659755abcc2eaf9b87ff2929c7c19f39bfe58aa7abe6671ee17a18244cb0dd93

General

Target

1a5ef17bc80cccbd042e62ae680aa29c.exe
Size

336KB
MD5

1a5ef17bc80cccbd042e62ae680aa29c
SHA1

9f83c01ea2ed04a78b0b59c476925c25d903d47f
SHA256

659755abcc2eaf9b87ff2929c7c19f39bfe58aa7abe6671ee17a18244cb0dd93
SHA512

341a97afbcdec0feabccc327b385195390bd1af95a5bfbb6fd529becdd7ddb84e13cdbddc11678ee8afbc1acd9298a3257da7bde5deece7e841d9a1544382725
SSDEEP

6144:3IwfiY1dJhucMIZAy8VoSjBs46fHuLj8R6dWvLjm/:3dTJwcHZzCetOj8Rvjm/

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4600	iCpkoYvX.exe

Executes dropped EXE 2 IoCs

pid	Process
1532	iCpkoYvX.exe
4600	iCpkoYvX.exe

Loads dropped DLL 4 IoCs

pid	Process
848	1a5ef17bc80cccbd042e62ae680aa29c.exe
848	1a5ef17bc80cccbd042e62ae680aa29c.exe
4600	iCpkoYvX.exe
4600	iCpkoYvX.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ytklGyjx0Who = "C:\\ProgramData\\qQBPCYFAOcwmB\\iCpkoYvX.exe"	1a5ef17bc80cccbd042e62ae680aa29c.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4920 set thread context of 848	4920	1a5ef17bc80cccbd042e62ae680aa29c.exe	92
PID 1532 set thread context of 4600	1532	iCpkoYvX.exe	94
PID 4600 set thread context of 3220	4600	iCpkoYvX.exe	95

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 848	4920	1a5ef17bc80cccbd042e62ae680aa29c.exe	92
PID 4920 wrote to memory of 848	4920	1a5ef17bc80cccbd042e62ae680aa29c.exe	92
PID 4920 wrote to memory of 848	4920	1a5ef17bc80cccbd042e62ae680aa29c.exe	92
PID 4920 wrote to memory of 848	4920	1a5ef17bc80cccbd042e62ae680aa29c.exe	92
PID 4920 wrote to memory of 848	4920	1a5ef17bc80cccbd042e62ae680aa29c.exe	92
PID 848 wrote to memory of 1532	848	1a5ef17bc80cccbd042e62ae680aa29c.exe	93
PID 848 wrote to memory of 1532	848	1a5ef17bc80cccbd042e62ae680aa29c.exe	93
PID 848 wrote to memory of 1532	848	1a5ef17bc80cccbd042e62ae680aa29c.exe	93
PID 1532 wrote to memory of 4600	1532	iCpkoYvX.exe	94
PID 1532 wrote to memory of 4600	1532	iCpkoYvX.exe	94
PID 1532 wrote to memory of 4600	1532	iCpkoYvX.exe	94
PID 1532 wrote to memory of 4600	1532	iCpkoYvX.exe	94
PID 1532 wrote to memory of 4600	1532	iCpkoYvX.exe	94
PID 4600 wrote to memory of 3220	4600	iCpkoYvX.exe	95
PID 4600 wrote to memory of 3220	4600	iCpkoYvX.exe	95
PID 4600 wrote to memory of 3220	4600	iCpkoYvX.exe	95
PID 4600 wrote to memory of 3220	4600	iCpkoYvX.exe	95
PID 4600 wrote to memory of 3220	4600	iCpkoYvX.exe	95

C:\Users\Admin\AppData\Local\Temp\1a5ef17bc80cccbd042e62ae680aa29c.exe
"C:\Users\Admin\AppData\Local\Temp\1a5ef17bc80cccbd042e62ae680aa29c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Users\Admin\AppData\Local\Temp\1a5ef17bc80cccbd042e62ae680aa29c.exe
  "C:\Users\Admin\AppData\Local\Temp\1a5ef17bc80cccbd042e62ae680aa29c.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\ProgramData\qQBPCYFAOcwmB\iCpkoYvX.exe
    "C:\ProgramData\qQBPCYFAOcwmB\iCpkoYvX.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\ProgramData\qQBPCYFAOcwmB\iCpkoYvX.exe
      "C:\ProgramData\qQBPCYFAOcwmB\iCpkoYvX.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4600
    - - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
        
        "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /i:4600
        5⤵
        
        PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\qQBPCYFAOcwmB\iCpkoYvX.exe

Filesize
93KB

MD5
345de0637c018c3366ad2039dcdf6ed9

SHA1
8e1922ed5836b6bfeccf468c5705c2aeb72cb6d8

SHA256
721d769e91a1e38857c5f98b492dc63d907540c3c775daf5800cf229ee80e87c

SHA512
dc9ba0a47f738a08a504127a8c0d33d9251a9782bf127ee87b61a3c27408ead21f02e6fbebbb2aa72cd84e48d3c8931990d938b574ceb5117416ce2773aa02e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\t5WWJjLiMb.exe

Filesize
92KB

MD5
48f28a5a324e2bf9b49448ff30e1e894

SHA1
0a48f96c4214b9b098bd5b5fbeb6a7e8542f4a74

SHA256
8e149d6eb3874d1a8a726ede90007ee09441b1db6d7abc1a3746f19cab3ba6ee

SHA512
5bab01b6d7cefded61d27f53d2a5fbea665752fe6ac60965866f7aaa71c32c3a2a35d62fd27e87b89517eba69ae6bf14269db5c70847b82de1bf72c1d7de6023

Download Submit
memory/848-19-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/848-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/848-3-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/848-4-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/848-6-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1532-23-0x00000000752B0000-0x00000000753A0000-memory.dmp

Filesize
960KB

Download
memory/1532-28-0x00000000752B0000-0x00000000753A0000-memory.dmp

Filesize
960KB

Download
memory/1532-25-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3220-41-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3220-42-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4600-39-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4600-35-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4920-1-0x00000000752B0000-0x00000000753A0000-memory.dmp

Filesize
960KB

Download
memory/4920-5-0x00000000752B0000-0x00000000753A0000-memory.dmp

Filesize
960KB

Download
memory/4920-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads