cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99

General

Target

cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe
Size

501KB
MD5

70ba395b631e31f278ab7baf879e6218
SHA1

437d00c3e5cb573c416fdee88bb058c177f80736
SHA256

cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99
SHA512

e60d6cce55daf9ad1760ac5322669e17f93f13c6c6adc0b25c77e4f4aaa0d5a63368e3b9d004cfbbe0687396e2367b2f75993aea9841fcd4a31d664be2ff2c12
SSDEEP

6144:pdNszUtPwxMqhqTpMjSFDWG1rOaCNDGLQvoEnv3U2Y72mxK4advrzHpKBD:p6VmdMGV2lHY72MK7dXkBD

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2020	FPMBtLrNpaha.exe
1164	FPMBtLrNpaha.exe

Deletes itself 1 IoCs

pid	Process
1164	FPMBtLrNpaha.exe

Loads dropped DLL 4 IoCs

pid	Process
1128	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe
1128	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe
1128	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe
1164	FPMBtLrNpaha.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\JFffX5Y9LcFj = "C:\\ProgramData\\deDQNLJ5u\\FPMBtLrNpaha.exe"	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 112 set thread context of 1128	112	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe	28
PID 2020 set thread context of 1164	2020	FPMBtLrNpaha.exe	30
PID 1164 set thread context of 1380	1164	FPMBtLrNpaha.exe	31

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 112 wrote to memory of 1128	112	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe	28
PID 112 wrote to memory of 1128	112	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe	28
PID 112 wrote to memory of 1128	112	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe	28
PID 112 wrote to memory of 1128	112	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe	28
PID 112 wrote to memory of 1128	112	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe	28
PID 112 wrote to memory of 1128	112	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe	28
PID 1128 wrote to memory of 2020	1128	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe	29
PID 1128 wrote to memory of 2020	1128	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe	29
PID 1128 wrote to memory of 2020	1128	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe	29
PID 1128 wrote to memory of 2020	1128	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe	29
PID 2020 wrote to memory of 1164	2020	FPMBtLrNpaha.exe	30
PID 2020 wrote to memory of 1164	2020	FPMBtLrNpaha.exe	30
PID 2020 wrote to memory of 1164	2020	FPMBtLrNpaha.exe	30
PID 2020 wrote to memory of 1164	2020	FPMBtLrNpaha.exe	30
PID 2020 wrote to memory of 1164	2020	FPMBtLrNpaha.exe	30
PID 2020 wrote to memory of 1164	2020	FPMBtLrNpaha.exe	30
PID 1164 wrote to memory of 1380	1164	FPMBtLrNpaha.exe	31
PID 1164 wrote to memory of 1380	1164	FPMBtLrNpaha.exe	31
PID 1164 wrote to memory of 1380	1164	FPMBtLrNpaha.exe	31
PID 1164 wrote to memory of 1380	1164	FPMBtLrNpaha.exe	31
PID 1164 wrote to memory of 1380	1164	FPMBtLrNpaha.exe	31
PID 1164 wrote to memory of 1380	1164	FPMBtLrNpaha.exe	31
PID 1164 wrote to memory of 1380	1164	FPMBtLrNpaha.exe	31
PID 1164 wrote to memory of 1380	1164	FPMBtLrNpaha.exe	31
PID 1164 wrote to memory of 1380	1164	FPMBtLrNpaha.exe	31

C:\Users\Admin\AppData\Local\Temp\cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe
"C:\Users\Admin\AppData\Local\Temp\cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:112
- C:\Users\Admin\AppData\Local\Temp\cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe
  "C:\Users\Admin\AppData\Local\Temp\cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\ProgramData\deDQNLJ5u\FPMBtLrNpaha.exe
    "C:\ProgramData\deDQNLJ5u\FPMBtLrNpaha.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\ProgramData\deDQNLJ5u\FPMBtLrNpaha.exe
      "C:\ProgramData\deDQNLJ5u\FPMBtLrNpaha.exe"
      4⤵
      Executes dropped EXE
      Deletes itself
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateCore.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateCore.exe" /i:1164
        5⤵
        
        PID:1380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\deDQNLJ5u\FPMBtLrNpaha.exe

Filesize
501KB

MD5
ef0c606673cfc48e079e6977eec9b640

SHA1
fa79b89a26bf8cf8bc79f058560f0b8036b09f55

SHA256
19367629fa80ca215aceee5f33703007fda10e16ed8f18974a72f0d8c78b649e

SHA512
cab2e7df5245a506e4f3a57a5c66c78fe83074e788db7275200d75339216a9ef4a641ba86cccdc9852eefafee4d63e929f012b075a3f045053d3284f8c469bc0

Download Submit
C:\ProgramData\deDQNLJ5u\FPMBtLrNpaha.exe

Filesize
501KB

MD5
ef0c606673cfc48e079e6977eec9b640

SHA1
fa79b89a26bf8cf8bc79f058560f0b8036b09f55

SHA256
19367629fa80ca215aceee5f33703007fda10e16ed8f18974a72f0d8c78b649e

SHA512
cab2e7df5245a506e4f3a57a5c66c78fe83074e788db7275200d75339216a9ef4a641ba86cccdc9852eefafee4d63e929f012b075a3f045053d3284f8c469bc0

Download Submit
C:\ProgramData\deDQNLJ5u\FPMBtLrNpaha.exe

Filesize
501KB

MD5
ef0c606673cfc48e079e6977eec9b640

SHA1
fa79b89a26bf8cf8bc79f058560f0b8036b09f55

SHA256
19367629fa80ca215aceee5f33703007fda10e16ed8f18974a72f0d8c78b649e

SHA512
cab2e7df5245a506e4f3a57a5c66c78fe83074e788db7275200d75339216a9ef4a641ba86cccdc9852eefafee4d63e929f012b075a3f045053d3284f8c469bc0

Download Submit
\ProgramData\deDQNLJ5u\FPMBtLrNpaha.exe

Filesize
501KB

MD5
ef0c606673cfc48e079e6977eec9b640

SHA1
fa79b89a26bf8cf8bc79f058560f0b8036b09f55

SHA256
19367629fa80ca215aceee5f33703007fda10e16ed8f18974a72f0d8c78b649e

SHA512
cab2e7df5245a506e4f3a57a5c66c78fe83074e788db7275200d75339216a9ef4a641ba86cccdc9852eefafee4d63e929f012b075a3f045053d3284f8c469bc0

Download Submit
\ProgramData\deDQNLJ5u\FPMBtLrNpaha.exe

Filesize
501KB

MD5
ef0c606673cfc48e079e6977eec9b640

SHA1
fa79b89a26bf8cf8bc79f058560f0b8036b09f55

SHA256
19367629fa80ca215aceee5f33703007fda10e16ed8f18974a72f0d8c78b649e

SHA512
cab2e7df5245a506e4f3a57a5c66c78fe83074e788db7275200d75339216a9ef4a641ba86cccdc9852eefafee4d63e929f012b075a3f045053d3284f8c469bc0

Download Submit
\ProgramData\deDQNLJ5u\FPMBtLrNpaha.exe

Filesize
501KB

MD5
70ba395b631e31f278ab7baf879e6218

SHA1
437d00c3e5cb573c416fdee88bb058c177f80736

SHA256
cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99

SHA512
e60d6cce55daf9ad1760ac5322669e17f93f13c6c6adc0b25c77e4f4aaa0d5a63368e3b9d004cfbbe0687396e2367b2f75993aea9841fcd4a31d664be2ff2c12

Download Submit
\Users\Admin\AppData\Local\Temp\xXaXfWaWdL.exe

Filesize
501KB

MD5
ef0c606673cfc48e079e6977eec9b640

SHA1
fa79b89a26bf8cf8bc79f058560f0b8036b09f55

SHA256
19367629fa80ca215aceee5f33703007fda10e16ed8f18974a72f0d8c78b649e

SHA512
cab2e7df5245a506e4f3a57a5c66c78fe83074e788db7275200d75339216a9ef4a641ba86cccdc9852eefafee4d63e929f012b075a3f045053d3284f8c469bc0

Download Submit
memory/1128-60-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1128-58-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1128-65-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1128-59-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1128-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1128-54-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1164-76-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1164-83-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1380-84-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1380-85-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing