauPjpd2J\MdqiMwKY.exe

Filesize
250KB

MD5
02919d49a9b5392ec6ab70a91dd991db

SHA1
66429983ee94fd48e95db1697876c1cd68844bfd

SHA256
649e5a80278f20b0e8803612f0a870b97be1befbcd41bbf48b3a593dde763959

SHA512
54f6727f49374c6a8c193af5b972a04b5d9257c3b7030f7f22a4c1498c001ab31bdbe8337fd63e50255e3d164d09ec1cb2f3a597093e8bfe2f5ab297902add45

Download Submit
C:\Users\Admin\AppData\Local\Temp\eu2x7WbOKZrx.exe

Filesize
250KB

MD5
02919d49a9b5392ec6ab70a91dd991db

SHA1
66429983ee94fd48e95db1697876c1cd68844bfd

SHA256
649e5a80278f20b0e8803612f0a870b97be1befbcd41bbf48b3a593dde763959

SHA512
54f6727f49374c6a8c193af5b972a04b5d9257c3b7030f7f22a4c1498c001ab31bdbe8337fd63e50255e3d164d09ec1cb2f3a597093e8bfe2f5ab297902add45

Download Submit
C:\Users\Admin\AppData\Local\Temp\eu2x7WbOKZrx.exe

Filesize
250KB

MD5
02919d49a9b5392ec6ab70a91dd991db

SHA1
66429983ee94fd48e95db1697876c1cd68844bfd

SHA256
649e5a80278f20b0e8803612f0a870b97be1befbcd41bbf48b3a593dde763959

SHA512
54f6727f49374c6a8c193af5b972a04b5d9257c3b7030f7f22a4c1498c001ab31bdbe8337fd63e50255e3d164d09ec1cb2f3a597093e8bfe2f5ab297902add45

Download Submit
memory/1172-150-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1172-156-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2164-157-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4124-143-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4124-133-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4124-135-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4124-138-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4124-134-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing