a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0

Analysis

max time kernel
62s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe
Size

395KB
MD5

c7a123cf40d5b9d79dada4c8e4203f4a
SHA1

1e2a5b41f1f8dbe53c0106ec5014cdf4bfd03975
SHA256

a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0
SHA512

00005415246b5a87cdf1f81a8da73793fd3dcc119f879757ad94d44657928a0db10a4b2c9f8d65a7a592d554757e4e800d87d288d1a9c8aa93a45d4a05404b68
SSDEEP

6144:93Pv37J3F/D2yTKQkkBWDG/J4hiV5KNL6d5PC78xjXv5Tiq:937VZmQqAPD0sjf5Tiq

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2032	dm157FNfbKfF.exe
956	dm157FNfbKfF.exe
668	dm157FNfbKfF.exe

Deletes itself 1 IoCs

pid	Process
668	dm157FNfbKfF.exe

Loads dropped DLL 4 IoCs

pid	Process
1964	a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe
1964	a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe
1964	a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe
668	dm157FNfbKfF.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWryc6xqUQBQ2D = "C:\\ProgramData\\e8XOnUW9Fq23\\dm157FNfbKfF.exe"	a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1672 set thread context of 1676	1672	a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe	28
PID 1676 set thread context of 1964	1676	a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe	29
PID 2032 set thread context of 956	2032	dm157FNfbKfF.exe	31
PID 956 set thread context of 668	956	dm157FNfbKfF.exe	32
PID 668 set thread context of 1104	668	dm157FNfbKfF.exe	33
PID 1104 set thread context of 1764	1104	TabTip32.exe	34

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1676	1672	a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe	28
PID 1672 wrote to memory of 1676	1672	a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe	28
PID 1672 wrote to memory of 1676	1672	a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe	28
PID 1672 wrote to memory of 1676	1672	a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe	28
PID 1672 wrote to memory of 1676	1672	a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe	28
PID 1672 wrote to memory of 1676	1672	a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe	28
PID 1676 wrote to memory of 1964	1676	a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe	29
PID 1676 wrote to memory of 1964	1676	a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe	29
PID 1676 wrote to memory of 1964	1676	a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe	29
PID 1676 wrote to memory of 1964	1676	a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe	29
PID 1676 wrote to memory of 1964	1676	a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe	29
PID 1676 wrote to memory of 1964	1676	a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe	29
PID 1964 wrote to memory of 2032	1964	a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe	30
PID 1964 wrote to memory of 2032	1964	a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe	30
PID 1964 wrote to memory of 2032	1964	a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe	30
PID 1964 wrote to memory of 2032	1964	a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe	30
PID 2032 wrote to memory of 956	2032	dm157FNfbKfF.exe	31
PID 2032 wrote to memory of 956	2032	dm157FNfbKfF.exe	31
PID 2032 wrote to memory of 956	2032	dm157FNfbKfF.exe	31
PID 2032 wrote to memory of 956	2032	dm157FNfbKfF.exe	31
PID 2032 wrote to memory of 956	2032	dm157FNfbKfF.exe	31
PID 2032 wrote to memory of 956	2032	dm157FNfbKfF.exe	31
PID 956 wrote to memory of 668	956	dm157FNfbKfF.exe	32
PID 956 wrote to memory of 668	956	dm157FNfbKfF.exe	32
PID 956 wrote to memory of 668	956	dm157FNfbKfF.exe	32
PID 956 wrote to memory of 668	956	dm157FNfbKfF.exe	32
PID 956 wrote to memory of 668	956	dm157FNfbKfF.exe	32
PID 956 wrote to memory of 668	956	dm157FNfbKfF.exe	32
PID 668 wrote to memory of 1104	668	dm157FNfbKfF.exe	33
PID 668 wrote to memory of 1104	668	dm157FNfbKfF.exe	33
PID 668 wrote to memory of 1104	668	dm157FNfbKfF.exe	33
PID 668 wrote to memory of 1104	668	dm157FNfbKfF.exe	33
PID 668 wrote to memory of 1104	668	dm157FNfbKfF.exe	33
PID 668 wrote to memory of 1104	668	dm157FNfbKfF.exe	33
PID 1104 wrote to memory of 1764	1104	TabTip32.exe	34
PID 1104 wrote to memory of 1764	1104	TabTip32.exe	34
PID 1104 wrote to memory of 1764	1104	TabTip32.exe	34
PID 1104 wrote to memory of 1764	1104	TabTip32.exe	34
PID 1104 wrote to memory of 1764	1104	TabTip32.exe	34
PID 1104 wrote to memory of 1764	1104	TabTip32.exe	34

C:\Users\Admin\AppData\Local\Temp\a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe
"C:\Users\Admin\AppData\Local\Temp\a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe
  "C:\Users\Admin\AppData\Local\Temp\a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Users\Admin\AppData\Local\Temp\a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe
    "C:\Users\Admin\AppData\Local\Temp\a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0.exe"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\ProgramData\e8XOnUW9Fq23\dm157FNfbKfF.exe
      "C:\ProgramData\e8XOnUW9Fq23\dm157FNfbKfF.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2032
    - - C:\ProgramData\e8XOnUW9Fq23\dm157FNfbKfF.exe
        
        "C:\ProgramData\e8XOnUW9Fq23\dm157FNfbKfF.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:956
      - C:\ProgramData\e8XOnUW9Fq23\dm157FNfbKfF.exe
        
        "C:\ProgramData\e8XOnUW9Fq23\dm157FNfbKfF.exe"
        6⤵
        Executes dropped EXE
        Deletes itself
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe" /i:668
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe" /i:668
        8⤵
        
        PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\e8XOnUW9Fq23\dm157FNfbKfF.exe

Filesize
395KB

MD5
5d1ad0c1f34ee369c5a5a51db3711f88

SHA1
108e5d82adbebad7aac5e0024ca9bcf362d3ab2e

SHA256
683e1239cdf59d12ebbace6d7e03f526126a70c94bd708d57055827b4aa46304

SHA512
cf112406afdd2929684ea766226253c5a61ef7a73b90e26b9f34fe37b67aa18cc8c033129d91b0bbc1de78b7ab828694e7befea3152737b74551c5f9350084db

Download Submit
C:\ProgramData\e8XOnUW9Fq23\dm157FNfbKfF.exe

Filesize
395KB

MD5
5d1ad0c1f34ee369c5a5a51db3711f88

SHA1
108e5d82adbebad7aac5e0024ca9bcf362d3ab2e

SHA256
683e1239cdf59d12ebbace6d7e03f526126a70c94bd708d57055827b4aa46304

SHA512
cf112406afdd2929684ea766226253c5a61ef7a73b90e26b9f34fe37b67aa18cc8c033129d91b0bbc1de78b7ab828694e7befea3152737b74551c5f9350084db

Download Submit
C:\ProgramData\e8XOnUW9Fq23\dm157FNfbKfF.exe

Filesize
395KB

MD5
5d1ad0c1f34ee369c5a5a51db3711f88

SHA1
108e5d82adbebad7aac5e0024ca9bcf362d3ab2e

SHA256
683e1239cdf59d12ebbace6d7e03f526126a70c94bd708d57055827b4aa46304

SHA512
cf112406afdd2929684ea766226253c5a61ef7a73b90e26b9f34fe37b67aa18cc8c033129d91b0bbc1de78b7ab828694e7befea3152737b74551c5f9350084db

Download Submit
C:\ProgramData\e8XOnUW9Fq23\dm157FNfbKfF.exe

Filesize
395KB

MD5
5d1ad0c1f34ee369c5a5a51db3711f88

SHA1
108e5d82adbebad7aac5e0024ca9bcf362d3ab2e

SHA256
683e1239cdf59d12ebbace6d7e03f526126a70c94bd708d57055827b4aa46304

SHA512
cf112406afdd2929684ea766226253c5a61ef7a73b90e26b9f34fe37b67aa18cc8c033129d91b0bbc1de78b7ab828694e7befea3152737b74551c5f9350084db

Download Submit
\ProgramData\e8XOnUW9Fq23\dm157FNfbKfF.exe

Filesize
395KB

MD5
5d1ad0c1f34ee369c5a5a51db3711f88

SHA1
108e5d82adbebad7aac5e0024ca9bcf362d3ab2e

SHA256
683e1239cdf59d12ebbace6d7e03f526126a70c94bd708d57055827b4aa46304

SHA512
cf112406afdd2929684ea766226253c5a61ef7a73b90e26b9f34fe37b67aa18cc8c033129d91b0bbc1de78b7ab828694e7befea3152737b74551c5f9350084db

Download Submit
\ProgramData\e8XOnUW9Fq23\dm157FNfbKfF.exe

Filesize
395KB

MD5
5d1ad0c1f34ee369c5a5a51db3711f88

SHA1
108e5d82adbebad7aac5e0024ca9bcf362d3ab2e

SHA256
683e1239cdf59d12ebbace6d7e03f526126a70c94bd708d57055827b4aa46304

SHA512
cf112406afdd2929684ea766226253c5a61ef7a73b90e26b9f34fe37b67aa18cc8c033129d91b0bbc1de78b7ab828694e7befea3152737b74551c5f9350084db

Download Submit
\ProgramData\e8XOnUW9Fq23\dm157FNfbKfF.exe

Filesize
395KB

MD5
c7a123cf40d5b9d79dada4c8e4203f4a

SHA1
1e2a5b41f1f8dbe53c0106ec5014cdf4bfd03975

SHA256
a4c536071ccb6541f5a96553eaf21f972aec5a2870962f65ef62586c36bb17c0

SHA512
00005415246b5a87cdf1f81a8da73793fd3dcc119f879757ad94d44657928a0db10a4b2c9f8d65a7a592d554757e4e800d87d288d1a9c8aa93a45d4a05404b68

Download Submit
\Users\Admin\AppData\Local\Temp\ADTuPx0CjZlNjP1A.exe

Filesize
395KB

MD5
5d1ad0c1f34ee369c5a5a51db3711f88

SHA1
108e5d82adbebad7aac5e0024ca9bcf362d3ab2e

SHA256
683e1239cdf59d12ebbace6d7e03f526126a70c94bd708d57055827b4aa46304

SHA512
cf112406afdd2929684ea766226253c5a61ef7a73b90e26b9f34fe37b67aa18cc8c033129d91b0bbc1de78b7ab828694e7befea3152737b74551c5f9350084db

Download Submit
memory/668-106-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/668-92-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/668-91-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/956-88-0x0000000001000000-0x0000000001063000-memory.dmp

Filesize
396KB

Download
memory/1104-103-0x0000000001000000-0x0000000001063000-memory.dmp

Filesize
396KB

Download
memory/1676-56-0x0000000001000000-0x0000000001063000-memory.dmp

Filesize
396KB

Download
memory/1676-58-0x0000000001000000-0x0000000001063000-memory.dmp

Filesize
396KB

Download
memory/1676-59-0x0000000001000000-0x0000000001063000-memory.dmp

Filesize
396KB

Download
memory/1676-65-0x0000000001000000-0x0000000001063000-memory.dmp

Filesize
396KB

Download
memory/1676-54-0x0000000001000000-0x0000000001063000-memory.dmp

Filesize
396KB

Download
memory/1764-108-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1764-107-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1964-62-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1964-66-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1964-72-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1964-60-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1964-68-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1964-64-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download