bb5cf472e0d5283ab8c177872fa01e638e46d9fa83a2de44111b363a737f91c6

General

Target

bb5cf472e0d5283ab8c177872fa01e638e46d9fa83a2de44111b363a737f91c6.exe
Size

82KB
MD5

40cd07cb2aa4f0cac808618b20e4d0ed
SHA1

062514111f78e91787c0f2e88c0e1f4e8359c69c
SHA256

bb5cf472e0d5283ab8c177872fa01e638e46d9fa83a2de44111b363a737f91c6
SHA512

85133f348cd0c3f632d6c57c1538bdf6dd40aa55370c2890e3b04b1a508bb0abb142f1e7553cceb8282470fb58a20c156d8b4925f19bf2e87b38cd247197f9f7
SSDEEP

1536:HcNHeb3XpCq0uAe7VeMC3+XFlZyQ2FYQtEUOJW:85g3XpCq04hr9d2FXvwW

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3504	service2.exe
2096	service2.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Services = "service2.exe"	bb5cf472e0d5283ab8c177872fa01e638e46d9fa83a2de44111b363a737f91c6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service2.exe"	service2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service2.exe"	bb5cf472e0d5283ab8c177872fa01e638e46d9fa83a2de44111b363a737f91c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	bb5cf472e0d5283ab8c177872fa01e638e46d9fa83a2de44111b363a737f91c6.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1360 set thread context of 3916	1360	bb5cf472e0d5283ab8c177872fa01e638e46d9fa83a2de44111b363a737f91c6.exe	83
PID 3504 set thread context of 2096	3504	service2.exe	85

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1360	bb5cf472e0d5283ab8c177872fa01e638e46d9fa83a2de44111b363a737f91c6.exe
3504	service2.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 3916	1360	bb5cf472e0d5283ab8c177872fa01e638e46d9fa83a2de44111b363a737f91c6.exe	83
PID 1360 wrote to memory of 3916	1360	bb5cf472e0d5283ab8c177872fa01e638e46d9fa83a2de44111b363a737f91c6.exe	83
PID 1360 wrote to memory of 3916	1360	bb5cf472e0d5283ab8c177872fa01e638e46d9fa83a2de44111b363a737f91c6.exe	83
PID 1360 wrote to memory of 3916	1360	bb5cf472e0d5283ab8c177872fa01e638e46d9fa83a2de44111b363a737f91c6.exe	83
PID 1360 wrote to memory of 3916	1360	bb5cf472e0d5283ab8c177872fa01e638e46d9fa83a2de44111b363a737f91c6.exe	83
PID 1360 wrote to memory of 3916	1360	bb5cf472e0d5283ab8c177872fa01e638e46d9fa83a2de44111b363a737f91c6.exe	83
PID 1360 wrote to memory of 3916	1360	bb5cf472e0d5283ab8c177872fa01e638e46d9fa83a2de44111b363a737f91c6.exe	83
PID 1360 wrote to memory of 3916	1360	bb5cf472e0d5283ab8c177872fa01e638e46d9fa83a2de44111b363a737f91c6.exe	83
PID 3916 wrote to memory of 3504	3916	bb5cf472e0d5283ab8c177872fa01e638e46d9fa83a2de44111b363a737f91c6.exe	84
PID 3916 wrote to memory of 3504	3916	bb5cf472e0d5283ab8c177872fa01e638e46d9fa83a2de44111b363a737f91c6.exe	84
PID 3916 wrote to memory of 3504	3916	bb5cf472e0d5283ab8c177872fa01e638e46d9fa83a2de44111b363a737f91c6.exe	84
PID 3504 wrote to memory of 2096	3504	service2.exe	85
PID 3504 wrote to memory of 2096	3504	service2.exe	85
PID 3504 wrote to memory of 2096	3504	service2.exe	85
PID 3504 wrote to memory of 2096	3504	service2.exe	85
PID 3504 wrote to memory of 2096	3504	service2.exe	85
PID 3504 wrote to memory of 2096	3504	service2.exe	85
PID 3504 wrote to memory of 2096	3504	service2.exe	85
PID 3504 wrote to memory of 2096	3504	service2.exe	85

C:\Users\Admin\AppData\Local\Temp\bb5cf472e0d5283ab8c177872fa01e638e46d9fa83a2de44111b363a737f91c6.exe
"C:\Users\Admin\AppData\Local\Temp\bb5cf472e0d5283ab8c177872fa01e638e46d9fa83a2de44111b363a737f91c6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Users\Admin\AppData\Local\Temp\bb5cf472e0d5283ab8c177872fa01e638e46d9fa83a2de44111b363a737f91c6.exe
  C:\Users\Admin\AppData\Local\Temp\bb5cf472e0d5283ab8c177872fa01e638e46d9fa83a2de44111b363a737f91c6.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Users\Admin\AppData\Local\Temp\service2.exe
    "C:\Users\Admin\AppData\Local\Temp\service2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3504
  - - C:\Users\Admin\AppData\Local\Temp\service2.exe
      C:\Users\Admin\AppData\Local\Temp\service2.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:2096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\service2.exe

Filesize
82KB

MD5
40cd07cb2aa4f0cac808618b20e4d0ed

SHA1
062514111f78e91787c0f2e88c0e1f4e8359c69c

SHA256
bb5cf472e0d5283ab8c177872fa01e638e46d9fa83a2de44111b363a737f91c6

SHA512
85133f348cd0c3f632d6c57c1538bdf6dd40aa55370c2890e3b04b1a508bb0abb142f1e7553cceb8282470fb58a20c156d8b4925f19bf2e87b38cd247197f9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\service2.exe

Filesize
82KB

MD5
40cd07cb2aa4f0cac808618b20e4d0ed

SHA1
062514111f78e91787c0f2e88c0e1f4e8359c69c

SHA256
bb5cf472e0d5283ab8c177872fa01e638e46d9fa83a2de44111b363a737f91c6

SHA512
85133f348cd0c3f632d6c57c1538bdf6dd40aa55370c2890e3b04b1a508bb0abb142f1e7553cceb8282470fb58a20c156d8b4925f19bf2e87b38cd247197f9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\service2.exe

Filesize
82KB

MD5
40cd07cb2aa4f0cac808618b20e4d0ed

SHA1
062514111f78e91787c0f2e88c0e1f4e8359c69c

SHA256
bb5cf472e0d5283ab8c177872fa01e638e46d9fa83a2de44111b363a737f91c6

SHA512
85133f348cd0c3f632d6c57c1538bdf6dd40aa55370c2890e3b04b1a508bb0abb142f1e7553cceb8282470fb58a20c156d8b4925f19bf2e87b38cd247197f9f7

Download Submit
memory/2096-149-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3916-135-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3916-137-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3916-138-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3916-150-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing