b27ea86308adf0bf0eb59bb0c7dbc3cfd7782340393446bbc06d808c186c660b

General

Target

0c9293d2277e788a3838e3046c76e4e2.exe
Size

267KB
MD5

0c9293d2277e788a3838e3046c76e4e2
SHA1

34040af825f57670581b717cd4cbe16a2e13722e
SHA256

b27ea86308adf0bf0eb59bb0c7dbc3cfd7782340393446bbc06d808c186c660b
SHA512

4a53465726c8437d9e775039a9450e9b132a39250cf9eccb15ce5490d512c38d563e07f52407baa79ae99ac75ded1c662e7dc26f2f26fd52b5e6bf6b4c5e3763
SSDEEP

6144:KxZa/4p2bYcN9XurqLtji8tosJK0bC5tEdULkyHCdoGiAsFdgM:K1p2bbXurqBji8GsJynEWLkiFG

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3020	R9QYGvzsSIpQFt1.exe

Executes dropped EXE 2 IoCs

pid	Process
2544	R9QYGvzsSIpQFt1.exe
3020	R9QYGvzsSIpQFt1.exe

Loads dropped DLL 5 IoCs

pid	Process
1460	0c9293d2277e788a3838e3046c76e4e2.exe
1460	0c9293d2277e788a3838e3046c76e4e2.exe
1460	0c9293d2277e788a3838e3046c76e4e2.exe
2544	R9QYGvzsSIpQFt1.exe
3020	R9QYGvzsSIpQFt1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\JNuOtLSf = "C:\\ProgramData\\TmFdJCbNIETlNB\\R9QYGvzsSIpQFt1.exe"	0c9293d2277e788a3838e3046c76e4e2.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2656 set thread context of 1460	2656	0c9293d2277e788a3838e3046c76e4e2.exe	28
PID 2544 set thread context of 3020	2544	R9QYGvzsSIpQFt1.exe	29
PID 3020 set thread context of 2700	3020	R9QYGvzsSIpQFt1.exe	31

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 1460	2656	0c9293d2277e788a3838e3046c76e4e2.exe	28
PID 2656 wrote to memory of 1460	2656	0c9293d2277e788a3838e3046c76e4e2.exe	28
PID 2656 wrote to memory of 1460	2656	0c9293d2277e788a3838e3046c76e4e2.exe	28
PID 2656 wrote to memory of 1460	2656	0c9293d2277e788a3838e3046c76e4e2.exe	28
PID 2656 wrote to memory of 1460	2656	0c9293d2277e788a3838e3046c76e4e2.exe	28
PID 2656 wrote to memory of 1460	2656	0c9293d2277e788a3838e3046c76e4e2.exe	28
PID 1460 wrote to memory of 2544	1460	0c9293d2277e788a3838e3046c76e4e2.exe	30
PID 1460 wrote to memory of 2544	1460	0c9293d2277e788a3838e3046c76e4e2.exe	30
PID 1460 wrote to memory of 2544	1460	0c9293d2277e788a3838e3046c76e4e2.exe	30
PID 1460 wrote to memory of 2544	1460	0c9293d2277e788a3838e3046c76e4e2.exe	30
PID 2544 wrote to memory of 3020	2544	R9QYGvzsSIpQFt1.exe	29
PID 2544 wrote to memory of 3020	2544	R9QYGvzsSIpQFt1.exe	29
PID 2544 wrote to memory of 3020	2544	R9QYGvzsSIpQFt1.exe	29
PID 2544 wrote to memory of 3020	2544	R9QYGvzsSIpQFt1.exe	29
PID 2544 wrote to memory of 3020	2544	R9QYGvzsSIpQFt1.exe	29
PID 2544 wrote to memory of 3020	2544	R9QYGvzsSIpQFt1.exe	29
PID 3020 wrote to memory of 2700	3020	R9QYGvzsSIpQFt1.exe	31
PID 3020 wrote to memory of 2700	3020	R9QYGvzsSIpQFt1.exe	31
PID 3020 wrote to memory of 2700	3020	R9QYGvzsSIpQFt1.exe	31
PID 3020 wrote to memory of 2700	3020	R9QYGvzsSIpQFt1.exe	31
PID 3020 wrote to memory of 2700	3020	R9QYGvzsSIpQFt1.exe	31
PID 3020 wrote to memory of 2700	3020	R9QYGvzsSIpQFt1.exe	31

C:\Users\Admin\AppData\Local\Temp\0c9293d2277e788a3838e3046c76e4e2.exe
"C:\Users\Admin\AppData\Local\Temp\0c9293d2277e788a3838e3046c76e4e2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Local\Temp\0c9293d2277e788a3838e3046c76e4e2.exe
  "C:\Users\Admin\AppData\Local\Temp\0c9293d2277e788a3838e3046c76e4e2.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\ProgramData\TmFdJCbNIETlNB\R9QYGvzsSIpQFt1.exe
    "C:\ProgramData\TmFdJCbNIETlNB\R9QYGvzsSIpQFt1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2544

C:\ProgramData\TmFdJCbNIETlNB\R9QYGvzsSIpQFt1.exe
"C:\ProgramData\TmFdJCbNIETlNB\R9QYGvzsSIpQFt1.exe"
1⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Program Files (x86)\Internet Explorer\ExtExport.exe
  "C:\Program Files (x86)\Internet Explorer\ExtExport.exe" /i:3020
  2⤵
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TmFdJCbNIETlNB\R9QYGvzsSIpQFt1.exe

Filesize
92KB

MD5
663f2b7189c17ddef32785a388ddbc8f

SHA1
fb209c80b978b56b82d4843b10a63a39c0ca034d

SHA256
12cf6974d4839609aebe4b9c6486265fc59e0a7bfc31c814f4f24c68aa4c7b30

SHA512
a08010db60c7f5e3b7451b2efc93b507a7a299b9a3f1a157df4b69fa7c857a867fd8cd6d94456e220b6c73b8ba8a272f8f0e43c85497aaebbdc25f930adfbf27

Download Submit
\ProgramData\TmFdJCbNIETlNB\R9QYGvzsSIpQFt1.exe

Filesize
267KB

MD5
0c9293d2277e788a3838e3046c76e4e2

SHA1
34040af825f57670581b717cd4cbe16a2e13722e

SHA256
b27ea86308adf0bf0eb59bb0c7dbc3cfd7782340393446bbc06d808c186c660b

SHA512
4a53465726c8437d9e775039a9450e9b132a39250cf9eccb15ce5490d512c38d563e07f52407baa79ae99ac75ded1c662e7dc26f2f26fd52b5e6bf6b4c5e3763

Download Submit
\ProgramData\TmFdJCbNIETlNB\R9QYGvzsSIpQFt1.exe

Filesize
93KB

MD5
a1d5a15b13859063721d400219cc4f54

SHA1
5bdddb3b59359200f1b2b4d89f4cd51fe054854e

SHA256
ed485f9344bd68d29089fde550fa17a1652cef21b6f0784c87b65d63e1001ea6

SHA512
53bf357a9061220f08de8dba9b820f015f402591f8cdda521cbef7732ae586d17ecf81e02910613cb1e94bb3ccaadcaf5454a738383183706f9c9b416d426bb2

Download Submit
memory/1460-19-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1460-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1460-7-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1460-8-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1460-5-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1460-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1460-4-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2544-30-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2656-6-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2700-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2700-45-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2700-47-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3020-33-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3020-44-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads