dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1

General

Target

dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe
Size

356KB
MD5

e56baec68e027edbac26fb416cb689b9
SHA1

b0ed3181ee576a09bb88a7a09488c9e6a6df23b3
SHA256

dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1
SHA512

0b82655b88514588cfd3a954bf8f56507b8424542046393ce8dfbea43543c69fc32f51ed9fd8d4444e8874f1a2b84e561a96c9f7354d5505cac267b27ec87e94
SSDEEP

6144:7vbx8/1oSuPsd2sugyixrv9IrLF31/Q5TSujRFJmu:7XUd5u1IIrydFJm

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1092	kVyQFJwHG3f.exe
1980	kVyQFJwHG3f.exe

Deletes itself 1 IoCs

pid	Process
1980	kVyQFJwHG3f.exe

Loads dropped DLL 4 IoCs

pid	Process
1028	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe
1028	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe
1028	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe
1980	kVyQFJwHG3f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\4eZF69tB4 = "C:\\ProgramData\\10SIYM4L\\kVyQFJwHG3f.exe"	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1060 set thread context of 1028	1060	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe	27
PID 1092 set thread context of 1980	1092	kVyQFJwHG3f.exe	29
PID 1980 set thread context of 1984	1980	kVyQFJwHG3f.exe	31

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 1028	1060	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe	27
PID 1060 wrote to memory of 1028	1060	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe	27
PID 1060 wrote to memory of 1028	1060	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe	27
PID 1060 wrote to memory of 1028	1060	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe	27
PID 1060 wrote to memory of 1028	1060	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe	27
PID 1060 wrote to memory of 1028	1060	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe	27
PID 1028 wrote to memory of 1092	1028	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe	28
PID 1028 wrote to memory of 1092	1028	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe	28
PID 1028 wrote to memory of 1092	1028	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe	28
PID 1028 wrote to memory of 1092	1028	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe	28
PID 1092 wrote to memory of 1980	1092	kVyQFJwHG3f.exe	29
PID 1092 wrote to memory of 1980	1092	kVyQFJwHG3f.exe	29
PID 1092 wrote to memory of 1980	1092	kVyQFJwHG3f.exe	29
PID 1092 wrote to memory of 1980	1092	kVyQFJwHG3f.exe	29
PID 1092 wrote to memory of 1980	1092	kVyQFJwHG3f.exe	29
PID 1092 wrote to memory of 1980	1092	kVyQFJwHG3f.exe	29
PID 1980 wrote to memory of 1988	1980	kVyQFJwHG3f.exe	30
PID 1980 wrote to memory of 1988	1980	kVyQFJwHG3f.exe	30
PID 1980 wrote to memory of 1988	1980	kVyQFJwHG3f.exe	30
PID 1980 wrote to memory of 1988	1980	kVyQFJwHG3f.exe	30
PID 1980 wrote to memory of 1984	1980	kVyQFJwHG3f.exe	31
PID 1980 wrote to memory of 1984	1980	kVyQFJwHG3f.exe	31
PID 1980 wrote to memory of 1984	1980	kVyQFJwHG3f.exe	31
PID 1980 wrote to memory of 1984	1980	kVyQFJwHG3f.exe	31
PID 1980 wrote to memory of 1984	1980	kVyQFJwHG3f.exe	31
PID 1980 wrote to memory of 1984	1980	kVyQFJwHG3f.exe	31

C:\Users\Admin\AppData\Local\Temp\dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe
"C:\Users\Admin\AppData\Local\Temp\dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Users\Admin\AppData\Local\Temp\dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe
  "C:\Users\Admin\AppData\Local\Temp\dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\ProgramData\10SIYM4L\kVyQFJwHG3f.exe
    "C:\ProgramData\10SIYM4L\kVyQFJwHG3f.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\ProgramData\10SIYM4L\kVyQFJwHG3f.exe
      "C:\ProgramData\10SIYM4L\kVyQFJwHG3f.exe"
      4⤵
      Executes dropped EXE
      Deletes itself
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe" /i:1980
        5⤵
        
        PID:1988
    - - C:\Program Files (x86)\Windows Mail\wabmig.exe
        
        "C:\Program Files (x86)\Windows Mail\wabmig.exe" /i:1980
        5⤵
        
        PID:1984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\10SIYM4L\kVyQFJwHG3f.exe

Filesize
356KB

MD5
8f30b96a9ff5619a67f2725291d528f8

SHA1
dc60a0877b44b0fac3524fab0b96d3bc4870be2d

SHA256
52f7dbefef9da7c677507539b89578828d966ff599af3ae9d5cbbf89bcc2212f

SHA512
ed5ce53abdf20c717df79a57ad9792c25b259576ebbc98b92c7ce40998f893bad9a8adfd1df78b74676476d3482277b198e67e44288491b8ffce312a3fdcaf4c

Download Submit
C:\ProgramData\10SIYM4L\kVyQFJwHG3f.exe

Filesize
356KB

MD5
8f30b96a9ff5619a67f2725291d528f8

SHA1
dc60a0877b44b0fac3524fab0b96d3bc4870be2d

SHA256
52f7dbefef9da7c677507539b89578828d966ff599af3ae9d5cbbf89bcc2212f

SHA512
ed5ce53abdf20c717df79a57ad9792c25b259576ebbc98b92c7ce40998f893bad9a8adfd1df78b74676476d3482277b198e67e44288491b8ffce312a3fdcaf4c

Download Submit
C:\ProgramData\10SIYM4L\kVyQFJwHG3f.exe

Filesize
356KB

MD5
8f30b96a9ff5619a67f2725291d528f8

SHA1
dc60a0877b44b0fac3524fab0b96d3bc4870be2d

SHA256
52f7dbefef9da7c677507539b89578828d966ff599af3ae9d5cbbf89bcc2212f

SHA512
ed5ce53abdf20c717df79a57ad9792c25b259576ebbc98b92c7ce40998f893bad9a8adfd1df78b74676476d3482277b198e67e44288491b8ffce312a3fdcaf4c

Download Submit
\ProgramData\10SIYM4L\kVyQFJwHG3f.exe

Filesize
356KB

MD5
8f30b96a9ff5619a67f2725291d528f8

SHA1
dc60a0877b44b0fac3524fab0b96d3bc4870be2d

SHA256
52f7dbefef9da7c677507539b89578828d966ff599af3ae9d5cbbf89bcc2212f

SHA512
ed5ce53abdf20c717df79a57ad9792c25b259576ebbc98b92c7ce40998f893bad9a8adfd1df78b74676476d3482277b198e67e44288491b8ffce312a3fdcaf4c

Download Submit
\ProgramData\10SIYM4L\kVyQFJwHG3f.exe

Filesize
356KB

MD5
8f30b96a9ff5619a67f2725291d528f8

SHA1
dc60a0877b44b0fac3524fab0b96d3bc4870be2d

SHA256
52f7dbefef9da7c677507539b89578828d966ff599af3ae9d5cbbf89bcc2212f

SHA512
ed5ce53abdf20c717df79a57ad9792c25b259576ebbc98b92c7ce40998f893bad9a8adfd1df78b74676476d3482277b198e67e44288491b8ffce312a3fdcaf4c

Download Submit
\ProgramData\10SIYM4L\kVyQFJwHG3f.exe

Filesize
356KB

MD5
e56baec68e027edbac26fb416cb689b9

SHA1
b0ed3181ee576a09bb88a7a09488c9e6a6df23b3

SHA256
dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1

SHA512
0b82655b88514588cfd3a954bf8f56507b8424542046393ce8dfbea43543c69fc32f51ed9fd8d4444e8874f1a2b84e561a96c9f7354d5505cac267b27ec87e94

Download Submit
\Users\Admin\AppData\Local\Temp\60b7AkLCrvg.exe

Filesize
356KB

MD5
8f30b96a9ff5619a67f2725291d528f8

SHA1
dc60a0877b44b0fac3524fab0b96d3bc4870be2d

SHA256
52f7dbefef9da7c677507539b89578828d966ff599af3ae9d5cbbf89bcc2212f

SHA512
ed5ce53abdf20c717df79a57ad9792c25b259576ebbc98b92c7ce40998f893bad9a8adfd1df78b74676476d3482277b198e67e44288491b8ffce312a3fdcaf4c

Download Submit
memory/1028-54-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1028-59-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1028-66-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1028-61-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1028-58-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1028-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1980-76-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1980-83-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1984-84-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1984-85-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing