de4e90bac01ef55f6ea890c75bb6cfdb5a03320e3937993dc5fd4f236cf834eb

General

Target

de4e90bac01ef55f6ea890c75bb6cfdb5a03320e3937993dc5fd4f236cf834eb.exe
Size

411KB
MD5

daa1ca3db84279c6104551ded4035c48
SHA1

fdeea70a779146e9a648a87528e5e3d344ebc0db
SHA256

de4e90bac01ef55f6ea890c75bb6cfdb5a03320e3937993dc5fd4f236cf834eb
SHA512

67801d0e933adebf0ecf49ddf75e02123477a68954fa0873ea0da57cc99721fe3f89b818e8b6d6a3fc9e92c96be5f96ebdadd0777c8d5469e746ddcf336dee01
SSDEEP

6144:9GK723lL97i0rkf+ElKaCa+Ni2rqES8VITfR:9pOL9DLAKXaJjTJ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1104	kjsGIqqp.exe
4620	kjsGIqqp.exe

Loads dropped DLL 4 IoCs

pid	Process
2016	de4e90bac01ef55f6ea890c75bb6cfdb5a03320e3937993dc5fd4f236cf834eb.exe
2016	de4e90bac01ef55f6ea890c75bb6cfdb5a03320e3937993dc5fd4f236cf834eb.exe
4620	kjsGIqqp.exe
4620	kjsGIqqp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	de4e90bac01ef55f6ea890c75bb6cfdb5a03320e3937993dc5fd4f236cf834eb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avQPb4GdTS = "C:\\ProgramData\\IWsdug5s89c4iX\\kjsGIqqp.exe"	de4e90bac01ef55f6ea890c75bb6cfdb5a03320e3937993dc5fd4f236cf834eb.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4212 set thread context of 2016	4212	de4e90bac01ef55f6ea890c75bb6cfdb5a03320e3937993dc5fd4f236cf834eb.exe	80
PID 1104 set thread context of 4620	1104	kjsGIqqp.exe	82
PID 4620 set thread context of 440	4620	kjsGIqqp.exe	83

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4212 wrote to memory of 2016	4212	de4e90bac01ef55f6ea890c75bb6cfdb5a03320e3937993dc5fd4f236cf834eb.exe	80
PID 4212 wrote to memory of 2016	4212	de4e90bac01ef55f6ea890c75bb6cfdb5a03320e3937993dc5fd4f236cf834eb.exe	80
PID 4212 wrote to memory of 2016	4212	de4e90bac01ef55f6ea890c75bb6cfdb5a03320e3937993dc5fd4f236cf834eb.exe	80
PID 4212 wrote to memory of 2016	4212	de4e90bac01ef55f6ea890c75bb6cfdb5a03320e3937993dc5fd4f236cf834eb.exe	80
PID 4212 wrote to memory of 2016	4212	de4e90bac01ef55f6ea890c75bb6cfdb5a03320e3937993dc5fd4f236cf834eb.exe	80
PID 2016 wrote to memory of 1104	2016	de4e90bac01ef55f6ea890c75bb6cfdb5a03320e3937993dc5fd4f236cf834eb.exe	81
PID 2016 wrote to memory of 1104	2016	de4e90bac01ef55f6ea890c75bb6cfdb5a03320e3937993dc5fd4f236cf834eb.exe	81
PID 2016 wrote to memory of 1104	2016	de4e90bac01ef55f6ea890c75bb6cfdb5a03320e3937993dc5fd4f236cf834eb.exe	81
PID 1104 wrote to memory of 4620	1104	kjsGIqqp.exe	82
PID 1104 wrote to memory of 4620	1104	kjsGIqqp.exe	82
PID 1104 wrote to memory of 4620	1104	kjsGIqqp.exe	82
PID 1104 wrote to memory of 4620	1104	kjsGIqqp.exe	82
PID 1104 wrote to memory of 4620	1104	kjsGIqqp.exe	82
PID 4620 wrote to memory of 440	4620	kjsGIqqp.exe	83
PID 4620 wrote to memory of 440	4620	kjsGIqqp.exe	83
PID 4620 wrote to memory of 440	4620	kjsGIqqp.exe	83
PID 4620 wrote to memory of 440	4620	kjsGIqqp.exe	83
PID 4620 wrote to memory of 440	4620	kjsGIqqp.exe	83

C:\Users\Admin\AppData\Local\Temp\de4e90bac01ef55f6ea890c75bb6cfdb5a03320e3937993dc5fd4f236cf834eb.exe
"C:\Users\Admin\AppData\Local\Temp\de4e90bac01ef55f6ea890c75bb6cfdb5a03320e3937993dc5fd4f236cf834eb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Users\Admin\AppData\Local\Temp\de4e90bac01ef55f6ea890c75bb6cfdb5a03320e3937993dc5fd4f236cf834eb.exe
  "C:\Users\Admin\AppData\Local\Temp\de4e90bac01ef55f6ea890c75bb6cfdb5a03320e3937993dc5fd4f236cf834eb.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\ProgramData\IWsdug5s89c4iX\kjsGIqqp.exe
    "C:\ProgramData\IWsdug5s89c4iX\kjsGIqqp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\ProgramData\IWsdug5s89c4iX\kjsGIqqp.exe
      "C:\ProgramData\IWsdug5s89c4iX\kjsGIqqp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4620
    - - C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe" /i:4620
        5⤵
        
        PID:440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IWsdug5s89c4iX\kjsGIqqp.exe

Filesize
411KB

MD5
daa1ca3db84279c6104551ded4035c48

SHA1
fdeea70a779146e9a648a87528e5e3d344ebc0db

SHA256
de4e90bac01ef55f6ea890c75bb6cfdb5a03320e3937993dc5fd4f236cf834eb

SHA512
67801d0e933adebf0ecf49ddf75e02123477a68954fa0873ea0da57cc99721fe3f89b818e8b6d6a3fc9e92c96be5f96ebdadd0777c8d5469e746ddcf336dee01

Download Submit
C:\ProgramData\IWsdug5s89c4iX\kjsGIqqp.exe

Filesize
411KB

MD5
daa1ca3db84279c6104551ded4035c48

SHA1
fdeea70a779146e9a648a87528e5e3d344ebc0db

SHA256
de4e90bac01ef55f6ea890c75bb6cfdb5a03320e3937993dc5fd4f236cf834eb

SHA512
67801d0e933adebf0ecf49ddf75e02123477a68954fa0873ea0da57cc99721fe3f89b818e8b6d6a3fc9e92c96be5f96ebdadd0777c8d5469e746ddcf336dee01

Download Submit
C:\ProgramData\IWsdug5s89c4iX\kjsGIqqp.exe

Filesize
411KB

MD5
d79a60655547147883a54b4fa235e208

SHA1
67004fc967670f5dbd99297c0fb270d7fb89fbbc

SHA256
783f09963533abbbe0b006cde74b7ed2445e263ede9485d4056f8cb1b848119f

SHA512
0a0ab485f8addbc7453aa696a29a9d0b2a85aabfb650460b5a5f9f8afb21d0694ba2ff884d4645a4510f72ac1559114337102c5511e8642cfcd20f3ba35950c8

Download Submit
C:\ProgramData\IWsdug5s89c4iX\kjsGIqqp.exe

Filesize
411KB

MD5
d79a60655547147883a54b4fa235e208

SHA1
67004fc967670f5dbd99297c0fb270d7fb89fbbc

SHA256
783f09963533abbbe0b006cde74b7ed2445e263ede9485d4056f8cb1b848119f

SHA512
0a0ab485f8addbc7453aa696a29a9d0b2a85aabfb650460b5a5f9f8afb21d0694ba2ff884d4645a4510f72ac1559114337102c5511e8642cfcd20f3ba35950c8

Download Submit
C:\ProgramData\IWsdug5s89c4iX\kjsGIqqp.exe

Filesize
411KB

MD5
d79a60655547147883a54b4fa235e208

SHA1
67004fc967670f5dbd99297c0fb270d7fb89fbbc

SHA256
783f09963533abbbe0b006cde74b7ed2445e263ede9485d4056f8cb1b848119f

SHA512
0a0ab485f8addbc7453aa696a29a9d0b2a85aabfb650460b5a5f9f8afb21d0694ba2ff884d4645a4510f72ac1559114337102c5511e8642cfcd20f3ba35950c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrTr7SHcv6L.exe

Filesize
411KB

MD5
d79a60655547147883a54b4fa235e208

SHA1
67004fc967670f5dbd99297c0fb270d7fb89fbbc

SHA256
783f09963533abbbe0b006cde74b7ed2445e263ede9485d4056f8cb1b848119f

SHA512
0a0ab485f8addbc7453aa696a29a9d0b2a85aabfb650460b5a5f9f8afb21d0694ba2ff884d4645a4510f72ac1559114337102c5511e8642cfcd20f3ba35950c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrTr7SHcv6L.exe

Filesize
411KB

MD5
d79a60655547147883a54b4fa235e208

SHA1
67004fc967670f5dbd99297c0fb270d7fb89fbbc

SHA256
783f09963533abbbe0b006cde74b7ed2445e263ede9485d4056f8cb1b848119f

SHA512
0a0ab485f8addbc7453aa696a29a9d0b2a85aabfb650460b5a5f9f8afb21d0694ba2ff884d4645a4510f72ac1559114337102c5511e8642cfcd20f3ba35950c8

Download Submit
memory/440-156-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2016-134-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2016-133-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2016-142-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2016-136-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2016-135-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4620-150-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4620-155-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing