ad0a8a3618651472def7cc38d504df41e80ffc846f46fa335340cdd4484d73ef

General

Target

4b72ceffb22961df25fe29ef382135c1.exe
Size

139KB
MD5

4b72ceffb22961df25fe29ef382135c1
SHA1

d4427e586c86ad5ac354226dc9214bfe281901d5
SHA256

ad0a8a3618651472def7cc38d504df41e80ffc846f46fa335340cdd4484d73ef
SHA512

d76879fa4d2b4ede8a1a397b047a4e776e8c9b05320f2b3fa9fe4b0db940f0f62a06c8c87a09aa473e8ab8e217ed8b00eec513a2022fc0070291098f0f01daa1
SSDEEP

3072:PnrngFXURgNRurhgZ3NNCbIpNmyuZ0te4aY/GC9bETB5Ldt2193/w:PrgFXUfkY6sH/4aTT2193o

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

2668 netsh.exe

pid	process
2668	netsh.exe

Drops startup file 4 IoCs

Processes:

4b72ceffb22961df25fe29ef382135c1.exegjgkor.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewvcc.exe	4b72ceffb22961df25fe29ef382135c1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewvcc.exe	4b72ceffb22961df25fe29ef382135c1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewvcc.exe	gjgkor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewvcc.exe	gjgkor.exe

Executes dropped EXE 2 IoCs

Processes:

gjgkor.exegjgkor.exe

pid process

2604 gjgkor.exe
2484 gjgkor.exe
Loads dropped DLL 1 IoCs

Processes:

4b72ceffb22961df25fe29ef382135c1.exe

pid process

3016 4b72ceffb22961df25fe29ef382135c1.exe

pid	process
2604	gjgkor.exe
2484	gjgkor.exe

pid	process
3016	4b72ceffb22961df25fe29ef382135c1.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

gjgkor.exe4b72ceffb22961df25fe29ef382135c1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\huusgiml = "C:\\Users\\Admin\\AppData\\Local\\gjgkor.exe"	gjgkor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\huusgiml = "C:\\Users\\Admin\\AppData\\Local\\gjgkor.exe"	4b72ceffb22961df25fe29ef382135c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\huusgiml = "C:\\Users\\Admin\\AppData\\Local\\gjgkor.exe"	4b72ceffb22961df25fe29ef382135c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\huusgiml = "C:\\Users\\Admin\\AppData\\Local\\gjgkor.exe"	gjgkor.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

4b72ceffb22961df25fe29ef382135c1.exegjgkor.exe

description	pid	process	target process
PID 2164 set thread context of 3016	2164	4b72ceffb22961df25fe29ef382135c1.exe	4b72ceffb22961df25fe29ef382135c1.exe
PID 2604 set thread context of 2484	2604	gjgkor.exe	gjgkor.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

4b72ceffb22961df25fe29ef382135c1.exe4b72ceffb22961df25fe29ef382135c1.exegjgkor.exe

description	pid	process	target process
PID 2164 wrote to memory of 3016	2164	4b72ceffb22961df25fe29ef382135c1.exe	4b72ceffb22961df25fe29ef382135c1.exe
PID 2164 wrote to memory of 3016	2164	4b72ceffb22961df25fe29ef382135c1.exe	4b72ceffb22961df25fe29ef382135c1.exe
PID 2164 wrote to memory of 3016	2164	4b72ceffb22961df25fe29ef382135c1.exe	4b72ceffb22961df25fe29ef382135c1.exe
PID 2164 wrote to memory of 3016	2164	4b72ceffb22961df25fe29ef382135c1.exe	4b72ceffb22961df25fe29ef382135c1.exe
PID 2164 wrote to memory of 3016	2164	4b72ceffb22961df25fe29ef382135c1.exe	4b72ceffb22961df25fe29ef382135c1.exe
PID 2164 wrote to memory of 3016	2164	4b72ceffb22961df25fe29ef382135c1.exe	4b72ceffb22961df25fe29ef382135c1.exe
PID 2164 wrote to memory of 3016	2164	4b72ceffb22961df25fe29ef382135c1.exe	4b72ceffb22961df25fe29ef382135c1.exe
PID 2164 wrote to memory of 3016	2164	4b72ceffb22961df25fe29ef382135c1.exe	4b72ceffb22961df25fe29ef382135c1.exe
PID 3016 wrote to memory of 2668	3016	4b72ceffb22961df25fe29ef382135c1.exe	netsh.exe
PID 3016 wrote to memory of 2668	3016	4b72ceffb22961df25fe29ef382135c1.exe	netsh.exe
PID 3016 wrote to memory of 2668	3016	4b72ceffb22961df25fe29ef382135c1.exe	netsh.exe
PID 3016 wrote to memory of 2668	3016	4b72ceffb22961df25fe29ef382135c1.exe	netsh.exe
PID 3016 wrote to memory of 2604	3016	4b72ceffb22961df25fe29ef382135c1.exe	gjgkor.exe
PID 3016 wrote to memory of 2604	3016	4b72ceffb22961df25fe29ef382135c1.exe	gjgkor.exe
PID 3016 wrote to memory of 2604	3016	4b72ceffb22961df25fe29ef382135c1.exe	gjgkor.exe
PID 3016 wrote to memory of 2604	3016	4b72ceffb22961df25fe29ef382135c1.exe	gjgkor.exe
PID 2604 wrote to memory of 2484	2604	gjgkor.exe	gjgkor.exe
PID 2604 wrote to memory of 2484	2604	gjgkor.exe	gjgkor.exe
PID 2604 wrote to memory of 2484	2604	gjgkor.exe	gjgkor.exe
PID 2604 wrote to memory of 2484	2604	gjgkor.exe	gjgkor.exe
PID 2604 wrote to memory of 2484	2604	gjgkor.exe	gjgkor.exe
PID 2604 wrote to memory of 2484	2604	gjgkor.exe	gjgkor.exe
PID 2604 wrote to memory of 2484	2604	gjgkor.exe	gjgkor.exe
PID 2604 wrote to memory of 2484	2604	gjgkor.exe	gjgkor.exe

C:\Users\Admin\AppData\Local\Temp\4b72ceffb22961df25fe29ef382135c1.exe
"C:\Users\Admin\AppData\Local\Temp\4b72ceffb22961df25fe29ef382135c1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2164

C:\Users\Admin\AppData\Local\Temp\4b72ceffb22961df25fe29ef382135c1.exe
C:\Users\Admin\AppData\Local\Temp\4b72ceffb22961df25fe29ef382135c1.exe
2⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram 1.exe 1 ENABLE
3⤵
- Modifies Windows Firewall
PID:2668

C:\Users\Admin\AppData\Local\gjgkor.exe
"C:\Users\Admin\AppData\Local\gjgkor.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2604

C:\Users\Admin\AppData\Local\gjgkor.exe
C:\Users\Admin\AppData\Local\gjgkor.exe
4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
PID:2484

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\gjgkor.exe
Filesize
92KB

MD5
585b2c1bbb79580d18d94ec1c8634800

SHA1
d36fc2ccd94e38e5bb081d6466e735c8a3f199cc

SHA256
0c2e9f5689d7a9a957fc572bc64994602eeca5f884914bd49060ad7fad7024b7

SHA512
806c3abbaf1eae41f9a4af9a3333d3b345bb266c0d5cc235bdfa338606fe8b70c64031b2e5f887b3ed19dabc0e50149eff9db04c14343815499c74584a9bf8df

Download Submit
\Users\Admin\AppData\Local\gjgkor.exe
Filesize
139KB

MD5
4b72ceffb22961df25fe29ef382135c1

SHA1
d4427e586c86ad5ac354226dc9214bfe281901d5

SHA256
ad0a8a3618651472def7cc38d504df41e80ffc846f46fa335340cdd4484d73ef

SHA512
d76879fa4d2b4ede8a1a397b047a4e776e8c9b05320f2b3fa9fe4b0db940f0f62a06c8c87a09aa473e8ab8e217ed8b00eec513a2022fc0070291098f0f01daa1

Download Submit
memory/2164-18-0x0000000001F40000-0x0000000001F50000-memory.dmp

Filesize
64KB

Download
memory/2164-15-0x0000000001F40000-0x0000000001F50000-memory.dmp

Filesize
64KB

Download
memory/2164-17-0x0000000001F40000-0x0000000001F50000-memory.dmp

Filesize
64KB

Download
memory/2484-70-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2484-77-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2484-82-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2484-81-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2484-80-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2484-79-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2484-78-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2484-73-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2484-76-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2484-75-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2484-69-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2484-74-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2484-71-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2484-72-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2604-58-0x0000000001F00000-0x0000000001F10000-memory.dmp

Filesize
64KB

Download
memory/2604-57-0x0000000001F00000-0x0000000001F10000-memory.dmp

Filesize
64KB

Download
memory/3016-21-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3016-12-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3016-25-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3016-27-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3016-28-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3016-37-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3016-14-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3016-19-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads