cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e

General

Target

cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe
Size

411KB
MD5

08676b95280cafe13195a945df006200
SHA1

5bfc816f813eeeb3f1416042b354f4ce7450ee9a
SHA256

cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e
SHA512

8b6e659b79518a06d0f26a2c91d2487790c5a193a7681324e8f0236d89dc857addab9b21c6b4ba89307390fb46da53340226d9d8c2a590c598a2471d7f2f1ca1
SSDEEP

6144:9GK72sKYVexS/b2biJi4SuQyIoDb15pzyLDKtg:9pAnS/b2GJi4qoLNyL2

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5040	yDUXLYIeEG.exe
5004	yDUXLYIeEG.exe

Loads dropped DLL 4 IoCs

pid	Process
4912	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe
4912	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe
5004	yDUXLYIeEG.exe
5004	yDUXLYIeEG.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\w0OSgGJMKh3QHk = "C:\\ProgramData\\cfZOP2mxv48MuT\\yDUXLYIeEG.exe"	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4364 set thread context of 4912	4364	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe	78
PID 5040 set thread context of 5004	5040	yDUXLYIeEG.exe	80
PID 5004 set thread context of 1392	5004	yDUXLYIeEG.exe	86

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 4912	4364	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe	78
PID 4364 wrote to memory of 4912	4364	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe	78
PID 4364 wrote to memory of 4912	4364	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe	78
PID 4364 wrote to memory of 4912	4364	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe	78
PID 4364 wrote to memory of 4912	4364	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe	78
PID 4912 wrote to memory of 5040	4912	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe	79
PID 4912 wrote to memory of 5040	4912	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe	79
PID 4912 wrote to memory of 5040	4912	cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe	79
PID 5040 wrote to memory of 5004	5040	yDUXLYIeEG.exe	80
PID 5040 wrote to memory of 5004	5040	yDUXLYIeEG.exe	80
PID 5040 wrote to memory of 5004	5040	yDUXLYIeEG.exe	80
PID 5040 wrote to memory of 5004	5040	yDUXLYIeEG.exe	80
PID 5040 wrote to memory of 5004	5040	yDUXLYIeEG.exe	80
PID 5004 wrote to memory of 3696	5004	yDUXLYIeEG.exe	83
PID 5004 wrote to memory of 3696	5004	yDUXLYIeEG.exe	83
PID 5004 wrote to memory of 3696	5004	yDUXLYIeEG.exe	83
PID 5004 wrote to memory of 1392	5004	yDUXLYIeEG.exe	86
PID 5004 wrote to memory of 1392	5004	yDUXLYIeEG.exe	86
PID 5004 wrote to memory of 1392	5004	yDUXLYIeEG.exe	86
PID 5004 wrote to memory of 1392	5004	yDUXLYIeEG.exe	86
PID 5004 wrote to memory of 1392	5004	yDUXLYIeEG.exe	86

C:\Users\Admin\AppData\Local\Temp\cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe
"C:\Users\Admin\AppData\Local\Temp\cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Users\Admin\AppData\Local\Temp\cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe
  "C:\Users\Admin\AppData\Local\Temp\cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\ProgramData\cfZOP2mxv48MuT\yDUXLYIeEG.exe
    "C:\ProgramData\cfZOP2mxv48MuT\yDUXLYIeEG.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:5040
  - - C:\ProgramData\cfZOP2mxv48MuT\yDUXLYIeEG.exe
      "C:\ProgramData\cfZOP2mxv48MuT\yDUXLYIeEG.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:5004
    - - C:\Program Files (x86)\Windows Media Player\wmpshare.exe
        
        "C:\Program Files (x86)\Windows Media Player\wmpshare.exe" /i:5004
        5⤵
        
        PID:3696
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.165.21\MicrosoftEdgeUpdateSetup.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.165.21\MicrosoftEdgeUpdateSetup.exe" /i:5004
        5⤵
        
        PID:1392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cfZOP2mxv48MuT\yDUXLYIeEG.exe

Filesize
411KB

MD5
08676b95280cafe13195a945df006200

SHA1
5bfc816f813eeeb3f1416042b354f4ce7450ee9a

SHA256
cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e

SHA512
8b6e659b79518a06d0f26a2c91d2487790c5a193a7681324e8f0236d89dc857addab9b21c6b4ba89307390fb46da53340226d9d8c2a590c598a2471d7f2f1ca1

Download Submit
C:\ProgramData\cfZOP2mxv48MuT\yDUXLYIeEG.exe

Filesize
411KB

MD5
08676b95280cafe13195a945df006200

SHA1
5bfc816f813eeeb3f1416042b354f4ce7450ee9a

SHA256
cc94cfdd942b4641a7b4da06bd0132458f10405faa38254a8632e443f9cd665e

SHA512
8b6e659b79518a06d0f26a2c91d2487790c5a193a7681324e8f0236d89dc857addab9b21c6b4ba89307390fb46da53340226d9d8c2a590c598a2471d7f2f1ca1

Download Submit
C:\ProgramData\cfZOP2mxv48MuT\yDUXLYIeEG.exe

Filesize
411KB

MD5
b62631777ae5a54a748d1146a5ca9562

SHA1
3aee81223390045061780efdee15170b7263406d

SHA256
56b636bf2478dc4f9a57c0e455748d5c5cd30d5ddfaf5f7de3ad48ec6a5cd9b6

SHA512
0daa41576d8dbb328d5bf43405bb408f10e4c9955a23de1274903e1fe7f93e9e989d39e2922c72566ab05b8c7adbbeace4f2ae3dbf9ce69d534761e3b9b61899

Download Submit
C:\ProgramData\cfZOP2mxv48MuT\yDUXLYIeEG.exe

Filesize
411KB

MD5
b62631777ae5a54a748d1146a5ca9562

SHA1
3aee81223390045061780efdee15170b7263406d

SHA256
56b636bf2478dc4f9a57c0e455748d5c5cd30d5ddfaf5f7de3ad48ec6a5cd9b6

SHA512
0daa41576d8dbb328d5bf43405bb408f10e4c9955a23de1274903e1fe7f93e9e989d39e2922c72566ab05b8c7adbbeace4f2ae3dbf9ce69d534761e3b9b61899

Download Submit
C:\ProgramData\cfZOP2mxv48MuT\yDUXLYIeEG.exe

Filesize
411KB

MD5
b62631777ae5a54a748d1146a5ca9562

SHA1
3aee81223390045061780efdee15170b7263406d

SHA256
56b636bf2478dc4f9a57c0e455748d5c5cd30d5ddfaf5f7de3ad48ec6a5cd9b6

SHA512
0daa41576d8dbb328d5bf43405bb408f10e4c9955a23de1274903e1fe7f93e9e989d39e2922c72566ab05b8c7adbbeace4f2ae3dbf9ce69d534761e3b9b61899

Download Submit
C:\Users\Admin\AppData\Local\Temp\7jTVBYeWec.exe

Filesize
411KB

MD5
b62631777ae5a54a748d1146a5ca9562

SHA1
3aee81223390045061780efdee15170b7263406d

SHA256
56b636bf2478dc4f9a57c0e455748d5c5cd30d5ddfaf5f7de3ad48ec6a5cd9b6

SHA512
0daa41576d8dbb328d5bf43405bb408f10e4c9955a23de1274903e1fe7f93e9e989d39e2922c72566ab05b8c7adbbeace4f2ae3dbf9ce69d534761e3b9b61899

Download Submit
C:\Users\Admin\AppData\Local\Temp\7jTVBYeWec.exe

Filesize
411KB

MD5
b62631777ae5a54a748d1146a5ca9562

SHA1
3aee81223390045061780efdee15170b7263406d

SHA256
56b636bf2478dc4f9a57c0e455748d5c5cd30d5ddfaf5f7de3ad48ec6a5cd9b6

SHA512
0daa41576d8dbb328d5bf43405bb408f10e4c9955a23de1274903e1fe7f93e9e989d39e2922c72566ab05b8c7adbbeace4f2ae3dbf9ce69d534761e3b9b61899

Download Submit
memory/1392-159-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1392-158-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4912-133-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4912-142-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4912-136-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4912-134-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4912-135-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5004-150-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5004-151-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5004-157-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing