dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1

General

Target

dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe
Size

356KB
MD5

e56baec68e027edbac26fb416cb689b9
SHA1

b0ed3181ee576a09bb88a7a09488c9e6a6df23b3
SHA256

dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1
SHA512

0b82655b88514588cfd3a954bf8f56507b8424542046393ce8dfbea43543c69fc32f51ed9fd8d4444e8874f1a2b84e561a96c9f7354d5505cac267b27ec87e94
SSDEEP

6144:7vbx8/1oSuPsd2sugyixrv9IrLF31/Q5TSujRFJmu:7XUd5u1IIrydFJm

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2888	BsTxji2R3unGb.exe
3424	BsTxji2R3unGb.exe

Loads dropped DLL 4 IoCs

pid	Process
5084	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe
5084	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe
3424	BsTxji2R3unGb.exe
3424	BsTxji2R3unGb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ifndVu4PezYChGT = "C:\\ProgramData\\QsqctJJXUMS\\BsTxji2R3unGb.exe"	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1760 set thread context of 5084	1760	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe	79
PID 2888 set thread context of 3424	2888	BsTxji2R3unGb.exe	81
PID 3424 set thread context of 4124	3424	BsTxji2R3unGb.exe	83

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 5084	1760	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe	79
PID 1760 wrote to memory of 5084	1760	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe	79
PID 1760 wrote to memory of 5084	1760	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe	79
PID 1760 wrote to memory of 5084	1760	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe	79
PID 1760 wrote to memory of 5084	1760	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe	79
PID 5084 wrote to memory of 2888	5084	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe	80
PID 5084 wrote to memory of 2888	5084	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe	80
PID 5084 wrote to memory of 2888	5084	dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe	80
PID 2888 wrote to memory of 3424	2888	BsTxji2R3unGb.exe	81
PID 2888 wrote to memory of 3424	2888	BsTxji2R3unGb.exe	81
PID 2888 wrote to memory of 3424	2888	BsTxji2R3unGb.exe	81
PID 2888 wrote to memory of 3424	2888	BsTxji2R3unGb.exe	81
PID 2888 wrote to memory of 3424	2888	BsTxji2R3unGb.exe	81
PID 3424 wrote to memory of 4124	3424	BsTxji2R3unGb.exe	83
PID 3424 wrote to memory of 4124	3424	BsTxji2R3unGb.exe	83
PID 3424 wrote to memory of 4124	3424	BsTxji2R3unGb.exe	83
PID 3424 wrote to memory of 4124	3424	BsTxji2R3unGb.exe	83
PID 3424 wrote to memory of 4124	3424	BsTxji2R3unGb.exe	83

C:\Users\Admin\AppData\Local\Temp\dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe
"C:\Users\Admin\AppData\Local\Temp\dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe
  "C:\Users\Admin\AppData\Local\Temp\dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\ProgramData\QsqctJJXUMS\BsTxji2R3unGb.exe
    "C:\ProgramData\QsqctJJXUMS\BsTxji2R3unGb.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\ProgramData\QsqctJJXUMS\BsTxji2R3unGb.exe
      "C:\ProgramData\QsqctJJXUMS\BsTxji2R3unGb.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3424
    - - C:\Program Files (x86)\Windows Media Player\wmlaunch.exe
        
        "C:\Program Files (x86)\Windows Media Player\wmlaunch.exe" /i:3424
        5⤵
        
        PID:4124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\QsqctJJXUMS\BsTxji2R3unGb.exe

Filesize
356KB

MD5
e56baec68e027edbac26fb416cb689b9

SHA1
b0ed3181ee576a09bb88a7a09488c9e6a6df23b3

SHA256
dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1

SHA512
0b82655b88514588cfd3a954bf8f56507b8424542046393ce8dfbea43543c69fc32f51ed9fd8d4444e8874f1a2b84e561a96c9f7354d5505cac267b27ec87e94

Download Submit
C:\ProgramData\QsqctJJXUMS\BsTxji2R3unGb.exe

Filesize
356KB

MD5
e56baec68e027edbac26fb416cb689b9

SHA1
b0ed3181ee576a09bb88a7a09488c9e6a6df23b3

SHA256
dd67102ca4e290bb8d2410ba21d06d4809df1eca339f131ad7bcfbab688d2db1

SHA512
0b82655b88514588cfd3a954bf8f56507b8424542046393ce8dfbea43543c69fc32f51ed9fd8d4444e8874f1a2b84e561a96c9f7354d5505cac267b27ec87e94

Download Submit
C:\ProgramData\QsqctJJXUMS\BsTxji2R3unGb.exe

Filesize
356KB

MD5
d7b0bd495b5d1f000f7b30aa56770da7

SHA1
eb2096f837e683065c48604e2aa4af194fe6ad30

SHA256
2faab731461021292059a083de72f749502361a3d630790604522a69274e1380

SHA512
349165ed126406e014256e5f0559652bbfed3839d6820e8b4cb2b3762ef28ec0c869281cec834e2f0f688fe74a73e4d2e87a785734df0faaaeb7ac8b800897cc

Download Submit
C:\ProgramData\QsqctJJXUMS\BsTxji2R3unGb.exe

Filesize
356KB

MD5
d7b0bd495b5d1f000f7b30aa56770da7

SHA1
eb2096f837e683065c48604e2aa4af194fe6ad30

SHA256
2faab731461021292059a083de72f749502361a3d630790604522a69274e1380

SHA512
349165ed126406e014256e5f0559652bbfed3839d6820e8b4cb2b3762ef28ec0c869281cec834e2f0f688fe74a73e4d2e87a785734df0faaaeb7ac8b800897cc

Download Submit
C:\ProgramData\QsqctJJXUMS\BsTxji2R3unGb.exe

Filesize
356KB

MD5
d7b0bd495b5d1f000f7b30aa56770da7

SHA1
eb2096f837e683065c48604e2aa4af194fe6ad30

SHA256
2faab731461021292059a083de72f749502361a3d630790604522a69274e1380

SHA512
349165ed126406e014256e5f0559652bbfed3839d6820e8b4cb2b3762ef28ec0c869281cec834e2f0f688fe74a73e4d2e87a785734df0faaaeb7ac8b800897cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\uR5YDptvce.exe

Filesize
356KB

MD5
d7b0bd495b5d1f000f7b30aa56770da7

SHA1
eb2096f837e683065c48604e2aa4af194fe6ad30

SHA256
2faab731461021292059a083de72f749502361a3d630790604522a69274e1380

SHA512
349165ed126406e014256e5f0559652bbfed3839d6820e8b4cb2b3762ef28ec0c869281cec834e2f0f688fe74a73e4d2e87a785734df0faaaeb7ac8b800897cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\uR5YDptvce.exe

Filesize
356KB

MD5
d7b0bd495b5d1f000f7b30aa56770da7

SHA1
eb2096f837e683065c48604e2aa4af194fe6ad30

SHA256
2faab731461021292059a083de72f749502361a3d630790604522a69274e1380

SHA512
349165ed126406e014256e5f0559652bbfed3839d6820e8b4cb2b3762ef28ec0c869281cec834e2f0f688fe74a73e4d2e87a785734df0faaaeb7ac8b800897cc

Download Submit
memory/3424-150-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3424-155-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4124-156-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4124-157-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5084-135-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5084-141-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5084-133-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5084-138-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5084-134-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing