79770e22c492a88f231351aec65f544acf75c9e05205b6b8f644d6318315aa85

General

Target

79770e22c492a88f231351aec65f544acf75c9e05205b6b8f644d6318315aa85.exe
Size

356KB
MD5

041f5a7795e4f6f967b885645ba07920
SHA1

3b7c93f8e3f1c600dccef6cf6652acb0e8066f3b
SHA256

79770e22c492a88f231351aec65f544acf75c9e05205b6b8f644d6318315aa85
SHA512

2cb9a329bd817a32208102fced498a3ab92d0b289bdd51888be88a539dd180feb9a16c1bdd8a87f679e566e03230edcc1233cac3b463dda326d30b99affa8dd6
SSDEEP

6144:7vbx8t3UP/SKSYidfwWQl0zo2jbzjxaFEpsyeN4:7u6KKwdjQWzo2jbzYFEeC

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1628	1WLmnfejg.exe
680	1WLmnfejg.exe

Deletes itself 1 IoCs

pid	Process
680	1WLmnfejg.exe

Loads dropped DLL 4 IoCs

pid	Process
596	79770e22c492a88f231351aec65f544acf75c9e05205b6b8f644d6318315aa85.exe
596	79770e22c492a88f231351aec65f544acf75c9e05205b6b8f644d6318315aa85.exe
596	79770e22c492a88f231351aec65f544acf75c9e05205b6b8f644d6318315aa85.exe
680	1WLmnfejg.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	79770e22c492a88f231351aec65f544acf75c9e05205b6b8f644d6318315aa85.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\zfceMdPbu86KJ = "C:\\ProgramData\\GSLzedELik\\1WLmnfejg.exe"	79770e22c492a88f231351aec65f544acf75c9e05205b6b8f644d6318315aa85.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 956 set thread context of 596	956	79770e22c492a88f231351aec65f544acf75c9e05205b6b8f644d6318315aa85.exe	28
PID 1628 set thread context of 680	1628	1WLmnfejg.exe	30
PID 680 set thread context of 1844	680	1WLmnfejg.exe	31

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 596	956	79770e22c492a88f231351aec65f544acf75c9e05205b6b8f644d6318315aa85.exe	28
PID 956 wrote to memory of 596	956	79770e22c492a88f231351aec65f544acf75c9e05205b6b8f644d6318315aa85.exe	28
PID 956 wrote to memory of 596	956	79770e22c492a88f231351aec65f544acf75c9e05205b6b8f644d6318315aa85.exe	28
PID 956 wrote to memory of 596	956	79770e22c492a88f231351aec65f544acf75c9e05205b6b8f644d6318315aa85.exe	28
PID 956 wrote to memory of 596	956	79770e22c492a88f231351aec65f544acf75c9e05205b6b8f644d6318315aa85.exe	28
PID 956 wrote to memory of 596	956	79770e22c492a88f231351aec65f544acf75c9e05205b6b8f644d6318315aa85.exe	28
PID 596 wrote to memory of 1628	596	79770e22c492a88f231351aec65f544acf75c9e05205b6b8f644d6318315aa85.exe	29
PID 596 wrote to memory of 1628	596	79770e22c492a88f231351aec65f544acf75c9e05205b6b8f644d6318315aa85.exe	29
PID 596 wrote to memory of 1628	596	79770e22c492a88f231351aec65f544acf75c9e05205b6b8f644d6318315aa85.exe	29
PID 596 wrote to memory of 1628	596	79770e22c492a88f231351aec65f544acf75c9e05205b6b8f644d6318315aa85.exe	29
PID 1628 wrote to memory of 680	1628	1WLmnfejg.exe	30
PID 1628 wrote to memory of 680	1628	1WLmnfejg.exe	30
PID 1628 wrote to memory of 680	1628	1WLmnfejg.exe	30
PID 1628 wrote to memory of 680	1628	1WLmnfejg.exe	30
PID 1628 wrote to memory of 680	1628	1WLmnfejg.exe	30
PID 1628 wrote to memory of 680	1628	1WLmnfejg.exe	30
PID 680 wrote to memory of 1844	680	1WLmnfejg.exe	31
PID 680 wrote to memory of 1844	680	1WLmnfejg.exe	31
PID 680 wrote to memory of 1844	680	1WLmnfejg.exe	31
PID 680 wrote to memory of 1844	680	1WLmnfejg.exe	31
PID 680 wrote to memory of 1844	680	1WLmnfejg.exe	31
PID 680 wrote to memory of 1844	680	1WLmnfejg.exe	31
PID 680 wrote to memory of 1844	680	1WLmnfejg.exe	31
PID 680 wrote to memory of 1844	680	1WLmnfejg.exe	31
PID 680 wrote to memory of 1844	680	1WLmnfejg.exe	31

C:\Users\Admin\AppData\Local\Temp\79770e22c492a88f231351aec65f544acf75c9e05205b6b8f644d6318315aa85.exe
"C:\Users\Admin\AppData\Local\Temp\79770e22c492a88f231351aec65f544acf75c9e05205b6b8f644d6318315aa85.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:956
- C:\Users\Admin\AppData\Local\Temp\79770e22c492a88f231351aec65f544acf75c9e05205b6b8f644d6318315aa85.exe
  "C:\Users\Admin\AppData\Local\Temp\79770e22c492a88f231351aec65f544acf75c9e05205b6b8f644d6318315aa85.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:596
- - C:\ProgramData\GSLzedELik\1WLmnfejg.exe
    "C:\ProgramData\GSLzedELik\1WLmnfejg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\ProgramData\GSLzedELik\1WLmnfejg.exe
      "C:\ProgramData\GSLzedELik\1WLmnfejg.exe"
      4⤵
      Executes dropped EXE
      Deletes itself
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:680
    - - C:\Program Files (x86)\Internet Explorer\ieinstal.exe
        
        "C:\Program Files (x86)\Internet Explorer\ieinstal.exe" /i:680
        5⤵
        
        PID:1844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GSLzedELik\1WLmnfejg.exe

Filesize
356KB

MD5
a4f7bbdb0cd97222db4a2a1b428aed79

SHA1
77dcff288d1cade4d1d6efb50a6c1ed31377dcca

SHA256
a68cbed2fc0bbe84b1d573f9d099b4dd61d2dcc848f1977618e2c3d943001ded

SHA512
419661dee941d399d5fc94387b219ab1288df0b6cd7688d34c91cf956065612e6600670e32f1ee0523b73968e10170221ead3e20af319a604d13fbf580eb7047

Download Submit
C:\ProgramData\GSLzedELik\1WLmnfejg.exe

Filesize
356KB

MD5
a4f7bbdb0cd97222db4a2a1b428aed79

SHA1
77dcff288d1cade4d1d6efb50a6c1ed31377dcca

SHA256
a68cbed2fc0bbe84b1d573f9d099b4dd61d2dcc848f1977618e2c3d943001ded

SHA512
419661dee941d399d5fc94387b219ab1288df0b6cd7688d34c91cf956065612e6600670e32f1ee0523b73968e10170221ead3e20af319a604d13fbf580eb7047

Download Submit
C:\ProgramData\GSLzedELik\1WLmnfejg.exe

Filesize
356KB

MD5
a4f7bbdb0cd97222db4a2a1b428aed79

SHA1
77dcff288d1cade4d1d6efb50a6c1ed31377dcca

SHA256
a68cbed2fc0bbe84b1d573f9d099b4dd61d2dcc848f1977618e2c3d943001ded

SHA512
419661dee941d399d5fc94387b219ab1288df0b6cd7688d34c91cf956065612e6600670e32f1ee0523b73968e10170221ead3e20af319a604d13fbf580eb7047

Download Submit
\ProgramData\GSLzedELik\1WLmnfejg.exe

Filesize
356KB

MD5
041f5a7795e4f6f967b885645ba07920

SHA1
3b7c93f8e3f1c600dccef6cf6652acb0e8066f3b

SHA256
79770e22c492a88f231351aec65f544acf75c9e05205b6b8f644d6318315aa85

SHA512
2cb9a329bd817a32208102fced498a3ab92d0b289bdd51888be88a539dd180feb9a16c1bdd8a87f679e566e03230edcc1233cac3b463dda326d30b99affa8dd6

Download Submit
\ProgramData\GSLzedELik\1WLmnfejg.exe

Filesize
356KB

MD5
a4f7bbdb0cd97222db4a2a1b428aed79

SHA1
77dcff288d1cade4d1d6efb50a6c1ed31377dcca

SHA256
a68cbed2fc0bbe84b1d573f9d099b4dd61d2dcc848f1977618e2c3d943001ded

SHA512
419661dee941d399d5fc94387b219ab1288df0b6cd7688d34c91cf956065612e6600670e32f1ee0523b73968e10170221ead3e20af319a604d13fbf580eb7047

Download Submit
\ProgramData\GSLzedELik\1WLmnfejg.exe

Filesize
356KB

MD5
a4f7bbdb0cd97222db4a2a1b428aed79

SHA1
77dcff288d1cade4d1d6efb50a6c1ed31377dcca

SHA256
a68cbed2fc0bbe84b1d573f9d099b4dd61d2dcc848f1977618e2c3d943001ded

SHA512
419661dee941d399d5fc94387b219ab1288df0b6cd7688d34c91cf956065612e6600670e32f1ee0523b73968e10170221ead3e20af319a604d13fbf580eb7047

Download Submit
\Users\Admin\AppData\Local\Temp\niupCCtclvC.exe

Filesize
356KB

MD5
a4f7bbdb0cd97222db4a2a1b428aed79

SHA1
77dcff288d1cade4d1d6efb50a6c1ed31377dcca

SHA256
a68cbed2fc0bbe84b1d573f9d099b4dd61d2dcc848f1977618e2c3d943001ded

SHA512
419661dee941d399d5fc94387b219ab1288df0b6cd7688d34c91cf956065612e6600670e32f1ee0523b73968e10170221ead3e20af319a604d13fbf580eb7047

Download Submit
memory/596-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/596-54-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/596-59-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/596-58-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/596-66-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/596-60-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/680-77-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/680-76-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/680-84-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1844-85-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1844-86-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing