1bb9588fd26b7e497492acd74dc8fe42fc58059e8c42d4e463e4152d80d2719b

General

Target

66880a24978f13e420776c063053a1e1.exe
Size

356KB
MD5

66880a24978f13e420776c063053a1e1
SHA1

71f3e168a521ba92ae19357509fd18864106fc8d
SHA256

1bb9588fd26b7e497492acd74dc8fe42fc58059e8c42d4e463e4152d80d2719b
SHA512

eba0d9f3c01a78fca542354ef610567e956f1854280f683b93c639032d0129f16614feff92db57fdca626ff332c0dcc9cc115a416ec229d38ede0dd477d17718
SSDEEP

6144:7vbx8nj6JlwPJ+Op9IpF/IUj7H1cAI1Pcq/7FSRUQHE:7uj6JlwB+OQhICL1cA+Pdz9

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
812	QlUHlkdvC8.exe

Executes dropped EXE 2 IoCs

pid	Process
2028	QlUHlkdvC8.exe
812	QlUHlkdvC8.exe

Loads dropped DLL 4 IoCs

pid	Process
1040	66880a24978f13e420776c063053a1e1.exe
1040	66880a24978f13e420776c063053a1e1.exe
812	QlUHlkdvC8.exe
812	QlUHlkdvC8.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E64Gkia2 = "C:\\ProgramData\\lTo1BOiYrmPcj\\QlUHlkdvC8.exe"	66880a24978f13e420776c063053a1e1.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3728 set thread context of 1040	3728	66880a24978f13e420776c063053a1e1.exe	25
PID 2028 set thread context of 812	2028	QlUHlkdvC8.exe	40
PID 812 set thread context of 2200	812	QlUHlkdvC8.exe	57

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 1040	3728	66880a24978f13e420776c063053a1e1.exe	25
PID 3728 wrote to memory of 1040	3728	66880a24978f13e420776c063053a1e1.exe	25
PID 3728 wrote to memory of 1040	3728	66880a24978f13e420776c063053a1e1.exe	25
PID 3728 wrote to memory of 1040	3728	66880a24978f13e420776c063053a1e1.exe	25
PID 3728 wrote to memory of 1040	3728	66880a24978f13e420776c063053a1e1.exe	25
PID 1040 wrote to memory of 2028	1040	66880a24978f13e420776c063053a1e1.exe	34
PID 1040 wrote to memory of 2028	1040	66880a24978f13e420776c063053a1e1.exe	34
PID 1040 wrote to memory of 2028	1040	66880a24978f13e420776c063053a1e1.exe	34
PID 2028 wrote to memory of 812	2028	QlUHlkdvC8.exe	40
PID 2028 wrote to memory of 812	2028	QlUHlkdvC8.exe	40
PID 2028 wrote to memory of 812	2028	QlUHlkdvC8.exe	40
PID 2028 wrote to memory of 812	2028	QlUHlkdvC8.exe	40
PID 2028 wrote to memory of 812	2028	QlUHlkdvC8.exe	40
PID 812 wrote to memory of 2200	812	QlUHlkdvC8.exe	57
PID 812 wrote to memory of 2200	812	QlUHlkdvC8.exe	57
PID 812 wrote to memory of 2200	812	QlUHlkdvC8.exe	57
PID 812 wrote to memory of 2200	812	QlUHlkdvC8.exe	57
PID 812 wrote to memory of 2200	812	QlUHlkdvC8.exe	57

C:\Users\Admin\AppData\Local\Temp\66880a24978f13e420776c063053a1e1.exe
"C:\Users\Admin\AppData\Local\Temp\66880a24978f13e420776c063053a1e1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Users\Admin\AppData\Local\Temp\66880a24978f13e420776c063053a1e1.exe
  "C:\Users\Admin\AppData\Local\Temp\66880a24978f13e420776c063053a1e1.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\ProgramData\lTo1BOiYrmPcj\QlUHlkdvC8.exe
    "C:\ProgramData\lTo1BOiYrmPcj\QlUHlkdvC8.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\ProgramData\lTo1BOiYrmPcj\QlUHlkdvC8.exe
      "C:\ProgramData\lTo1BOiYrmPcj\QlUHlkdvC8.exe"
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:812
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" /i:812
        5⤵
        
        PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\lTo1BOiYrmPcj\QlUHlkdvC8.exe

Filesize
173KB

MD5
9f7bfaed2190c52c1fd43e55983891b2

SHA1
7707f1a7bb422c9170e3100dd3ccbce1117bc31e

SHA256
358f67f916da7958c1608d0d39fe9bf977bcd066e9b849fd00aadfcd537f137c

SHA512
24109f6a24f0669ebb3feb75493bacafb10f5eeaf4e070ba4de129cddc6a9774237957bff9403c4b4bfdfe54b4199688d04275a56d7e7730dde31593df2cfed0

Download Submit
C:\ProgramData\lTo1BOiYrmPcj\QlUHlkdvC8.exe

Filesize
96KB

MD5
2a2bb82c1283a90f43145b297652a595

SHA1
e28712244bae48c53b1ea2d7ef834db91d593e9d

SHA256
6b36abe75afaae9170dae0458e9465a7bd221b02f695369f3fea1ff3d4737445

SHA512
e94894c3bb52b2489c83cabdc32c5556ce8db0636806867140fc659c52d38478afd93c34d5b7b89d3ef946f60b4a5eb0cdd6870d9e55555769662f5dfbc59b2a

Download Submit
C:\ProgramData\lTo1BOiYrmPcj\QlUHlkdvC8.exe

Filesize
343KB

MD5
ab89772ec90120bb8967efac85f65654

SHA1
9b99072cc4876b75d2d32f90a1f9206d7ca76781

SHA256
95ed0448f222a329e9a3943e6696081d93192a2bc326f3ac425e357147567ecc

SHA512
0de86eb49d32aa80d21be84addf620e68fedc0418e4f5f1d78347158ee90e014147d18dc35bffbffbcce921933378147d903447965dc180d2d6651b5e51eddb0

Download Submit
C:\ProgramData\lTo1BOiYrmPcj\QlUHlkdvC8.exe

Filesize
1KB

MD5
7acf8ed7c1bca64063629a2fe8d1f248

SHA1
49484511d53fd83f0b23ef66a9e40fb4a1e001c3

SHA256
f89ccc91fc905d97b982ee120815c9259508d95fa50730c59af9d8fde616f4ae

SHA512
8eac66cdc81f06bbf7173f975db250dfeadefe1f2e87b184e8a4a7d7e8c46f69d817de30771072c4e92a5db37847bd17e0e6cc0dde162a394dbcefe6c3fa818b

Download Submit
C:\ProgramData\lTo1BOiYrmPcj\QlUHlkdvC8.exe

Filesize
189KB

MD5
a3076107818d3d103bf9b77bb10f9092

SHA1
78ebcc5887f78e592b145706b03a339539da3d14

SHA256
31d8934448edae991856a8751993eb5318d5dc5ce4f03593d771e8d1d503a578

SHA512
0b50aa4ae26b07a6b09d81772b1f296ed1293a895806b0e2c2d9d64c7adb69f629c3b1e98e91805b5973b87defc5743db48f848f18b70bb10baf35e4fed2fe16

Download Submit
C:\ProgramData\lTo1BOiYrmPcj\RCX58CE.tmp

Filesize
297KB

MD5
8b9066d6f3bcdabe1fde589026d740c3

SHA1
11cbf3008acbcb6daf31a8e0f9f3cff47b295478

SHA256
b6079890dcbb188476085d7aefa97e5ae1c003fddef67fbc12f81d418e6fe270

SHA512
2e122931689c3db63d95502905d7fde900d29768851da8a7de374cdb298b5b20dec9ec12836d37448c5591fd3a6d0cff01f672d4d297e770913e8d32b05e3e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2iX5p60AwG6O.exe

Filesize
86KB

MD5
7dcac6bddf27d7683066de16eda660cc

SHA1
d7f8e47d288ae1ee144f8ecaf46e8b608cd0bdb6

SHA256
2edbb142ac6731dd9ae1aba39e0f18a35ddf9c26746f140e82cae2aa83de2795

SHA512
e180c390dbfc17ff9c64c45057b0c2cf84db8fbed12d2d5622c6f2af242e7967423fcf3b3c3617cafcad7e6877dd8654471aca6e4380b37c41da410e7ec70e26

Download Submit
memory/812-30-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/812-39-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1040-18-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1040-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1040-4-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1040-6-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1040-2-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2028-28-0x0000000077260000-0x0000000077350000-memory.dmp

Filesize
960KB

Download
memory/2028-26-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2028-25-0x0000000077260000-0x0000000077350000-memory.dmp

Filesize
960KB

Download
memory/2200-41-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2200-42-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3728-5-0x0000000077260000-0x0000000077350000-memory.dmp

Filesize
960KB

Download
memory/3728-3-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3728-1-0x0000000077260000-0x0000000077350000-memory.dmp

Filesize
960KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads