d68eb882eccbec5ae081191e7a830fbb105b3e72c2866a1ac6a39de142e815e4

General

Target

d68eb882eccbec5ae081191e7a830fbb105b3e72c2866a1ac6a39de142e815e4.exe
Size

283KB
MD5

da5eb5cfd23b40d0a86fe513de090614
SHA1

1933a1f549f1e0471167a9b155891d834f902850
SHA256

d68eb882eccbec5ae081191e7a830fbb105b3e72c2866a1ac6a39de142e815e4
SHA512

7c4ff5aa23340eea2639b9d0177bd54fe2fa7b467a6904c09bb3e0f735785ce666226416b0b23a01d439f3fa65c4dd18f3fea3f8f2ed35f3aae8d3788934faad
SSDEEP

3072:OZBUhiVExGM994OV4tkkJG7IZ+P5iW0syG3iDpeWNW:AXkfsbECW

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4552	fitnets.exe.exe
2948	fitnets.exe.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	d68eb882eccbec5ae081191e7a830fbb105b3e72c2866a1ac6a39de142e815e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Java Update = "fitnets.exe.exe"	d68eb882eccbec5ae081191e7a830fbb105b3e72c2866a1ac6a39de142e815e4.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4500 set thread context of 4936	4500	d68eb882eccbec5ae081191e7a830fbb105b3e72c2866a1ac6a39de142e815e4.exe	81
PID 4552 set thread context of 2948	4552	fitnets.exe.exe	83

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\fitnets.exe.exe	d68eb882eccbec5ae081191e7a830fbb105b3e72c2866a1ac6a39de142e815e4.exe
File opened for modification	C:\Windows\fitnets.exe.exe	d68eb882eccbec5ae081191e7a830fbb105b3e72c2866a1ac6a39de142e815e4.exe
File opened for modification	C:\Windows\fitnets.exe.exe	fitnets.exe.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4500	d68eb882eccbec5ae081191e7a830fbb105b3e72c2866a1ac6a39de142e815e4.exe
4552	fitnets.exe.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 4936	4500	d68eb882eccbec5ae081191e7a830fbb105b3e72c2866a1ac6a39de142e815e4.exe	81
PID 4500 wrote to memory of 4936	4500	d68eb882eccbec5ae081191e7a830fbb105b3e72c2866a1ac6a39de142e815e4.exe	81
PID 4500 wrote to memory of 4936	4500	d68eb882eccbec5ae081191e7a830fbb105b3e72c2866a1ac6a39de142e815e4.exe	81
PID 4500 wrote to memory of 4936	4500	d68eb882eccbec5ae081191e7a830fbb105b3e72c2866a1ac6a39de142e815e4.exe	81
PID 4500 wrote to memory of 4936	4500	d68eb882eccbec5ae081191e7a830fbb105b3e72c2866a1ac6a39de142e815e4.exe	81
PID 4500 wrote to memory of 4936	4500	d68eb882eccbec5ae081191e7a830fbb105b3e72c2866a1ac6a39de142e815e4.exe	81
PID 4500 wrote to memory of 4936	4500	d68eb882eccbec5ae081191e7a830fbb105b3e72c2866a1ac6a39de142e815e4.exe	81
PID 4500 wrote to memory of 4936	4500	d68eb882eccbec5ae081191e7a830fbb105b3e72c2866a1ac6a39de142e815e4.exe	81
PID 4936 wrote to memory of 4552	4936	d68eb882eccbec5ae081191e7a830fbb105b3e72c2866a1ac6a39de142e815e4.exe	82
PID 4936 wrote to memory of 4552	4936	d68eb882eccbec5ae081191e7a830fbb105b3e72c2866a1ac6a39de142e815e4.exe	82
PID 4936 wrote to memory of 4552	4936	d68eb882eccbec5ae081191e7a830fbb105b3e72c2866a1ac6a39de142e815e4.exe	82
PID 4552 wrote to memory of 2948	4552	fitnets.exe.exe	83
PID 4552 wrote to memory of 2948	4552	fitnets.exe.exe	83
PID 4552 wrote to memory of 2948	4552	fitnets.exe.exe	83
PID 4552 wrote to memory of 2948	4552	fitnets.exe.exe	83
PID 4552 wrote to memory of 2948	4552	fitnets.exe.exe	83
PID 4552 wrote to memory of 2948	4552	fitnets.exe.exe	83
PID 4552 wrote to memory of 2948	4552	fitnets.exe.exe	83
PID 4552 wrote to memory of 2948	4552	fitnets.exe.exe	83

C:\Users\Admin\AppData\Local\Temp\d68eb882eccbec5ae081191e7a830fbb105b3e72c2866a1ac6a39de142e815e4.exe
"C:\Users\Admin\AppData\Local\Temp\d68eb882eccbec5ae081191e7a830fbb105b3e72c2866a1ac6a39de142e815e4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Users\Admin\AppData\Local\Temp\d68eb882eccbec5ae081191e7a830fbb105b3e72c2866a1ac6a39de142e815e4.exe
  C:\Users\Admin\AppData\Local\Temp\d68eb882eccbec5ae081191e7a830fbb105b3e72c2866a1ac6a39de142e815e4.exe
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\fitnets.exe.exe
    "C:\Windows\fitnets.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Windows\fitnets.exe.exe
      C:\Windows\fitnets.exe.exe
      4⤵
      Executes dropped EXE
      PID:2948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\fitnets.exe.exe

Filesize
283KB

MD5
da5eb5cfd23b40d0a86fe513de090614

SHA1
1933a1f549f1e0471167a9b155891d834f902850

SHA256
d68eb882eccbec5ae081191e7a830fbb105b3e72c2866a1ac6a39de142e815e4

SHA512
7c4ff5aa23340eea2639b9d0177bd54fe2fa7b467a6904c09bb3e0f735785ce666226416b0b23a01d439f3fa65c4dd18f3fea3f8f2ed35f3aae8d3788934faad

Download Submit
C:\Windows\fitnets.exe.exe

Filesize
283KB

MD5
da5eb5cfd23b40d0a86fe513de090614

SHA1
1933a1f549f1e0471167a9b155891d834f902850

SHA256
d68eb882eccbec5ae081191e7a830fbb105b3e72c2866a1ac6a39de142e815e4

SHA512
7c4ff5aa23340eea2639b9d0177bd54fe2fa7b467a6904c09bb3e0f735785ce666226416b0b23a01d439f3fa65c4dd18f3fea3f8f2ed35f3aae8d3788934faad

Download Submit
C:\Windows\fitnets.exe.exe

Filesize
283KB

MD5
da5eb5cfd23b40d0a86fe513de090614

SHA1
1933a1f549f1e0471167a9b155891d834f902850

SHA256
d68eb882eccbec5ae081191e7a830fbb105b3e72c2866a1ac6a39de142e815e4

SHA512
7c4ff5aa23340eea2639b9d0177bd54fe2fa7b467a6904c09bb3e0f735785ce666226416b0b23a01d439f3fa65c4dd18f3fea3f8f2ed35f3aae8d3788934faad

Download Submit
memory/2948-149-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2948-151-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4936-135-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4936-137-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4936-138-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4936-150-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing