559bb78bade60153f0b66f39c46774dcca72b00cf95d9ee5ba551f657aff0259

General

Target

0f81d1ffb6286e8762489c5b8cd17655.exe
Size

356KB
MD5

0f81d1ffb6286e8762489c5b8cd17655
SHA1

5d558b4687c8365adaea0da111d69dab27b3cefe
SHA256

559bb78bade60153f0b66f39c46774dcca72b00cf95d9ee5ba551f657aff0259
SHA512

c28570df2283b9e4f2b7d44c919dc0e60fd60df00f4106c5964961b7bb9aaa164fc7af07c72fde856e561ff5ad9662bcc2ea1df754c636d4cd468c1c631de559
SSDEEP

6144:7vbx8GXBQSInhPUfpJtdi8ZD+clIBOMba2EtKOLOO/J:7TqVUvy8ZDnlIBhah5LOO/J

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4584	HY7fc8wCPY5Y.exe

Executes dropped EXE 2 IoCs

pid	Process
3964	HY7fc8wCPY5Y.exe
4584	HY7fc8wCPY5Y.exe

Loads dropped DLL 4 IoCs

pid	Process
628	0f81d1ffb6286e8762489c5b8cd17655.exe
628	0f81d1ffb6286e8762489c5b8cd17655.exe
4584	HY7fc8wCPY5Y.exe
4584	HY7fc8wCPY5Y.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\B5eYBGzxh3lgbTB = "C:\\ProgramData\\AH3QoRbg0o\\HY7fc8wCPY5Y.exe"	0f81d1ffb6286e8762489c5b8cd17655.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4992 set thread context of 628	4992	0f81d1ffb6286e8762489c5b8cd17655.exe	92
PID 3964 set thread context of 4584	3964	HY7fc8wCPY5Y.exe	94
PID 4584 set thread context of 4984	4584	HY7fc8wCPY5Y.exe	95

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 628	4992	0f81d1ffb6286e8762489c5b8cd17655.exe	92
PID 4992 wrote to memory of 628	4992	0f81d1ffb6286e8762489c5b8cd17655.exe	92
PID 4992 wrote to memory of 628	4992	0f81d1ffb6286e8762489c5b8cd17655.exe	92
PID 4992 wrote to memory of 628	4992	0f81d1ffb6286e8762489c5b8cd17655.exe	92
PID 4992 wrote to memory of 628	4992	0f81d1ffb6286e8762489c5b8cd17655.exe	92
PID 628 wrote to memory of 3964	628	0f81d1ffb6286e8762489c5b8cd17655.exe	93
PID 628 wrote to memory of 3964	628	0f81d1ffb6286e8762489c5b8cd17655.exe	93
PID 628 wrote to memory of 3964	628	0f81d1ffb6286e8762489c5b8cd17655.exe	93
PID 3964 wrote to memory of 4584	3964	HY7fc8wCPY5Y.exe	94
PID 3964 wrote to memory of 4584	3964	HY7fc8wCPY5Y.exe	94
PID 3964 wrote to memory of 4584	3964	HY7fc8wCPY5Y.exe	94
PID 3964 wrote to memory of 4584	3964	HY7fc8wCPY5Y.exe	94
PID 3964 wrote to memory of 4584	3964	HY7fc8wCPY5Y.exe	94
PID 4584 wrote to memory of 4984	4584	HY7fc8wCPY5Y.exe	95
PID 4584 wrote to memory of 4984	4584	HY7fc8wCPY5Y.exe	95
PID 4584 wrote to memory of 4984	4584	HY7fc8wCPY5Y.exe	95
PID 4584 wrote to memory of 4984	4584	HY7fc8wCPY5Y.exe	95
PID 4584 wrote to memory of 4984	4584	HY7fc8wCPY5Y.exe	95

C:\Users\Admin\AppData\Local\Temp\0f81d1ffb6286e8762489c5b8cd17655.exe
"C:\Users\Admin\AppData\Local\Temp\0f81d1ffb6286e8762489c5b8cd17655.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\AppData\Local\Temp\0f81d1ffb6286e8762489c5b8cd17655.exe
  "C:\Users\Admin\AppData\Local\Temp\0f81d1ffb6286e8762489c5b8cd17655.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\ProgramData\AH3QoRbg0o\HY7fc8wCPY5Y.exe
    "C:\ProgramData\AH3QoRbg0o\HY7fc8wCPY5Y.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\ProgramData\AH3QoRbg0o\HY7fc8wCPY5Y.exe
      "C:\ProgramData\AH3QoRbg0o\HY7fc8wCPY5Y.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4584
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.181.5\MicrosoftEdgeUpdateOnDemand.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.181.5\MicrosoftEdgeUpdateOnDemand.exe" /i:4584
        5⤵
        
        PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AH3QoRbg0o\HY7fc8wCPY5Y.exe

Filesize
93KB

MD5
89619f8ccd15e5e5e13914426f2499dc

SHA1
e5d54bba9d4886374a085c0e1f09d1e7232a6006

SHA256
c8f93edcd7fe2f06b60a880768603bac58304c3374a83e7213d4ffa8915bad50

SHA512
d1f28eae0d24bb71be67a27965a658a544d4cc28a6f207ff751183fcdefbc697b2bf0652330cb2fca57bf168c018998ef7d0f459dbf241936db89f1ddf38b251

Download Submit
C:\ProgramData\AH3QoRbg0o\HY7fc8wCPY5Y.exe

Filesize
356KB

MD5
0f81d1ffb6286e8762489c5b8cd17655

SHA1
5d558b4687c8365adaea0da111d69dab27b3cefe

SHA256
559bb78bade60153f0b66f39c46774dcca72b00cf95d9ee5ba551f657aff0259

SHA512
c28570df2283b9e4f2b7d44c919dc0e60fd60df00f4106c5964961b7bb9aaa164fc7af07c72fde856e561ff5ad9662bcc2ea1df754c636d4cd468c1c631de559

Download Submit
C:\ProgramData\AH3QoRbg0o\RCX45C3.tmp

Filesize
356KB

MD5
67290deff1d35d9a84cdc709bac0ed77

SHA1
4b6481f4cdafb1c5d2c5aebb136ffddcbae561b1

SHA256
9b1edf830e993633c14a758b06ed06a931f09c5f0602db129a906bfbdd28c93e

SHA512
7b9e9f59118f0b62e43a52a29972bf4a89031caf9435c2df2f78afbd63ec05e2c954c2b53508ef7a49c711fd248afb6598e8616486d77df97cfeb46b38e9b2ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\FIJU8NFMS.exe

Filesize
92KB

MD5
66b54c01b9db780aae9d3e613181eafd

SHA1
fdaf28c5295efdc00c558d77df1132f6d4d7400c

SHA256
7ec6eb99d0b0157a1bd5599648a608368e95fff2e7aeb687b784fa9ed190217a

SHA512
ae1f4b34820279149a121ee277dc9fcc006ae295b1771eac2140cdb3b03c8b564542d12d6323d6ffd27bc0250a41f47fae701ec1efb25a4762600d22317852a1

Download Submit
memory/628-6-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/628-18-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/628-4-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/628-1-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/628-2-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3964-28-0x0000000075380000-0x0000000075470000-memory.dmp

Filesize
960KB

Download
memory/3964-25-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3964-22-0x0000000075380000-0x0000000075470000-memory.dmp

Filesize
960KB

Download
memory/4584-30-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4584-39-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4984-41-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4984-42-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4992-0-0x0000000075380000-0x0000000075470000-memory.dmp

Filesize
960KB

Download
memory/4992-5-0x0000000075380000-0x0000000075470000-memory.dmp

Filesize
960KB

Download
memory/4992-3-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads