f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c

General

Target

f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe
Size

411KB
MD5

33c23c97085e34639c49a23a6cfc8030
SHA1

795f68f75057304df322088f297780fa8093e7a2
SHA256

f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c
SHA512

9a54e90f161558866b8b1ff57d442d872e4de80ccc0ec85e5f04c029884f37e94e650878c731160da53db0b6d66f67bf8d6437f4a1816cdddab7d02bd0881cd5
SSDEEP

6144:9GK72eIRSCvvItQMwVWCtR8HYnOWGHokTCW:9pYRpHQQM+DOW0oE

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1176	5N6wZHdPL37nL.exe
1636	5N6wZHdPL37nL.exe

Deletes itself 1 IoCs

pid	Process
1636	5N6wZHdPL37nL.exe

Loads dropped DLL 4 IoCs

pid	Process
1744	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe
1744	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe
1744	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe
1636	5N6wZHdPL37nL.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\8ytetVmaSUTzu4T = "C:\\ProgramData\\9ogDDz0Xi\\5N6wZHdPL37nL.exe"	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1104 set thread context of 1744	1104	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe	27
PID 1176 set thread context of 1636	1176	5N6wZHdPL37nL.exe	29
PID 1636 set thread context of 556	1636	5N6wZHdPL37nL.exe	30

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 1744	1104	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe	27
PID 1104 wrote to memory of 1744	1104	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe	27
PID 1104 wrote to memory of 1744	1104	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe	27
PID 1104 wrote to memory of 1744	1104	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe	27
PID 1104 wrote to memory of 1744	1104	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe	27
PID 1104 wrote to memory of 1744	1104	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe	27
PID 1744 wrote to memory of 1176	1744	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe	28
PID 1744 wrote to memory of 1176	1744	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe	28
PID 1744 wrote to memory of 1176	1744	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe	28
PID 1744 wrote to memory of 1176	1744	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe	28
PID 1176 wrote to memory of 1636	1176	5N6wZHdPL37nL.exe	29
PID 1176 wrote to memory of 1636	1176	5N6wZHdPL37nL.exe	29
PID 1176 wrote to memory of 1636	1176	5N6wZHdPL37nL.exe	29
PID 1176 wrote to memory of 1636	1176	5N6wZHdPL37nL.exe	29
PID 1176 wrote to memory of 1636	1176	5N6wZHdPL37nL.exe	29
PID 1176 wrote to memory of 1636	1176	5N6wZHdPL37nL.exe	29
PID 1636 wrote to memory of 556	1636	5N6wZHdPL37nL.exe	30
PID 1636 wrote to memory of 556	1636	5N6wZHdPL37nL.exe	30
PID 1636 wrote to memory of 556	1636	5N6wZHdPL37nL.exe	30
PID 1636 wrote to memory of 556	1636	5N6wZHdPL37nL.exe	30
PID 1636 wrote to memory of 556	1636	5N6wZHdPL37nL.exe	30
PID 1636 wrote to memory of 556	1636	5N6wZHdPL37nL.exe	30

C:\Users\Admin\AppData\Local\Temp\f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe
"C:\Users\Admin\AppData\Local\Temp\f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Admin\AppData\Local\Temp\f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe
  "C:\Users\Admin\AppData\Local\Temp\f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\ProgramData\9ogDDz0Xi\5N6wZHdPL37nL.exe
    "C:\ProgramData\9ogDDz0Xi\5N6wZHdPL37nL.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\ProgramData\9ogDDz0Xi\5N6wZHdPL37nL.exe
      "C:\ProgramData\9ogDDz0Xi\5N6wZHdPL37nL.exe"
      4⤵
      Executes dropped EXE
      Deletes itself
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1636
    - - C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe" /i:1636
        5⤵
        
        PID:556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\9ogDDz0Xi\5N6wZHdPL37nL.exe

Filesize
411KB

MD5
135d146ea0c1f8a1992d3be1cccda800

SHA1
5f3b1554768b8e3866219b26fbb56181403f3991

SHA256
47d8412612a04ae5f8ad4e9cc5e23f3df05f68bf5152adb40c9d795eebb678d7

SHA512
ab3d521a57d1f462cbaa3161420cc5441afff4240a712b7b51a6705532fbd43ea51024f9f72b113091e9228fe4d8af695f6be933a5d1d15ec47ebf28beb0bdc3

Download Submit
C:\ProgramData\9ogDDz0Xi\5N6wZHdPL37nL.exe

Filesize
411KB

MD5
135d146ea0c1f8a1992d3be1cccda800

SHA1
5f3b1554768b8e3866219b26fbb56181403f3991

SHA256
47d8412612a04ae5f8ad4e9cc5e23f3df05f68bf5152adb40c9d795eebb678d7

SHA512
ab3d521a57d1f462cbaa3161420cc5441afff4240a712b7b51a6705532fbd43ea51024f9f72b113091e9228fe4d8af695f6be933a5d1d15ec47ebf28beb0bdc3

Download Submit
C:\ProgramData\9ogDDz0Xi\5N6wZHdPL37nL.exe

Filesize
411KB

MD5
135d146ea0c1f8a1992d3be1cccda800

SHA1
5f3b1554768b8e3866219b26fbb56181403f3991

SHA256
47d8412612a04ae5f8ad4e9cc5e23f3df05f68bf5152adb40c9d795eebb678d7

SHA512
ab3d521a57d1f462cbaa3161420cc5441afff4240a712b7b51a6705532fbd43ea51024f9f72b113091e9228fe4d8af695f6be933a5d1d15ec47ebf28beb0bdc3

Download Submit
\ProgramData\9ogDDz0Xi\5N6wZHdPL37nL.exe

Filesize
411KB

MD5
135d146ea0c1f8a1992d3be1cccda800

SHA1
5f3b1554768b8e3866219b26fbb56181403f3991

SHA256
47d8412612a04ae5f8ad4e9cc5e23f3df05f68bf5152adb40c9d795eebb678d7

SHA512
ab3d521a57d1f462cbaa3161420cc5441afff4240a712b7b51a6705532fbd43ea51024f9f72b113091e9228fe4d8af695f6be933a5d1d15ec47ebf28beb0bdc3

Download Submit
\ProgramData\9ogDDz0Xi\5N6wZHdPL37nL.exe

Filesize
411KB

MD5
135d146ea0c1f8a1992d3be1cccda800

SHA1
5f3b1554768b8e3866219b26fbb56181403f3991

SHA256
47d8412612a04ae5f8ad4e9cc5e23f3df05f68bf5152adb40c9d795eebb678d7

SHA512
ab3d521a57d1f462cbaa3161420cc5441afff4240a712b7b51a6705532fbd43ea51024f9f72b113091e9228fe4d8af695f6be933a5d1d15ec47ebf28beb0bdc3

Download Submit
\ProgramData\9ogDDz0Xi\5N6wZHdPL37nL.exe

Filesize
411KB

MD5
33c23c97085e34639c49a23a6cfc8030

SHA1
795f68f75057304df322088f297780fa8093e7a2

SHA256
f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c

SHA512
9a54e90f161558866b8b1ff57d442d872e4de80ccc0ec85e5f04c029884f37e94e650878c731160da53db0b6d66f67bf8d6437f4a1816cdddab7d02bd0881cd5

Download Submit
\Users\Admin\AppData\Local\Temp\HE6FL59R9.exe

Filesize
411KB

MD5
135d146ea0c1f8a1992d3be1cccda800

SHA1
5f3b1554768b8e3866219b26fbb56181403f3991

SHA256
47d8412612a04ae5f8ad4e9cc5e23f3df05f68bf5152adb40c9d795eebb678d7

SHA512
ab3d521a57d1f462cbaa3161420cc5441afff4240a712b7b51a6705532fbd43ea51024f9f72b113091e9228fe4d8af695f6be933a5d1d15ec47ebf28beb0bdc3

Download Submit
memory/556-85-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/556-84-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1636-83-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1636-76-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1744-59-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1744-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1744-65-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1744-58-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1744-61-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1744-54-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing