fa7024d364d5e55b264682960cf0807d1ded4e917ca8614c4f2d027990ae5b4f

General

Target

fa7024d364d5e55b264682960cf0807d1ded4e917ca8614c4f2d027990ae5b4f.exe
Size

351KB
MD5

20338f738bd066961ae639e0820c6f5e
SHA1

a7945be15e1cceb9cfc70efb6956951ede4b1eb0
SHA256

fa7024d364d5e55b264682960cf0807d1ded4e917ca8614c4f2d027990ae5b4f
SHA512

1fe569ce8ec1a32efd65e662a2311e142acd0bf818b9c3f3a43f2725010d5227b23a45d6d7eb1871def1270fb6ad6a111246da4033e47a01058d1148517c7b57
SSDEEP

6144:Z3c4cg0RO2MEzoqeAYd2eGBysYgeOnVvZ33rXjIzPD:ZiBTMbAm2tBxeOnVvZHgzPD

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2028	FyGAMjyYP.exe
1324	FyGAMjyYP.exe

Deletes itself 1 IoCs

pid	Process
1324	FyGAMjyYP.exe

Loads dropped DLL 4 IoCs

pid	Process
860	fa7024d364d5e55b264682960cf0807d1ded4e917ca8614c4f2d027990ae5b4f.exe
860	fa7024d364d5e55b264682960cf0807d1ded4e917ca8614c4f2d027990ae5b4f.exe
860	fa7024d364d5e55b264682960cf0807d1ded4e917ca8614c4f2d027990ae5b4f.exe
1324	FyGAMjyYP.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	fa7024d364d5e55b264682960cf0807d1ded4e917ca8614c4f2d027990ae5b4f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\IYmfwffcJZQqXBq = "C:\\ProgramData\\DA73TrdFRfOTiNx\\FyGAMjyYP.exe"	fa7024d364d5e55b264682960cf0807d1ded4e917ca8614c4f2d027990ae5b4f.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1428 set thread context of 860	1428	fa7024d364d5e55b264682960cf0807d1ded4e917ca8614c4f2d027990ae5b4f.exe	27
PID 2028 set thread context of 1324	2028	FyGAMjyYP.exe	29
PID 1324 set thread context of 972	1324	FyGAMjyYP.exe	31

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 860	1428	fa7024d364d5e55b264682960cf0807d1ded4e917ca8614c4f2d027990ae5b4f.exe	27
PID 1428 wrote to memory of 860	1428	fa7024d364d5e55b264682960cf0807d1ded4e917ca8614c4f2d027990ae5b4f.exe	27
PID 1428 wrote to memory of 860	1428	fa7024d364d5e55b264682960cf0807d1ded4e917ca8614c4f2d027990ae5b4f.exe	27
PID 1428 wrote to memory of 860	1428	fa7024d364d5e55b264682960cf0807d1ded4e917ca8614c4f2d027990ae5b4f.exe	27
PID 1428 wrote to memory of 860	1428	fa7024d364d5e55b264682960cf0807d1ded4e917ca8614c4f2d027990ae5b4f.exe	27
PID 1428 wrote to memory of 860	1428	fa7024d364d5e55b264682960cf0807d1ded4e917ca8614c4f2d027990ae5b4f.exe	27
PID 860 wrote to memory of 2028	860	fa7024d364d5e55b264682960cf0807d1ded4e917ca8614c4f2d027990ae5b4f.exe	28
PID 860 wrote to memory of 2028	860	fa7024d364d5e55b264682960cf0807d1ded4e917ca8614c4f2d027990ae5b4f.exe	28
PID 860 wrote to memory of 2028	860	fa7024d364d5e55b264682960cf0807d1ded4e917ca8614c4f2d027990ae5b4f.exe	28
PID 860 wrote to memory of 2028	860	fa7024d364d5e55b264682960cf0807d1ded4e917ca8614c4f2d027990ae5b4f.exe	28
PID 2028 wrote to memory of 1324	2028	FyGAMjyYP.exe	29
PID 2028 wrote to memory of 1324	2028	FyGAMjyYP.exe	29
PID 2028 wrote to memory of 1324	2028	FyGAMjyYP.exe	29
PID 2028 wrote to memory of 1324	2028	FyGAMjyYP.exe	29
PID 2028 wrote to memory of 1324	2028	FyGAMjyYP.exe	29
PID 2028 wrote to memory of 1324	2028	FyGAMjyYP.exe	29
PID 1324 wrote to memory of 288	1324	FyGAMjyYP.exe	30
PID 1324 wrote to memory of 288	1324	FyGAMjyYP.exe	30
PID 1324 wrote to memory of 288	1324	FyGAMjyYP.exe	30
PID 1324 wrote to memory of 288	1324	FyGAMjyYP.exe	30
PID 1324 wrote to memory of 972	1324	FyGAMjyYP.exe	31
PID 1324 wrote to memory of 972	1324	FyGAMjyYP.exe	31
PID 1324 wrote to memory of 972	1324	FyGAMjyYP.exe	31
PID 1324 wrote to memory of 972	1324	FyGAMjyYP.exe	31
PID 1324 wrote to memory of 972	1324	FyGAMjyYP.exe	31
PID 1324 wrote to memory of 972	1324	FyGAMjyYP.exe	31

C:\Users\Admin\AppData\Local\Temp\fa7024d364d5e55b264682960cf0807d1ded4e917ca8614c4f2d027990ae5b4f.exe
"C:\Users\Admin\AppData\Local\Temp\fa7024d364d5e55b264682960cf0807d1ded4e917ca8614c4f2d027990ae5b4f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Users\Admin\AppData\Local\Temp\fa7024d364d5e55b264682960cf0807d1ded4e917ca8614c4f2d027990ae5b4f.exe
  "C:\Users\Admin\AppData\Local\Temp\fa7024d364d5e55b264682960cf0807d1ded4e917ca8614c4f2d027990ae5b4f.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\ProgramData\DA73TrdFRfOTiNx\FyGAMjyYP.exe
    "C:\ProgramData\DA73TrdFRfOTiNx\FyGAMjyYP.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\ProgramData\DA73TrdFRfOTiNx\FyGAMjyYP.exe
      "C:\ProgramData\DA73TrdFRfOTiNx\FyGAMjyYP.exe"
      4⤵
      Executes dropped EXE
      Deletes itself
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1324
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe" /i:1324
        5⤵
        
        PID:288
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /i:1324
        5⤵
        
        PID:972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DA73TrdFRfOTiNx\FyGAMjyYP.exe

Filesize
351KB

MD5
f87940c719f1d65d486e95522faa8ea1

SHA1
db0051e64aa325c083608db6aada6bae5cdfd3ab

SHA256
e87298a8686170a5a6c3baf6fb441c049fe8d61069bf65d2a2c465d7b53442e9

SHA512
ea5e340acbe438a421d8d70f9ee0fa950b742da98779a73c2b439e6e39ed7f6adf92592736eb556330e49171aead5c45533b9f43201d4697ce7bf054da5579c5

Download Submit
C:\ProgramData\DA73TrdFRfOTiNx\FyGAMjyYP.exe

Filesize
351KB

MD5
f87940c719f1d65d486e95522faa8ea1

SHA1
db0051e64aa325c083608db6aada6bae5cdfd3ab

SHA256
e87298a8686170a5a6c3baf6fb441c049fe8d61069bf65d2a2c465d7b53442e9

SHA512
ea5e340acbe438a421d8d70f9ee0fa950b742da98779a73c2b439e6e39ed7f6adf92592736eb556330e49171aead5c45533b9f43201d4697ce7bf054da5579c5

Download Submit
C:\ProgramData\DA73TrdFRfOTiNx\FyGAMjyYP.exe

Filesize
351KB

MD5
f87940c719f1d65d486e95522faa8ea1

SHA1
db0051e64aa325c083608db6aada6bae5cdfd3ab

SHA256
e87298a8686170a5a6c3baf6fb441c049fe8d61069bf65d2a2c465d7b53442e9

SHA512
ea5e340acbe438a421d8d70f9ee0fa950b742da98779a73c2b439e6e39ed7f6adf92592736eb556330e49171aead5c45533b9f43201d4697ce7bf054da5579c5

Download Submit
\ProgramData\DA73TrdFRfOTiNx\FyGAMjyYP.exe

Filesize
351KB

MD5
f87940c719f1d65d486e95522faa8ea1

SHA1
db0051e64aa325c083608db6aada6bae5cdfd3ab

SHA256
e87298a8686170a5a6c3baf6fb441c049fe8d61069bf65d2a2c465d7b53442e9

SHA512
ea5e340acbe438a421d8d70f9ee0fa950b742da98779a73c2b439e6e39ed7f6adf92592736eb556330e49171aead5c45533b9f43201d4697ce7bf054da5579c5

Download Submit
\ProgramData\DA73TrdFRfOTiNx\FyGAMjyYP.exe

Filesize
351KB

MD5
f87940c719f1d65d486e95522faa8ea1

SHA1
db0051e64aa325c083608db6aada6bae5cdfd3ab

SHA256
e87298a8686170a5a6c3baf6fb441c049fe8d61069bf65d2a2c465d7b53442e9

SHA512
ea5e340acbe438a421d8d70f9ee0fa950b742da98779a73c2b439e6e39ed7f6adf92592736eb556330e49171aead5c45533b9f43201d4697ce7bf054da5579c5

Download Submit
\ProgramData\DA73TrdFRfOTiNx\FyGAMjyYP.exe

Filesize
351KB

MD5
20338f738bd066961ae639e0820c6f5e

SHA1
a7945be15e1cceb9cfc70efb6956951ede4b1eb0

SHA256
fa7024d364d5e55b264682960cf0807d1ded4e917ca8614c4f2d027990ae5b4f

SHA512
1fe569ce8ec1a32efd65e662a2311e142acd0bf818b9c3f3a43f2725010d5227b23a45d6d7eb1871def1270fb6ad6a111246da4033e47a01058d1148517c7b57

Download Submit
\Users\Admin\AppData\Local\Temp\ObhUocAvuVR.exe

Filesize
351KB

MD5
f87940c719f1d65d486e95522faa8ea1

SHA1
db0051e64aa325c083608db6aada6bae5cdfd3ab

SHA256
e87298a8686170a5a6c3baf6fb441c049fe8d61069bf65d2a2c465d7b53442e9

SHA512
ea5e340acbe438a421d8d70f9ee0fa950b742da98779a73c2b439e6e39ed7f6adf92592736eb556330e49171aead5c45533b9f43201d4697ce7bf054da5579c5

Download Submit
memory/860-65-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/860-59-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/860-54-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/860-58-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/860-57-0x00000000004475D4-mapping.dmp

Download
memory/860-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/972-79-0x00000000004475D4-mapping.dmp

Download
memory/972-83-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/972-84-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1324-70-0x00000000004475D4-mapping.dmp

Download
memory/1324-74-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1324-82-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2028-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing