f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c

General

Target

f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe
Size

411KB
MD5

33c23c97085e34639c49a23a6cfc8030
SHA1

795f68f75057304df322088f297780fa8093e7a2
SHA256

f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c
SHA512

9a54e90f161558866b8b1ff57d442d872e4de80ccc0ec85e5f04c029884f37e94e650878c731160da53db0b6d66f67bf8d6437f4a1816cdddab7d02bd0881cd5
SSDEEP

6144:9GK72eIRSCvvItQMwVWCtR8HYnOWGHokTCW:9pYRpHQQM+DOW0oE

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3192	aUPsvC0vieYvy.exe
4868	aUPsvC0vieYvy.exe

Loads dropped DLL 4 IoCs

pid	Process
4812	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe
4812	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe
4868	aUPsvC0vieYvy.exe
4868	aUPsvC0vieYvy.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zE57m4bkLyU = "C:\\ProgramData\\JQYqtWsNwO\\aUPsvC0vieYvy.exe"	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3092 set thread context of 4812	3092	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe	81
PID 3192 set thread context of 4868	3192	aUPsvC0vieYvy.exe	83
PID 4868 set thread context of 4936	4868	aUPsvC0vieYvy.exe	87

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 4812	3092	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe	81
PID 3092 wrote to memory of 4812	3092	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe	81
PID 3092 wrote to memory of 4812	3092	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe	81
PID 3092 wrote to memory of 4812	3092	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe	81
PID 3092 wrote to memory of 4812	3092	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe	81
PID 4812 wrote to memory of 3192	4812	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe	82
PID 4812 wrote to memory of 3192	4812	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe	82
PID 4812 wrote to memory of 3192	4812	f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe	82
PID 3192 wrote to memory of 4868	3192	aUPsvC0vieYvy.exe	83
PID 3192 wrote to memory of 4868	3192	aUPsvC0vieYvy.exe	83
PID 3192 wrote to memory of 4868	3192	aUPsvC0vieYvy.exe	83
PID 3192 wrote to memory of 4868	3192	aUPsvC0vieYvy.exe	83
PID 3192 wrote to memory of 4868	3192	aUPsvC0vieYvy.exe	83
PID 4868 wrote to memory of 4276	4868	aUPsvC0vieYvy.exe	85
PID 4868 wrote to memory of 4276	4868	aUPsvC0vieYvy.exe	85
PID 4868 wrote to memory of 4276	4868	aUPsvC0vieYvy.exe	85
PID 4868 wrote to memory of 5020	4868	aUPsvC0vieYvy.exe	86
PID 4868 wrote to memory of 5020	4868	aUPsvC0vieYvy.exe	86
PID 4868 wrote to memory of 5020	4868	aUPsvC0vieYvy.exe	86
PID 4868 wrote to memory of 4936	4868	aUPsvC0vieYvy.exe	87
PID 4868 wrote to memory of 4936	4868	aUPsvC0vieYvy.exe	87
PID 4868 wrote to memory of 4936	4868	aUPsvC0vieYvy.exe	87
PID 4868 wrote to memory of 4936	4868	aUPsvC0vieYvy.exe	87
PID 4868 wrote to memory of 4936	4868	aUPsvC0vieYvy.exe	87

C:\Users\Admin\AppData\Local\Temp\f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe
"C:\Users\Admin\AppData\Local\Temp\f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Users\Admin\AppData\Local\Temp\f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe
  "C:\Users\Admin\AppData\Local\Temp\f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\ProgramData\JQYqtWsNwO\aUPsvC0vieYvy.exe
    "C:\ProgramData\JQYqtWsNwO\aUPsvC0vieYvy.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3192
  - - C:\ProgramData\JQYqtWsNwO\aUPsvC0vieYvy.exe
      "C:\ProgramData\JQYqtWsNwO\aUPsvC0vieYvy.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4868
    - - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe" /i:4868
        5⤵
        
        PID:4276
    - - C:\Program Files (x86)\Windows Media Player\wmpshare.exe
        
        "C:\Program Files (x86)\Windows Media Player\wmpshare.exe" /i:4868
        5⤵
        
        PID:5020
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{9B826622-81DE-4C73-98AC-77A3FAEBE059}\MicrosoftEdgeUpdateSetup_X86_1.3.165.21.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{9B826622-81DE-4C73-98AC-77A3FAEBE059}\MicrosoftEdgeUpdateSetup_X86_1.3.165.21.exe" /i:4868
        5⤵
        
        PID:4936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\JQYqtWsNwO\aUPsvC0vieYvy.exe

Filesize
411KB

MD5
33c23c97085e34639c49a23a6cfc8030

SHA1
795f68f75057304df322088f297780fa8093e7a2

SHA256
f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c

SHA512
9a54e90f161558866b8b1ff57d442d872e4de80ccc0ec85e5f04c029884f37e94e650878c731160da53db0b6d66f67bf8d6437f4a1816cdddab7d02bd0881cd5

Download Submit
C:\ProgramData\JQYqtWsNwO\aUPsvC0vieYvy.exe

Filesize
411KB

MD5
33c23c97085e34639c49a23a6cfc8030

SHA1
795f68f75057304df322088f297780fa8093e7a2

SHA256
f171b882c40e5a90709d3714e4cea91b8743944947fe9eb2440ddc54603b333c

SHA512
9a54e90f161558866b8b1ff57d442d872e4de80ccc0ec85e5f04c029884f37e94e650878c731160da53db0b6d66f67bf8d6437f4a1816cdddab7d02bd0881cd5

Download Submit
C:\ProgramData\JQYqtWsNwO\aUPsvC0vieYvy.exe

Filesize
411KB

MD5
031d3a723d2520c8c061cf50fa1a3ead

SHA1
b31e47a82a0e0b790316d184f91836d4a9627dba

SHA256
4d39493424ba8667049d50e7e4a36e74db1340d7b330921f6669680a2a7f613b

SHA512
a14be2729503d05d8c45b07327981677fb09e7d7be0254b59b605e9743d95ad73c2dcf93e29015412284905adec5998a403758963a73c47c9ba585808ae9c3e0

Download Submit
C:\ProgramData\JQYqtWsNwO\aUPsvC0vieYvy.exe

Filesize
411KB

MD5
031d3a723d2520c8c061cf50fa1a3ead

SHA1
b31e47a82a0e0b790316d184f91836d4a9627dba

SHA256
4d39493424ba8667049d50e7e4a36e74db1340d7b330921f6669680a2a7f613b

SHA512
a14be2729503d05d8c45b07327981677fb09e7d7be0254b59b605e9743d95ad73c2dcf93e29015412284905adec5998a403758963a73c47c9ba585808ae9c3e0

Download Submit
C:\ProgramData\JQYqtWsNwO\aUPsvC0vieYvy.exe

Filesize
411KB

MD5
031d3a723d2520c8c061cf50fa1a3ead

SHA1
b31e47a82a0e0b790316d184f91836d4a9627dba

SHA256
4d39493424ba8667049d50e7e4a36e74db1340d7b330921f6669680a2a7f613b

SHA512
a14be2729503d05d8c45b07327981677fb09e7d7be0254b59b605e9743d95ad73c2dcf93e29015412284905adec5998a403758963a73c47c9ba585808ae9c3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7QW1hbz9.exe

Filesize
411KB

MD5
031d3a723d2520c8c061cf50fa1a3ead

SHA1
b31e47a82a0e0b790316d184f91836d4a9627dba

SHA256
4d39493424ba8667049d50e7e4a36e74db1340d7b330921f6669680a2a7f613b

SHA512
a14be2729503d05d8c45b07327981677fb09e7d7be0254b59b605e9743d95ad73c2dcf93e29015412284905adec5998a403758963a73c47c9ba585808ae9c3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7QW1hbz9.exe

Filesize
411KB

MD5
031d3a723d2520c8c061cf50fa1a3ead

SHA1
b31e47a82a0e0b790316d184f91836d4a9627dba

SHA256
4d39493424ba8667049d50e7e4a36e74db1340d7b330921f6669680a2a7f613b

SHA512
a14be2729503d05d8c45b07327981677fb09e7d7be0254b59b605e9743d95ad73c2dcf93e29015412284905adec5998a403758963a73c47c9ba585808ae9c3e0

Download Submit
memory/4812-135-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4812-138-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4812-141-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4812-134-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4812-133-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4868-150-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4868-157-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4936-158-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4936-159-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing