f1b3e499d6e83d1d2038eb835205e2fd2bc79b1a4b5dd8823c88ec9356a95aa4

General

Target

f1b3e499d6e83d1d2038eb835205e2fd2bc79b1a4b5dd8823c88ec9356a95aa4.exe
Size

38.1MB
MD5

d94d71e62542ed54a477eb1bb39ead06
SHA1

ae2c54dfee8a433f239f9dfcd84e3cd9290edfc4
SHA256

f1b3e499d6e83d1d2038eb835205e2fd2bc79b1a4b5dd8823c88ec9356a95aa4
SHA512

3a9ef6d9933ea8c17b83edfa82c5f9858d7ceed34681bd8f587b8ed3396b9c4f3370d5ce53b66e36e029b567857210fdde346a6ddc055cca7ee684f9763da1ce
SSDEEP

786432:byV4FVHIo9fiTpQTmMxY23oHzOkSBf3OY:WV4wo9fMQfxCikW/OY

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3864	pfactory_batch_setup_m32.exe
1252	GLBF184.tmp

Loads dropped DLL 3 IoCs

pid	Process
1252	GLBF184.tmp
1252	GLBF184.tmp
1252	GLBF184.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\f1b3e499d6e83d1d2038eb835205e2fd2bc79b1a4b5dd8823c88ec9356a95aa4 = "C:\\Users\\Public\\Dcuov\\Yerg.exe /f1b3e499d6e83d1d2038eb835205e2fd2bc79b1a4b5dd8823c88ec9356a95aa4"	f1b3e499d6e83d1d2038eb835205e2fd2bc79b1a4b5dd8823c88ec9356a95aa4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	f1b3e499d6e83d1d2038eb835205e2fd2bc79b1a4b5dd8823c88ec9356a95aa4.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GLBSINST.%$D	GLBF184.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 3864	2348	f1b3e499d6e83d1d2038eb835205e2fd2bc79b1a4b5dd8823c88ec9356a95aa4.exe	78
PID 2348 wrote to memory of 3864	2348	f1b3e499d6e83d1d2038eb835205e2fd2bc79b1a4b5dd8823c88ec9356a95aa4.exe	78
PID 2348 wrote to memory of 3864	2348	f1b3e499d6e83d1d2038eb835205e2fd2bc79b1a4b5dd8823c88ec9356a95aa4.exe	78
PID 3864 wrote to memory of 1252	3864	pfactory_batch_setup_m32.exe	79
PID 3864 wrote to memory of 1252	3864	pfactory_batch_setup_m32.exe	79
PID 3864 wrote to memory of 1252	3864	pfactory_batch_setup_m32.exe	79

C:\Users\Admin\AppData\Local\Temp\f1b3e499d6e83d1d2038eb835205e2fd2bc79b1a4b5dd8823c88ec9356a95aa4.exe
"C:\Users\Admin\AppData\Local\Temp\f1b3e499d6e83d1d2038eb835205e2fd2bc79b1a4b5dd8823c88ec9356a95aa4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\Temp\Epmk529\pfactory_batch_setup_m32.exe
  C:\Users\Admin\AppData\Local\Temp\Epmk529\pfactory_batch_setup_m32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Users\Admin\AppData\Local\Temp\GLBF184.tmp
    C:\Users\Admin\AppData\Local\Temp\GLBF184.tmp 4736 C:\Users\Admin\AppData\Local\Temp\Epmk529\PFACTO~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:1252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Epmk529\pfactory_batch_setup_m32.exe

Filesize
9.5MB

MD5
a5902492f410231a04bfddf2c6e1c2dd

SHA1
5107f93ca0fa52f746a8b7c10a6de588964d6682

SHA256
40c4f4a8fbc1df19abfd17e805ce5c8aeecd6ea9d66dd284df7f1080fc3074a8

SHA512
cfa8e348fc17c8d495950ee28a9a7681914ff78402aad9b41823610d7d48e779a739ae87ac9cc356f17cba0e1529e9f8ad0253d2bdfdfbb2dffba56aca11e2c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Epmk529\pfactory_batch_setup_m32.exe

Filesize
9.5MB

MD5
a5902492f410231a04bfddf2c6e1c2dd

SHA1
5107f93ca0fa52f746a8b7c10a6de588964d6682

SHA256
40c4f4a8fbc1df19abfd17e805ce5c8aeecd6ea9d66dd284df7f1080fc3074a8

SHA512
cfa8e348fc17c8d495950ee28a9a7681914ff78402aad9b41823610d7d48e779a739ae87ac9cc356f17cba0e1529e9f8ad0253d2bdfdfbb2dffba56aca11e2c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLBF184.tmp

Filesize
70KB

MD5
620a234d003cb61511c134cfadfdfad1

SHA1
9de80f0485635c081f86d660cc83c4871061b349

SHA256
b24283da3bb7d662ae6ce3dc87b99b3edef0e8c0fe1e195ceb7a112aff89bc73

SHA512
d51ed48a009cb6efffa363ffabc7b9cd363534a5b4c9ef2360240ec08a65fed0faa70ddc152ec57430fc95e9ee505e7e8417cca604226a93e36d6d8c5c66ee7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLBF184.tmp

Filesize
70KB

MD5
620a234d003cb61511c134cfadfdfad1

SHA1
9de80f0485635c081f86d660cc83c4871061b349

SHA256
b24283da3bb7d662ae6ce3dc87b99b3edef0e8c0fe1e195ceb7a112aff89bc73

SHA512
d51ed48a009cb6efffa363ffabc7b9cd363534a5b4c9ef2360240ec08a65fed0faa70ddc152ec57430fc95e9ee505e7e8417cca604226a93e36d6d8c5c66ee7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLCF2EB.tmp

Filesize
161KB

MD5
8c97d8bb1470c6498e47b12c5a03ce39

SHA1
15d233b22f1c3d756dca29bcc0021e6fb0b8cdf7

SHA256
a87f19f9fee475d2b2e82acfb4589be6d816b613064cd06826e1d4c147beb50a

SHA512
7ad0b2b0319da52152c2595ee45045d0c06b157cdaaa56ad57dde9736be3e45fd7357949126f80d3e72b21510f9bf69d010d51b3967a7644662808beed067c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLKF3B7.tmp

Filesize
33KB

MD5
517419cae37f6c78c80f9b7d0fbb8661

SHA1
a9e419f3d9ef589522556e0920c84fe37a548873

SHA256
bfe7e013cfb85e78b994d3ad34eca08286494a835cb85f1d7bced3df6fe93a11

SHA512
5046565443cf463b6fa4d2d5868879efc6a9db969bf05e3c80725b99bd091ce062cfe66c5551eb1cc5f00a38f2cfcda1f36fb4d60d9ff816c4ec3107b5a0df40

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLKF3B7.tmp

Filesize
33KB

MD5
517419cae37f6c78c80f9b7d0fbb8661

SHA1
a9e419f3d9ef589522556e0920c84fe37a548873

SHA256
bfe7e013cfb85e78b994d3ad34eca08286494a835cb85f1d7bced3df6fe93a11

SHA512
5046565443cf463b6fa4d2d5868879efc6a9db969bf05e3c80725b99bd091ce062cfe66c5551eb1cc5f00a38f2cfcda1f36fb4d60d9ff816c4ec3107b5a0df40

Download Submit
memory/1252-141-0x00000000022C1000-0x00000000022C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing