c7cc67bd019e049c62342206f2d2a7af46fc58a950d1ff1db958d7c09290b6df

General

Target

185a2ca1884de3983a525cdd7104daa0.exe
Size

267KB
MD5

185a2ca1884de3983a525cdd7104daa0
SHA1

131969f13c3e141e660aa219e90a78a07d390151
SHA256

c7cc67bd019e049c62342206f2d2a7af46fc58a950d1ff1db958d7c09290b6df
SHA512

eaa875e55522050870bb2742ee261f3efbb46448c5d3c8cb63c4ad60748bf17d6fa16e9f841d92a4c78f90c2b9f5bf6dcd7be232c07b7d753cd29c8baadd48e5
SSDEEP

6144:KxZaCYILHJne0fIJQsSWUhM8CBesCbYE/o/G+O:K9YILH9yQLBhJCdKzg/G7

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2100	f55MiVIY0kwAU92.exe

Executes dropped EXE 2 IoCs

pid	Process
3040	f55MiVIY0kwAU92.exe
2100	f55MiVIY0kwAU92.exe

Loads dropped DLL 5 IoCs

pid	Process
2028	185a2ca1884de3983a525cdd7104daa0.exe
2028	185a2ca1884de3983a525cdd7104daa0.exe
2028	185a2ca1884de3983a525cdd7104daa0.exe
3040	f55MiVIY0kwAU92.exe
2100	f55MiVIY0kwAU92.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\QTWZw1vidP3N = "C:\\ProgramData\\fgFbR27rWExrdHdf\\f55MiVIY0kwAU92.exe"	185a2ca1884de3983a525cdd7104daa0.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3008 set thread context of 2028	3008	185a2ca1884de3983a525cdd7104daa0.exe	14
PID 3040 set thread context of 2100	3040	f55MiVIY0kwAU92.exe	18
PID 2100 set thread context of 2676	2100	f55MiVIY0kwAU92.exe	25

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2028	3008	185a2ca1884de3983a525cdd7104daa0.exe	14
PID 3008 wrote to memory of 2028	3008	185a2ca1884de3983a525cdd7104daa0.exe	14
PID 3008 wrote to memory of 2028	3008	185a2ca1884de3983a525cdd7104daa0.exe	14
PID 3008 wrote to memory of 2028	3008	185a2ca1884de3983a525cdd7104daa0.exe	14
PID 3008 wrote to memory of 2028	3008	185a2ca1884de3983a525cdd7104daa0.exe	14
PID 3008 wrote to memory of 2028	3008	185a2ca1884de3983a525cdd7104daa0.exe	14
PID 2028 wrote to memory of 3040	2028	185a2ca1884de3983a525cdd7104daa0.exe	19
PID 2028 wrote to memory of 3040	2028	185a2ca1884de3983a525cdd7104daa0.exe	19
PID 2028 wrote to memory of 3040	2028	185a2ca1884de3983a525cdd7104daa0.exe	19
PID 2028 wrote to memory of 3040	2028	185a2ca1884de3983a525cdd7104daa0.exe	19
PID 3040 wrote to memory of 2100	3040	f55MiVIY0kwAU92.exe	18
PID 3040 wrote to memory of 2100	3040	f55MiVIY0kwAU92.exe	18
PID 3040 wrote to memory of 2100	3040	f55MiVIY0kwAU92.exe	18
PID 3040 wrote to memory of 2100	3040	f55MiVIY0kwAU92.exe	18
PID 3040 wrote to memory of 2100	3040	f55MiVIY0kwAU92.exe	18
PID 3040 wrote to memory of 2100	3040	f55MiVIY0kwAU92.exe	18
PID 2100 wrote to memory of 2676	2100	f55MiVIY0kwAU92.exe	25
PID 2100 wrote to memory of 2676	2100	f55MiVIY0kwAU92.exe	25
PID 2100 wrote to memory of 2676	2100	f55MiVIY0kwAU92.exe	25
PID 2100 wrote to memory of 2676	2100	f55MiVIY0kwAU92.exe	25
PID 2100 wrote to memory of 2676	2100	f55MiVIY0kwAU92.exe	25
PID 2100 wrote to memory of 2676	2100	f55MiVIY0kwAU92.exe	25

C:\Users\Admin\AppData\Local\Temp\185a2ca1884de3983a525cdd7104daa0.exe
"C:\Users\Admin\AppData\Local\Temp\185a2ca1884de3983a525cdd7104daa0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2028
- C:\ProgramData\fgFbR27rWExrdHdf\f55MiVIY0kwAU92.exe
  "C:\ProgramData\fgFbR27rWExrdHdf\f55MiVIY0kwAU92.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3040

C:\Users\Admin\AppData\Local\Temp\185a2ca1884de3983a525cdd7104daa0.exe
"C:\Users\Admin\AppData\Local\Temp\185a2ca1884de3983a525cdd7104daa0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3008

C:\ProgramData\fgFbR27rWExrdHdf\f55MiVIY0kwAU92.exe
"C:\ProgramData\fgFbR27rWExrdHdf\f55MiVIY0kwAU92.exe"
1⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Program Files (x86)\Windows Media Player\wmpconfig.exe
  "C:\Program Files (x86)\Windows Media Player\wmpconfig.exe" /i:2100
  2⤵
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2028-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2028-4-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2028-8-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2028-7-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2028-6-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2028-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2028-19-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2100-45-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2100-34-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2676-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2676-44-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2676-47-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3008-5-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3040-30-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads