9034412d40ceeceb4771bd74e010e1782435d3de800a5fc8544bddedf28d0e18

General

Target

26ab4c648f8df6859ae4b4efc9ce0c53.exe
Size

136KB
MD5

26ab4c648f8df6859ae4b4efc9ce0c53
SHA1

280cc2b7ae048eedf835a0da7f52994aa964c739
SHA256

9034412d40ceeceb4771bd74e010e1782435d3de800a5fc8544bddedf28d0e18
SHA512

29cee52de61d53c17d5115d5b066ca1e4fff7593d1f90bf0e7339197c4c59861bea9c6c255dfe0f354e32213376bf545aa3cf2a4183061d2a80dae3115a20808
SSDEEP

3072:gZbQawG5CLy8M0jYxByGobQtK8bu9yAAGkICaudkC:gNKg0jY7ob+butujdt

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1352	servicio.exe
2836	servicio.exe

Loads dropped DLL 3 IoCs

pid	Process
2212	26ab4c648f8df6859ae4b4efc9ce0c53.exe
2212	26ab4c648f8df6859ae4b4efc9ce0c53.exe
1352	servicio.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\servicio.exe"	26ab4c648f8df6859ae4b4efc9ce0c53.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Service = "servicio.exe"	26ab4c648f8df6859ae4b4efc9ce0c53.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\servicio.exe"	servicio.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3012 set thread context of 2212	3012	26ab4c648f8df6859ae4b4efc9ce0c53.exe	28
PID 1352 set thread context of 2836	1352	servicio.exe	29

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3012	26ab4c648f8df6859ae4b4efc9ce0c53.exe
1352	servicio.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2212	3012	26ab4c648f8df6859ae4b4efc9ce0c53.exe	28
PID 3012 wrote to memory of 2212	3012	26ab4c648f8df6859ae4b4efc9ce0c53.exe	28
PID 3012 wrote to memory of 2212	3012	26ab4c648f8df6859ae4b4efc9ce0c53.exe	28
PID 3012 wrote to memory of 2212	3012	26ab4c648f8df6859ae4b4efc9ce0c53.exe	28
PID 3012 wrote to memory of 2212	3012	26ab4c648f8df6859ae4b4efc9ce0c53.exe	28
PID 3012 wrote to memory of 2212	3012	26ab4c648f8df6859ae4b4efc9ce0c53.exe	28
PID 3012 wrote to memory of 2212	3012	26ab4c648f8df6859ae4b4efc9ce0c53.exe	28
PID 3012 wrote to memory of 2212	3012	26ab4c648f8df6859ae4b4efc9ce0c53.exe	28
PID 3012 wrote to memory of 2212	3012	26ab4c648f8df6859ae4b4efc9ce0c53.exe	28
PID 2212 wrote to memory of 1352	2212	26ab4c648f8df6859ae4b4efc9ce0c53.exe	30
PID 2212 wrote to memory of 1352	2212	26ab4c648f8df6859ae4b4efc9ce0c53.exe	30
PID 2212 wrote to memory of 1352	2212	26ab4c648f8df6859ae4b4efc9ce0c53.exe	30
PID 2212 wrote to memory of 1352	2212	26ab4c648f8df6859ae4b4efc9ce0c53.exe	30
PID 1352 wrote to memory of 2836	1352	servicio.exe	29
PID 1352 wrote to memory of 2836	1352	servicio.exe	29
PID 1352 wrote to memory of 2836	1352	servicio.exe	29
PID 1352 wrote to memory of 2836	1352	servicio.exe	29
PID 1352 wrote to memory of 2836	1352	servicio.exe	29
PID 1352 wrote to memory of 2836	1352	servicio.exe	29
PID 1352 wrote to memory of 2836	1352	servicio.exe	29
PID 1352 wrote to memory of 2836	1352	servicio.exe	29
PID 1352 wrote to memory of 2836	1352	servicio.exe	29

C:\Users\Admin\AppData\Local\Temp\26ab4c648f8df6859ae4b4efc9ce0c53.exe
"C:\Users\Admin\AppData\Local\Temp\26ab4c648f8df6859ae4b4efc9ce0c53.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\26ab4c648f8df6859ae4b4efc9ce0c53.exe
  C:\Users\Admin\AppData\Local\Temp\26ab4c648f8df6859ae4b4efc9ce0c53.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Users\Admin\AppData\Local\Temp\servicio.exe
    "C:\Users\Admin\AppData\Local\Temp\servicio.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1352

C:\Users\Admin\AppData\Local\Temp\servicio.exe
C:\Users\Admin\AppData\Local\Temp\servicio.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\servicio.exe

Filesize
136KB

MD5
26ab4c648f8df6859ae4b4efc9ce0c53

SHA1
280cc2b7ae048eedf835a0da7f52994aa964c739

SHA256
9034412d40ceeceb4771bd74e010e1782435d3de800a5fc8544bddedf28d0e18

SHA512
29cee52de61d53c17d5115d5b066ca1e4fff7593d1f90bf0e7339197c4c59861bea9c6c255dfe0f354e32213376bf545aa3cf2a4183061d2a80dae3115a20808

Download Submit
memory/2212-2-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2212-4-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2212-5-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2212-19-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-30-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-32-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-27-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-28-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-29-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-25-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-31-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-24-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-33-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-34-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-35-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-36-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-37-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-38-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-39-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2836-40-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads