862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c

General

Target

862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe
Size

606KB
MD5

0acb3172631f0161d0f1504e44d922df
SHA1

a3ca1d6f2c67ca15ff6ae0b594a909fec14d6f42
SHA256

862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c
SHA512

c1e59d8293bd7faf69e2add8e8b97393060b2d7b3f0b57923d27a0050fc33fff8e97888c5f3167893b1d0e9a27f13eee491b1748234d2082c25b9de38aff3a95
SSDEEP

1536:xzWu+k+UHW8QkHnmpSbUhhFJrDnhH//pSzrcU:CUFISbUhhFJrDhH/BuI

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4744	aa89259.exe
3624	aa89259.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aa89259 = "C:\\Users\\Admin\\AppData\\Roaming\\aa89259\\aa89259.exe"	aa89259.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aa89259 = "C:\\Users\\Admin\\AppData\\Roaming\\aa89259\\aa89259.exe"	aa89259.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5036 set thread context of 4180	5036	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe	82
PID 4744 set thread context of 3624	4744	aa89259.exe	84

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4152	3524	WerFault.exe	85

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3624	aa89259.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 4180	5036	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe	82
PID 5036 wrote to memory of 4180	5036	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe	82
PID 5036 wrote to memory of 4180	5036	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe	82
PID 5036 wrote to memory of 4180	5036	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe	82
PID 5036 wrote to memory of 4180	5036	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe	82
PID 5036 wrote to memory of 4180	5036	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe	82
PID 5036 wrote to memory of 4180	5036	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe	82
PID 5036 wrote to memory of 4180	5036	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe	82
PID 5036 wrote to memory of 4180	5036	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe	82
PID 4180 wrote to memory of 4744	4180	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe	83
PID 4180 wrote to memory of 4744	4180	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe	83
PID 4180 wrote to memory of 4744	4180	862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe	83
PID 4744 wrote to memory of 3624	4744	aa89259.exe	84
PID 4744 wrote to memory of 3624	4744	aa89259.exe	84
PID 4744 wrote to memory of 3624	4744	aa89259.exe	84
PID 4744 wrote to memory of 3624	4744	aa89259.exe	84
PID 4744 wrote to memory of 3624	4744	aa89259.exe	84
PID 4744 wrote to memory of 3624	4744	aa89259.exe	84
PID 4744 wrote to memory of 3624	4744	aa89259.exe	84
PID 4744 wrote to memory of 3624	4744	aa89259.exe	84
PID 4744 wrote to memory of 3624	4744	aa89259.exe	84
PID 3624 wrote to memory of 3524	3624	aa89259.exe	85
PID 3624 wrote to memory of 3524	3624	aa89259.exe	85
PID 3624 wrote to memory of 3524	3624	aa89259.exe	85
PID 3624 wrote to memory of 3524	3624	aa89259.exe	85
PID 3624 wrote to memory of 3524	3624	aa89259.exe	85

C:\Users\Admin\AppData\Local\Temp\862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe
"C:\Users\Admin\AppData\Local\Temp\862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe
  "C:\Users\Admin\AppData\Local\Temp\862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Users\Admin\AppData\Roaming\aa89259\aa89259.exe
    "C:\Users\Admin\AppData\Roaming\aa89259\aa89259.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Users\Admin\AppData\Roaming\aa89259\aa89259.exe
      "C:\Users\Admin\AppData\Roaming\aa89259\aa89259.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3624
    - - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\syswow64\explorer.exe"
        5⤵
        
        PID:3524
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 832
        6⤵
        Program crash
        
        PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3524 -ip 3524
1⤵
PID:4028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\aa89259\aa89259.exe

Filesize
606KB

MD5
0acb3172631f0161d0f1504e44d922df

SHA1
a3ca1d6f2c67ca15ff6ae0b594a909fec14d6f42

SHA256
862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c

SHA512
c1e59d8293bd7faf69e2add8e8b97393060b2d7b3f0b57923d27a0050fc33fff8e97888c5f3167893b1d0e9a27f13eee491b1748234d2082c25b9de38aff3a95

Download Submit
C:\Users\Admin\AppData\Roaming\aa89259\aa89259.exe

Filesize
606KB

MD5
0acb3172631f0161d0f1504e44d922df

SHA1
a3ca1d6f2c67ca15ff6ae0b594a909fec14d6f42

SHA256
862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c

SHA512
c1e59d8293bd7faf69e2add8e8b97393060b2d7b3f0b57923d27a0050fc33fff8e97888c5f3167893b1d0e9a27f13eee491b1748234d2082c25b9de38aff3a95

Download Submit
C:\Users\Admin\AppData\Roaming\aa89259\aa89259.exe

Filesize
606KB

MD5
0acb3172631f0161d0f1504e44d922df

SHA1
a3ca1d6f2c67ca15ff6ae0b594a909fec14d6f42

SHA256
862e7759b4b7a6d53e5e0187e084ec6228fc1c4d69c0843ccaf14517a6a7be3c

SHA512
c1e59d8293bd7faf69e2add8e8b97393060b2d7b3f0b57923d27a0050fc33fff8e97888c5f3167893b1d0e9a27f13eee491b1748234d2082c25b9de38aff3a95

Download Submit
memory/3524-151-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3624-150-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4180-134-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4180-136-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4180-140-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4744-148-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4744-142-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5036-132-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5036-137-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing