cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99

General

Target

cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe
Size

501KB
MD5

70ba395b631e31f278ab7baf879e6218
SHA1

437d00c3e5cb573c416fdee88bb058c177f80736
SHA256

cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99
SHA512

e60d6cce55daf9ad1760ac5322669e17f93f13c6c6adc0b25c77e4f4aaa0d5a63368e3b9d004cfbbe0687396e2367b2f75993aea9841fcd4a31d664be2ff2c12
SSDEEP

6144:pdNszUtPwxMqhqTpMjSFDWG1rOaCNDGLQvoEnv3U2Y72mxK4advrzHpKBD:p6VmdMGV2lHY72MK7dXkBD

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3772	kYxQJPXft.exe
4516	kYxQJPXft.exe

Loads dropped DLL 4 IoCs

pid	Process
3876	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe
3876	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe
4516	kYxQJPXft.exe
4516	kYxQJPXft.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Asva29yz = "C:\\ProgramData\\F1NPlIdTMkW9m\\kYxQJPXft.exe"	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 400 set thread context of 3876	400	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe	83
PID 3772 set thread context of 4516	3772	kYxQJPXft.exe	87
PID 4516 set thread context of 3500	4516	kYxQJPXft.exe	95

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 3876	400	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe	83
PID 400 wrote to memory of 3876	400	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe	83
PID 400 wrote to memory of 3876	400	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe	83
PID 400 wrote to memory of 3876	400	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe	83
PID 400 wrote to memory of 3876	400	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe	83
PID 3876 wrote to memory of 3772	3876	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe	84
PID 3876 wrote to memory of 3772	3876	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe	84
PID 3876 wrote to memory of 3772	3876	cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe	84
PID 3772 wrote to memory of 4516	3772	kYxQJPXft.exe	87
PID 3772 wrote to memory of 4516	3772	kYxQJPXft.exe	87
PID 3772 wrote to memory of 4516	3772	kYxQJPXft.exe	87
PID 3772 wrote to memory of 4516	3772	kYxQJPXft.exe	87
PID 3772 wrote to memory of 4516	3772	kYxQJPXft.exe	87
PID 4516 wrote to memory of 900	4516	kYxQJPXft.exe	90
PID 4516 wrote to memory of 900	4516	kYxQJPXft.exe	90
PID 4516 wrote to memory of 900	4516	kYxQJPXft.exe	90
PID 4516 wrote to memory of 3500	4516	kYxQJPXft.exe	95
PID 4516 wrote to memory of 3500	4516	kYxQJPXft.exe	95
PID 4516 wrote to memory of 3500	4516	kYxQJPXft.exe	95
PID 4516 wrote to memory of 3500	4516	kYxQJPXft.exe	95
PID 4516 wrote to memory of 3500	4516	kYxQJPXft.exe	95

C:\Users\Admin\AppData\Local\Temp\cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe
"C:\Users\Admin\AppData\Local\Temp\cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:400
- C:\Users\Admin\AppData\Local\Temp\cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe
  "C:\Users\Admin\AppData\Local\Temp\cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\ProgramData\F1NPlIdTMkW9m\kYxQJPXft.exe
    "C:\ProgramData\F1NPlIdTMkW9m\kYxQJPXft.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3772
  - - C:\ProgramData\F1NPlIdTMkW9m\kYxQJPXft.exe
      "C:\ProgramData\F1NPlIdTMkW9m\kYxQJPXft.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4516
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe" /i:4516
        5⤵
        
        PID:900
    - - C:\Program Files (x86)\Windows Media Player\wmlaunch.exe
        
        "C:\Program Files (x86)\Windows Media Player\wmlaunch.exe" /i:4516
        5⤵
        
        PID:3500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\F1NPlIdTMkW9m\kYxQJPXft.exe

Filesize
501KB

MD5
a33728aee3759b81872505fba651efbe

SHA1
235216ea46b5a9b1a7f8f367b1c2ec544fdff847

SHA256
a014f7c64fbdaed415eda326caa76ca81dde8c393240b09af5f763da7b9ff1a5

SHA512
99f6f4ed0f3803822758dbd79008590a3cc1e00a1e7ee01fe8573c91981809c41a6f0b83b01186af2384b651168da68746ee5005c21ffcc6fa866ca6204265a2

Download Submit
C:\ProgramData\F1NPlIdTMkW9m\kYxQJPXft.exe

Filesize
501KB

MD5
a33728aee3759b81872505fba651efbe

SHA1
235216ea46b5a9b1a7f8f367b1c2ec544fdff847

SHA256
a014f7c64fbdaed415eda326caa76ca81dde8c393240b09af5f763da7b9ff1a5

SHA512
99f6f4ed0f3803822758dbd79008590a3cc1e00a1e7ee01fe8573c91981809c41a6f0b83b01186af2384b651168da68746ee5005c21ffcc6fa866ca6204265a2

Download Submit
C:\ProgramData\F1NPlIdTMkW9m\kYxQJPXft.exe

Filesize
501KB

MD5
a33728aee3759b81872505fba651efbe

SHA1
235216ea46b5a9b1a7f8f367b1c2ec544fdff847

SHA256
a014f7c64fbdaed415eda326caa76ca81dde8c393240b09af5f763da7b9ff1a5

SHA512
99f6f4ed0f3803822758dbd79008590a3cc1e00a1e7ee01fe8573c91981809c41a6f0b83b01186af2384b651168da68746ee5005c21ffcc6fa866ca6204265a2

Download Submit
C:\ProgramData\F1NPlIdTMkW9m\kYxQJPXft.exe

Filesize
501KB

MD5
70ba395b631e31f278ab7baf879e6218

SHA1
437d00c3e5cb573c416fdee88bb058c177f80736

SHA256
cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99

SHA512
e60d6cce55daf9ad1760ac5322669e17f93f13c6c6adc0b25c77e4f4aaa0d5a63368e3b9d004cfbbe0687396e2367b2f75993aea9841fcd4a31d664be2ff2c12

Download Submit
C:\ProgramData\F1NPlIdTMkW9m\kYxQJPXft.exe

Filesize
501KB

MD5
70ba395b631e31f278ab7baf879e6218

SHA1
437d00c3e5cb573c416fdee88bb058c177f80736

SHA256
cc3c9ef4c5c2c0e4091520ca53c133652cff3013408017f2c2d66a87e43f4d99

SHA512
e60d6cce55daf9ad1760ac5322669e17f93f13c6c6adc0b25c77e4f4aaa0d5a63368e3b9d004cfbbe0687396e2367b2f75993aea9841fcd4a31d664be2ff2c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\nxmRLEGj.exe

Filesize
501KB

MD5
a33728aee3759b81872505fba651efbe

SHA1
235216ea46b5a9b1a7f8f367b1c2ec544fdff847

SHA256
a014f7c64fbdaed415eda326caa76ca81dde8c393240b09af5f763da7b9ff1a5

SHA512
99f6f4ed0f3803822758dbd79008590a3cc1e00a1e7ee01fe8573c91981809c41a6f0b83b01186af2384b651168da68746ee5005c21ffcc6fa866ca6204265a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nxmRLEGj.exe

Filesize
501KB

MD5
a33728aee3759b81872505fba651efbe

SHA1
235216ea46b5a9b1a7f8f367b1c2ec544fdff847

SHA256
a014f7c64fbdaed415eda326caa76ca81dde8c393240b09af5f763da7b9ff1a5

SHA512
99f6f4ed0f3803822758dbd79008590a3cc1e00a1e7ee01fe8573c91981809c41a6f0b83b01186af2384b651168da68746ee5005c21ffcc6fa866ca6204265a2

Download Submit
memory/3500-158-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3876-141-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3876-138-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3876-135-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3876-134-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3876-133-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4516-150-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4516-152-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4516-157-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing