a13c62eb1d10e7ab666d9f4ade680765ecf510df9b9184f0831625a918608321

General

Target

a13c62eb1d10e7ab666d9f4ade680765ecf510df9b9184f0831625a918608321.exe
Size

367KB
MD5

35f167335f5472438fcd9a785a9fcad6
SHA1

444a034c5348c3a18b2b1c9ab0411206569072bc
SHA256

a13c62eb1d10e7ab666d9f4ade680765ecf510df9b9184f0831625a918608321
SHA512

c4da852aaa9c07a20d2ff81a17bb9019f83d7b3eccfb690b8eca623f12753d2862a0e4aefb0c9a477d945b302d48b9087a88f6c2f571d90a7b2bd3c2854ba490
SSDEEP

6144:uocG2GcBHUz9hpjb6N31WcnArDHhQsLb9neXkzYVFEZgiP/A:uccBHOJb2XgHzneWbg

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
944	fmXTd5lcT5r.exe
1988	fmXTd5lcT5r.exe

Deletes itself 1 IoCs

pid	Process
1988	fmXTd5lcT5r.exe

Loads dropped DLL 4 IoCs

pid	Process
1892	a13c62eb1d10e7ab666d9f4ade680765ecf510df9b9184f0831625a918608321.exe
1892	a13c62eb1d10e7ab666d9f4ade680765ecf510df9b9184f0831625a918608321.exe
1892	a13c62eb1d10e7ab666d9f4ade680765ecf510df9b9184f0831625a918608321.exe
1988	fmXTd5lcT5r.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\2AV0TKS2Q = "C:\\ProgramData\\kjWXQI19\\fmXTd5lcT5r.exe"	a13c62eb1d10e7ab666d9f4ade680765ecf510df9b9184f0831625a918608321.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	a13c62eb1d10e7ab666d9f4ade680765ecf510df9b9184f0831625a918608321.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 960 set thread context of 1892	960	a13c62eb1d10e7ab666d9f4ade680765ecf510df9b9184f0831625a918608321.exe	28
PID 944 set thread context of 1988	944	fmXTd5lcT5r.exe	30
PID 1988 set thread context of 1020	1988	fmXTd5lcT5r.exe	31

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 1892	960	a13c62eb1d10e7ab666d9f4ade680765ecf510df9b9184f0831625a918608321.exe	28
PID 960 wrote to memory of 1892	960	a13c62eb1d10e7ab666d9f4ade680765ecf510df9b9184f0831625a918608321.exe	28
PID 960 wrote to memory of 1892	960	a13c62eb1d10e7ab666d9f4ade680765ecf510df9b9184f0831625a918608321.exe	28
PID 960 wrote to memory of 1892	960	a13c62eb1d10e7ab666d9f4ade680765ecf510df9b9184f0831625a918608321.exe	28
PID 960 wrote to memory of 1892	960	a13c62eb1d10e7ab666d9f4ade680765ecf510df9b9184f0831625a918608321.exe	28
PID 960 wrote to memory of 1892	960	a13c62eb1d10e7ab666d9f4ade680765ecf510df9b9184f0831625a918608321.exe	28
PID 1892 wrote to memory of 944	1892	a13c62eb1d10e7ab666d9f4ade680765ecf510df9b9184f0831625a918608321.exe	29
PID 1892 wrote to memory of 944	1892	a13c62eb1d10e7ab666d9f4ade680765ecf510df9b9184f0831625a918608321.exe	29
PID 1892 wrote to memory of 944	1892	a13c62eb1d10e7ab666d9f4ade680765ecf510df9b9184f0831625a918608321.exe	29
PID 1892 wrote to memory of 944	1892	a13c62eb1d10e7ab666d9f4ade680765ecf510df9b9184f0831625a918608321.exe	29
PID 944 wrote to memory of 1988	944	fmXTd5lcT5r.exe	30
PID 944 wrote to memory of 1988	944	fmXTd5lcT5r.exe	30
PID 944 wrote to memory of 1988	944	fmXTd5lcT5r.exe	30
PID 944 wrote to memory of 1988	944	fmXTd5lcT5r.exe	30
PID 944 wrote to memory of 1988	944	fmXTd5lcT5r.exe	30
PID 944 wrote to memory of 1988	944	fmXTd5lcT5r.exe	30
PID 1988 wrote to memory of 1020	1988	fmXTd5lcT5r.exe	31
PID 1988 wrote to memory of 1020	1988	fmXTd5lcT5r.exe	31
PID 1988 wrote to memory of 1020	1988	fmXTd5lcT5r.exe	31
PID 1988 wrote to memory of 1020	1988	fmXTd5lcT5r.exe	31
PID 1988 wrote to memory of 1020	1988	fmXTd5lcT5r.exe	31
PID 1988 wrote to memory of 1020	1988	fmXTd5lcT5r.exe	31
PID 1988 wrote to memory of 1020	1988	fmXTd5lcT5r.exe	31
PID 1988 wrote to memory of 1020	1988	fmXTd5lcT5r.exe	31
PID 1988 wrote to memory of 1020	1988	fmXTd5lcT5r.exe	31

C:\Users\Admin\AppData\Local\Temp\a13c62eb1d10e7ab666d9f4ade680765ecf510df9b9184f0831625a918608321.exe
"C:\Users\Admin\AppData\Local\Temp\a13c62eb1d10e7ab666d9f4ade680765ecf510df9b9184f0831625a918608321.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:960
- C:\Users\Admin\AppData\Local\Temp\a13c62eb1d10e7ab666d9f4ade680765ecf510df9b9184f0831625a918608321.exe
  "C:\Users\Admin\AppData\Local\Temp\a13c62eb1d10e7ab666d9f4ade680765ecf510df9b9184f0831625a918608321.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\ProgramData\kjWXQI19\fmXTd5lcT5r.exe
    "C:\ProgramData\kjWXQI19\fmXTd5lcT5r.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\ProgramData\kjWXQI19\fmXTd5lcT5r.exe
      "C:\ProgramData\kjWXQI19\fmXTd5lcT5r.exe"
      4⤵
      Executes dropped EXE
      Deletes itself
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1988
    - - C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe" /i:1988
        5⤵
        
        PID:1020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kjWXQI19\fmXTd5lcT5r.exe

Filesize
367KB

MD5
558297f8ce50db772b65515e828816fb

SHA1
0a81f540aeb4f42512243f8f305a8c9289444314

SHA256
ba647692f49952997f09d99727701b166f575c86a2936729d837a794f4955ca8

SHA512
e9bb0dd22ea5fea05bcc26bcfde28c864fddd2900cba65def1d261acac951f11856bf9a35fbd1eff37b76b121821cf0d7c8de0cf6357069bad194aee02dc765d

Download Submit
C:\ProgramData\kjWXQI19\fmXTd5lcT5r.exe

Filesize
367KB

MD5
558297f8ce50db772b65515e828816fb

SHA1
0a81f540aeb4f42512243f8f305a8c9289444314

SHA256
ba647692f49952997f09d99727701b166f575c86a2936729d837a794f4955ca8

SHA512
e9bb0dd22ea5fea05bcc26bcfde28c864fddd2900cba65def1d261acac951f11856bf9a35fbd1eff37b76b121821cf0d7c8de0cf6357069bad194aee02dc765d

Download Submit
C:\ProgramData\kjWXQI19\fmXTd5lcT5r.exe

Filesize
367KB

MD5
558297f8ce50db772b65515e828816fb

SHA1
0a81f540aeb4f42512243f8f305a8c9289444314

SHA256
ba647692f49952997f09d99727701b166f575c86a2936729d837a794f4955ca8

SHA512
e9bb0dd22ea5fea05bcc26bcfde28c864fddd2900cba65def1d261acac951f11856bf9a35fbd1eff37b76b121821cf0d7c8de0cf6357069bad194aee02dc765d

Download Submit
\ProgramData\kjWXQI19\fmXTd5lcT5r.exe

Filesize
367KB

MD5
558297f8ce50db772b65515e828816fb

SHA1
0a81f540aeb4f42512243f8f305a8c9289444314

SHA256
ba647692f49952997f09d99727701b166f575c86a2936729d837a794f4955ca8

SHA512
e9bb0dd22ea5fea05bcc26bcfde28c864fddd2900cba65def1d261acac951f11856bf9a35fbd1eff37b76b121821cf0d7c8de0cf6357069bad194aee02dc765d

Download Submit
\ProgramData\kjWXQI19\fmXTd5lcT5r.exe

Filesize
367KB

MD5
558297f8ce50db772b65515e828816fb

SHA1
0a81f540aeb4f42512243f8f305a8c9289444314

SHA256
ba647692f49952997f09d99727701b166f575c86a2936729d837a794f4955ca8

SHA512
e9bb0dd22ea5fea05bcc26bcfde28c864fddd2900cba65def1d261acac951f11856bf9a35fbd1eff37b76b121821cf0d7c8de0cf6357069bad194aee02dc765d

Download Submit
\ProgramData\kjWXQI19\fmXTd5lcT5r.exe

Filesize
367KB

MD5
35f167335f5472438fcd9a785a9fcad6

SHA1
444a034c5348c3a18b2b1c9ab0411206569072bc

SHA256
a13c62eb1d10e7ab666d9f4ade680765ecf510df9b9184f0831625a918608321

SHA512
c4da852aaa9c07a20d2ff81a17bb9019f83d7b3eccfb690b8eca623f12753d2862a0e4aefb0c9a477d945b302d48b9087a88f6c2f571d90a7b2bd3c2854ba490

Download Submit
\Users\Admin\AppData\Local\Temp\C1Xw9hBWa.exe

Filesize
367KB

MD5
558297f8ce50db772b65515e828816fb

SHA1
0a81f540aeb4f42512243f8f305a8c9289444314

SHA256
ba647692f49952997f09d99727701b166f575c86a2936729d837a794f4955ca8

SHA512
e9bb0dd22ea5fea05bcc26bcfde28c864fddd2900cba65def1d261acac951f11856bf9a35fbd1eff37b76b121821cf0d7c8de0cf6357069bad194aee02dc765d

Download Submit
memory/1020-86-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1020-85-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1892-59-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1892-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1892-58-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1892-61-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1892-65-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1892-54-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1988-76-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1988-77-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1988-84-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing