cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e

General

Target

cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe
Size

411KB
MD5

08676b95280cafe13195a945df006200
SHA1

5bfc816f813eeeb3f1416042b354f4ce7450ee9a
SHA256

cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e
SHA512

8b6e659b79518a06d0f26a2c91d2487790c5a193a7681324e8f0236d89dc857addab9b21c6b4ba89307390fb46da53340226d9d8c2a590c598a2471d7f2f1ca1
SSDEEP

6144:9GK72sKYVexS/b2biJi4SuQyIoDb15pzyLDKtg:9pAnS/b2GJi4qoLNyL2

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1352	pYf7L7GLG.exe
280	pYf7L7GLG.exe

Deletes itself 1 IoCs

pid	Process
280	pYf7L7GLG.exe

Loads dropped DLL 4 IoCs

pid	Process
1584	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe
1584	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe
1584	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe
280	pYf7L7GLG.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\2q3L1hpMu = "C:\\ProgramData\\p143da22\\pYf7L7GLG.exe"	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1544 set thread context of 1584	1544	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe	26
PID 1352 set thread context of 280	1352	pYf7L7GLG.exe	28
PID 280 set thread context of 700	280	pYf7L7GLG.exe	29

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 1584	1544	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe	26
PID 1544 wrote to memory of 1584	1544	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe	26
PID 1544 wrote to memory of 1584	1544	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe	26
PID 1544 wrote to memory of 1584	1544	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe	26
PID 1544 wrote to memory of 1584	1544	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe	26
PID 1544 wrote to memory of 1584	1544	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe	26
PID 1584 wrote to memory of 1352	1584	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe	27
PID 1584 wrote to memory of 1352	1584	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe	27
PID 1584 wrote to memory of 1352	1584	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe	27
PID 1584 wrote to memory of 1352	1584	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe	27
PID 1352 wrote to memory of 280	1352	pYf7L7GLG.exe	28
PID 1352 wrote to memory of 280	1352	pYf7L7GLG.exe	28
PID 1352 wrote to memory of 280	1352	pYf7L7GLG.exe	28
PID 1352 wrote to memory of 280	1352	pYf7L7GLG.exe	28
PID 1352 wrote to memory of 280	1352	pYf7L7GLG.exe	28
PID 1352 wrote to memory of 280	1352	pYf7L7GLG.exe	28
PID 280 wrote to memory of 700	280	pYf7L7GLG.exe	29
PID 280 wrote to memory of 700	280	pYf7L7GLG.exe	29
PID 280 wrote to memory of 700	280	pYf7L7GLG.exe	29
PID 280 wrote to memory of 700	280	pYf7L7GLG.exe	29
PID 280 wrote to memory of 700	280	pYf7L7GLG.exe	29
PID 280 wrote to memory of 700	280	pYf7L7GLG.exe	29

C:\Users\Admin\AppData\Local\Temp\cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe
"C:\Users\Admin\AppData\Local\Temp\cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe
  "C:\Users\Admin\AppData\Local\Temp\cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\ProgramData\p143da22\pYf7L7GLG.exe
    "C:\ProgramData\p143da22\pYf7L7GLG.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\ProgramData\p143da22\pYf7L7GLG.exe
      "C:\ProgramData\p143da22\pYf7L7GLG.exe"
      4⤵
      Executes dropped EXE
      Deletes itself
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:280
    - - C:\Program Files (x86)\Internet Explorer\ExtExport.exe
        
        "C:\Program Files (x86)\Internet Explorer\ExtExport.exe" /i:280
        5⤵
        
        PID:700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\p143da22\pYf7L7GLG.exe

Filesize
411KB

MD5
97e576e71564e385445cf5c7677a7e61

SHA1
f9c2ca54af5a5df469fcf1b6dafa307ec049120d

SHA256
7ed631d4c9463b2e2d264dad10a53c8978e8fea0096b97727cc27ed66acdd65c

SHA512
bf7de282d76a2a4646ac4cbf3ba899c73f1d1d96a42513830a2c437ab8977828b0204c28c4161c25a9c61686be16f04792fe679f3004f818447c3e1de55261cf

Download Submit
C:\ProgramData\p143da22\pYf7L7GLG.exe

Filesize
411KB

MD5
97e576e71564e385445cf5c7677a7e61

SHA1
f9c2ca54af5a5df469fcf1b6dafa307ec049120d

SHA256
7ed631d4c9463b2e2d264dad10a53c8978e8fea0096b97727cc27ed66acdd65c

SHA512
bf7de282d76a2a4646ac4cbf3ba899c73f1d1d96a42513830a2c437ab8977828b0204c28c4161c25a9c61686be16f04792fe679f3004f818447c3e1de55261cf

Download Submit
C:\ProgramData\p143da22\pYf7L7GLG.exe

Filesize
411KB

MD5
97e576e71564e385445cf5c7677a7e61

SHA1
f9c2ca54af5a5df469fcf1b6dafa307ec049120d

SHA256
7ed631d4c9463b2e2d264dad10a53c8978e8fea0096b97727cc27ed66acdd65c

SHA512
bf7de282d76a2a4646ac4cbf3ba899c73f1d1d96a42513830a2c437ab8977828b0204c28c4161c25a9c61686be16f04792fe679f3004f818447c3e1de55261cf

Download Submit
\ProgramData\p143da22\pYf7L7GLG.exe

Filesize
411KB

MD5
97e576e71564e385445cf5c7677a7e61

SHA1
f9c2ca54af5a5df469fcf1b6dafa307ec049120d

SHA256
7ed631d4c9463b2e2d264dad10a53c8978e8fea0096b97727cc27ed66acdd65c

SHA512
bf7de282d76a2a4646ac4cbf3ba899c73f1d1d96a42513830a2c437ab8977828b0204c28c4161c25a9c61686be16f04792fe679f3004f818447c3e1de55261cf

Download Submit
\ProgramData\p143da22\pYf7L7GLG.exe

Filesize
411KB

MD5
97e576e71564e385445cf5c7677a7e61

SHA1
f9c2ca54af5a5df469fcf1b6dafa307ec049120d

SHA256
7ed631d4c9463b2e2d264dad10a53c8978e8fea0096b97727cc27ed66acdd65c

SHA512
bf7de282d76a2a4646ac4cbf3ba899c73f1d1d96a42513830a2c437ab8977828b0204c28c4161c25a9c61686be16f04792fe679f3004f818447c3e1de55261cf

Download Submit
\ProgramData\p143da22\pYf7L7GLG.exe

Filesize
411KB

MD5
08676b95280cafe13195a945df006200

SHA1
5bfc816f813eeeb3f1416042b354f4ce7450ee9a

SHA256
cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e

SHA512
8b6e659b79518a06d0f26a2c91d2487790c5a193a7681324e8f0236d89dc857addab9b21c6b4ba89307390fb46da53340226d9d8c2a590c598a2471d7f2f1ca1

Download Submit
\Users\Admin\AppData\Local\Temp\QAlEXA3sKyqkj7KR.exe

Filesize
411KB

MD5
97e576e71564e385445cf5c7677a7e61

SHA1
f9c2ca54af5a5df469fcf1b6dafa307ec049120d

SHA256
7ed631d4c9463b2e2d264dad10a53c8978e8fea0096b97727cc27ed66acdd65c

SHA512
bf7de282d76a2a4646ac4cbf3ba899c73f1d1d96a42513830a2c437ab8977828b0204c28c4161c25a9c61686be16f04792fe679f3004f818447c3e1de55261cf

Download Submit
memory/280-82-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/280-74-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/700-83-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/700-84-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1584-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1584-65-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1584-58-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1584-54-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1584-59-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing