1b13769c934d1905c882f192f54b9603b24c497dddce4f94689372ee0fbe8d35

General

Target

1b13769c934d1905c882f192f54b9603b24c497dddce4f94689372ee0fbe8d35.exe
Size

160KB
MD5

6c9e680f0412a01b3c6affc28efa9cbf
SHA1

dadabae8002511105e21ae96ebcaa2eba1de9d02
SHA256

1b13769c934d1905c882f192f54b9603b24c497dddce4f94689372ee0fbe8d35
SHA512

43d4e1597a4a5623afc228b1bf13498570f4ee2bb4112a83e1ab030b7c656de744ff532143d6be247a0d8c5012a415a95710cf070c308e15bd5a7411f3ecc527
SSDEEP

3072:CSSoh6+OpcmFktExIz4OPmNaVKLb7pzkm2FT2c8vhosMMl:Cpw6+OpSC9xN+apF2FTSZosNl

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
904	Sogou.exe
1952	Sougou.exe
936	Sogou.exe

Loads dropped DLL 2 IoCs

pid	Process
1788	1b13769c934d1905c882f192f54b9603b24c497dddce4f94689372ee0fbe8d35.exe
1952	Sougou.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	1b13769c934d1905c882f192f54b9603b24c497dddce4f94689372ee0fbe8d35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ball = "C:\\progra~1\\Common Files\\Sogou.exe"	1b13769c934d1905c882f192f54b9603b24c497dddce4f94689372ee0fbe8d35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Sougou.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Ball = "C:\\progra~1\\Common Files\\Sogou.exe"	Sougou.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sougou.exe	Sogou.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\progra~1\Common Files\Sogou.exe	1b13769c934d1905c882f192f54b9603b24c497dddce4f94689372ee0fbe8d35.exe
File opened for modification	C:\progra~1\Common Files\Sogou.exe	1b13769c934d1905c882f192f54b9603b24c497dddce4f94689372ee0fbe8d35.exe
File created	C:\progra~1\Common Files\Sogou.exe	Sougou.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 904	1788	1b13769c934d1905c882f192f54b9603b24c497dddce4f94689372ee0fbe8d35.exe	27
PID 1788 wrote to memory of 904	1788	1b13769c934d1905c882f192f54b9603b24c497dddce4f94689372ee0fbe8d35.exe	27
PID 1788 wrote to memory of 904	1788	1b13769c934d1905c882f192f54b9603b24c497dddce4f94689372ee0fbe8d35.exe	27
PID 1788 wrote to memory of 904	1788	1b13769c934d1905c882f192f54b9603b24c497dddce4f94689372ee0fbe8d35.exe	27
PID 1952 wrote to memory of 936	1952	Sougou.exe	29
PID 1952 wrote to memory of 936	1952	Sougou.exe	29
PID 1952 wrote to memory of 936	1952	Sougou.exe	29
PID 1952 wrote to memory of 936	1952	Sougou.exe	29

C:\Users\Admin\AppData\Local\Temp\1b13769c934d1905c882f192f54b9603b24c497dddce4f94689372ee0fbe8d35.exe
"C:\Users\Admin\AppData\Local\Temp\1b13769c934d1905c882f192f54b9603b24c497dddce4f94689372ee0fbe8d35.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1788
- C:\progra~1\Common Files\Sogou.exe
  "C:\progra~1\Common Files\Sogou.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:904

C:\Windows\SysWOW64\Sougou.exe
C:\Windows\SysWOW64\Sougou.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1952
- C:\progra~1\Common Files\Sogou.exe
  "C:\progra~1\Common Files\Sogou.exe"
  2⤵
  - Executes dropped EXE
  PID:936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\Common Files\Sogou.exe

Filesize
160KB

MD5
6c9e680f0412a01b3c6affc28efa9cbf

SHA1
dadabae8002511105e21ae96ebcaa2eba1de9d02

SHA256
1b13769c934d1905c882f192f54b9603b24c497dddce4f94689372ee0fbe8d35

SHA512
43d4e1597a4a5623afc228b1bf13498570f4ee2bb4112a83e1ab030b7c656de744ff532143d6be247a0d8c5012a415a95710cf070c308e15bd5a7411f3ecc527

Download Submit
C:\PROGRA~1\Common Files\Sogou.exe

Filesize
160KB

MD5
6c9e680f0412a01b3c6affc28efa9cbf

SHA1
dadabae8002511105e21ae96ebcaa2eba1de9d02

SHA256
1b13769c934d1905c882f192f54b9603b24c497dddce4f94689372ee0fbe8d35

SHA512
43d4e1597a4a5623afc228b1bf13498570f4ee2bb4112a83e1ab030b7c656de744ff532143d6be247a0d8c5012a415a95710cf070c308e15bd5a7411f3ecc527

Download Submit
C:\Windows\SysWOW64\Sougou.exe

Filesize
27.2MB

MD5
142977fc914f5e95e18eb51bf1da765b

SHA1
ee7ff9450dd115e4821ea22f70a9a0ee57600899

SHA256
b7d765e3443298c231c56cca40802e630b4aaf0a6b206973c3336b9a7fe37087

SHA512
f77314028631f7ce0a7616bb111fc5b91a939593a980917643f58e23072669a4f6d6288c51ee6c46f020909f4ff8b7eb4e3c3966b809ad5639d358c4d7de2ee4

Download Submit
C:\Windows\SysWOW64\Sougou.exe

Filesize
27.2MB

MD5
142977fc914f5e95e18eb51bf1da765b

SHA1
ee7ff9450dd115e4821ea22f70a9a0ee57600899

SHA256
b7d765e3443298c231c56cca40802e630b4aaf0a6b206973c3336b9a7fe37087

SHA512
f77314028631f7ce0a7616bb111fc5b91a939593a980917643f58e23072669a4f6d6288c51ee6c46f020909f4ff8b7eb4e3c3966b809ad5639d358c4d7de2ee4

Download Submit
C:\progra~1\Common Files\Sogou.exe

Filesize
160KB

MD5
6c9e680f0412a01b3c6affc28efa9cbf

SHA1
dadabae8002511105e21ae96ebcaa2eba1de9d02

SHA256
1b13769c934d1905c882f192f54b9603b24c497dddce4f94689372ee0fbe8d35

SHA512
43d4e1597a4a5623afc228b1bf13498570f4ee2bb4112a83e1ab030b7c656de744ff532143d6be247a0d8c5012a415a95710cf070c308e15bd5a7411f3ecc527

Download Submit
\PROGRA~1\Common Files\Sogou.exe

Filesize
160KB

MD5
6c9e680f0412a01b3c6affc28efa9cbf

SHA1
dadabae8002511105e21ae96ebcaa2eba1de9d02

SHA256
1b13769c934d1905c882f192f54b9603b24c497dddce4f94689372ee0fbe8d35

SHA512
43d4e1597a4a5623afc228b1bf13498570f4ee2bb4112a83e1ab030b7c656de744ff532143d6be247a0d8c5012a415a95710cf070c308e15bd5a7411f3ecc527

Download Submit
\PROGRA~1\Common Files\Sogou.exe

Filesize
160KB

MD5
6c9e680f0412a01b3c6affc28efa9cbf

SHA1
dadabae8002511105e21ae96ebcaa2eba1de9d02

SHA256
1b13769c934d1905c882f192f54b9603b24c497dddce4f94689372ee0fbe8d35

SHA512
43d4e1597a4a5623afc228b1bf13498570f4ee2bb4112a83e1ab030b7c656de744ff532143d6be247a0d8c5012a415a95710cf070c308e15bd5a7411f3ecc527

Download Submit
memory/1788-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing