b27ea86308adf0bf0eb59bb0c7dbc3cfd7782340393446bbc06d808c186c660b

General

Target

0c9293d2277e788a3838e3046c76e4e2.exe
Size

267KB
MD5

0c9293d2277e788a3838e3046c76e4e2
SHA1

34040af825f57670581b717cd4cbe16a2e13722e
SHA256

b27ea86308adf0bf0eb59bb0c7dbc3cfd7782340393446bbc06d808c186c660b
SHA512

4a53465726c8437d9e775039a9450e9b132a39250cf9eccb15ce5490d512c38d563e07f52407baa79ae99ac75ded1c662e7dc26f2f26fd52b5e6bf6b4c5e3763
SSDEEP

6144:KxZa/4p2bYcN9XurqLtji8tosJK0bC5tEdULkyHCdoGiAsFdgM:K1p2bbXurqBji8GsJynEWLkiFG

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1536	VOkr0wlLHToLHuAM.exe

Executes dropped EXE 2 IoCs

pid	Process
2860	VOkr0wlLHToLHuAM.exe
1536	VOkr0wlLHToLHuAM.exe

Loads dropped DLL 4 IoCs

pid	Process
3772	0c9293d2277e788a3838e3046c76e4e2.exe
3772	0c9293d2277e788a3838e3046c76e4e2.exe
1536	VOkr0wlLHToLHuAM.exe
1536	VOkr0wlLHToLHuAM.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wYDhNNokjH = "C:\\ProgramData\\hxJBpA89fK\\VOkr0wlLHToLHuAM.exe"	0c9293d2277e788a3838e3046c76e4e2.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 640 set thread context of 3772	640	0c9293d2277e788a3838e3046c76e4e2.exe	88
PID 2860 set thread context of 1536	2860	VOkr0wlLHToLHuAM.exe	92
PID 1536 set thread context of 628	1536	VOkr0wlLHToLHuAM.exe	95

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 3772	640	0c9293d2277e788a3838e3046c76e4e2.exe	88
PID 640 wrote to memory of 3772	640	0c9293d2277e788a3838e3046c76e4e2.exe	88
PID 640 wrote to memory of 3772	640	0c9293d2277e788a3838e3046c76e4e2.exe	88
PID 640 wrote to memory of 3772	640	0c9293d2277e788a3838e3046c76e4e2.exe	88
PID 640 wrote to memory of 3772	640	0c9293d2277e788a3838e3046c76e4e2.exe	88
PID 3772 wrote to memory of 2860	3772	0c9293d2277e788a3838e3046c76e4e2.exe	93
PID 3772 wrote to memory of 2860	3772	0c9293d2277e788a3838e3046c76e4e2.exe	93
PID 3772 wrote to memory of 2860	3772	0c9293d2277e788a3838e3046c76e4e2.exe	93
PID 2860 wrote to memory of 1536	2860	VOkr0wlLHToLHuAM.exe	92
PID 2860 wrote to memory of 1536	2860	VOkr0wlLHToLHuAM.exe	92
PID 2860 wrote to memory of 1536	2860	VOkr0wlLHToLHuAM.exe	92
PID 2860 wrote to memory of 1536	2860	VOkr0wlLHToLHuAM.exe	92
PID 2860 wrote to memory of 1536	2860	VOkr0wlLHToLHuAM.exe	92
PID 1536 wrote to memory of 628	1536	VOkr0wlLHToLHuAM.exe	95
PID 1536 wrote to memory of 628	1536	VOkr0wlLHToLHuAM.exe	95
PID 1536 wrote to memory of 628	1536	VOkr0wlLHToLHuAM.exe	95
PID 1536 wrote to memory of 628	1536	VOkr0wlLHToLHuAM.exe	95
PID 1536 wrote to memory of 628	1536	VOkr0wlLHToLHuAM.exe	95

C:\Users\Admin\AppData\Local\Temp\0c9293d2277e788a3838e3046c76e4e2.exe
"C:\Users\Admin\AppData\Local\Temp\0c9293d2277e788a3838e3046c76e4e2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:640
- C:\Users\Admin\AppData\Local\Temp\0c9293d2277e788a3838e3046c76e4e2.exe
  "C:\Users\Admin\AppData\Local\Temp\0c9293d2277e788a3838e3046c76e4e2.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\ProgramData\hxJBpA89fK\VOkr0wlLHToLHuAM.exe
    "C:\ProgramData\hxJBpA89fK\VOkr0wlLHToLHuAM.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2860

C:\ProgramData\hxJBpA89fK\VOkr0wlLHToLHuAM.exe
"C:\ProgramData\hxJBpA89fK\VOkr0wlLHToLHuAM.exe"
1⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
  "C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe" /i:1536
  2⤵
  PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hxJBpA89fK\RCX48D0.tmp

Filesize
267KB

MD5
5e0a30a693c91bccdd79b44441959c86

SHA1
e20442e978fddae3f37f71b54ba1e1fce6f19349

SHA256
42d6a02a25c942e06b1894fd3e63d331d94cbdaa22e5311cd1fe48286f3b64e8

SHA512
dcc12fe0de374d9c4ff4154d8d98240490c0f51af0f32b90ae5e3c8ce01380c6106cb31aa8c46ad93baae61a5245088f740b30128844ce6a4427e6226642bcd0

Download Submit
C:\ProgramData\hxJBpA89fK\VOkr0wlLHToLHuAM.exe

Filesize
267KB

MD5
0c9293d2277e788a3838e3046c76e4e2

SHA1
34040af825f57670581b717cd4cbe16a2e13722e

SHA256
b27ea86308adf0bf0eb59bb0c7dbc3cfd7782340393446bbc06d808c186c660b

SHA512
4a53465726c8437d9e775039a9450e9b132a39250cf9eccb15ce5490d512c38d563e07f52407baa79ae99ac75ded1c662e7dc26f2f26fd52b5e6bf6b4c5e3763

Download Submit
memory/628-38-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/628-35-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/640-1-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1536-25-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1536-36-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2860-23-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3772-16-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3772-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3772-4-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3772-3-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3772-2-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads