73d0fe702dd8247f22bc3dd90e16bc5f63184d4f4a40f6e27ed51c90cd788210

General

Target

774969016d238e1c31940d610b0f051c.exe
Size

120KB
MD5

774969016d238e1c31940d610b0f051c
SHA1

f01b1fc0995c9924b258deac369bbae1199f9dbe
SHA256

73d0fe702dd8247f22bc3dd90e16bc5f63184d4f4a40f6e27ed51c90cd788210
SHA512

e77d97dd73f6a1e81d74e31022704041366bd5247cfafe75a6c89500a278ca2a0225bdde523011ad6b1818a57d2737cc60457d77d58edfc83e8b293e90449e75
SSDEEP

1536:NIdcFLZp0dsrYgdRAgH0/m38wIJVOy2JDVhCK8:NIdcFLEdskgrt05bnwhVh6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3624	idemoodp0cetka.exe
4852	idemoodp0cetka.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Service Manager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\idemoodp0cetka.exe"	774969016d238e1c31940d610b0f051c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MS Service Manager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\idemoodp0cetka.exe"	774969016d238e1c31940d610b0f051c.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4428 set thread context of 5060	4428	774969016d238e1c31940d610b0f051c.exe	87
PID 3624 set thread context of 4852	3624	idemoodp0cetka.exe	93

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4428	774969016d238e1c31940d610b0f051c.exe
3624	idemoodp0cetka.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 5060	4428	774969016d238e1c31940d610b0f051c.exe	87
PID 4428 wrote to memory of 5060	4428	774969016d238e1c31940d610b0f051c.exe	87
PID 4428 wrote to memory of 5060	4428	774969016d238e1c31940d610b0f051c.exe	87
PID 4428 wrote to memory of 5060	4428	774969016d238e1c31940d610b0f051c.exe	87
PID 4428 wrote to memory of 5060	4428	774969016d238e1c31940d610b0f051c.exe	87
PID 4428 wrote to memory of 5060	4428	774969016d238e1c31940d610b0f051c.exe	87
PID 4428 wrote to memory of 5060	4428	774969016d238e1c31940d610b0f051c.exe	87
PID 4428 wrote to memory of 5060	4428	774969016d238e1c31940d610b0f051c.exe	87
PID 5060 wrote to memory of 3624	5060	774969016d238e1c31940d610b0f051c.exe	90
PID 5060 wrote to memory of 3624	5060	774969016d238e1c31940d610b0f051c.exe	90
PID 5060 wrote to memory of 3624	5060	774969016d238e1c31940d610b0f051c.exe	90
PID 3624 wrote to memory of 4852	3624	idemoodp0cetka.exe	93
PID 3624 wrote to memory of 4852	3624	idemoodp0cetka.exe	93
PID 3624 wrote to memory of 4852	3624	idemoodp0cetka.exe	93
PID 3624 wrote to memory of 4852	3624	idemoodp0cetka.exe	93
PID 3624 wrote to memory of 4852	3624	idemoodp0cetka.exe	93
PID 3624 wrote to memory of 4852	3624	idemoodp0cetka.exe	93
PID 3624 wrote to memory of 4852	3624	idemoodp0cetka.exe	93
PID 3624 wrote to memory of 4852	3624	idemoodp0cetka.exe	93

C:\Users\Admin\AppData\Local\Temp\774969016d238e1c31940d610b0f051c.exe
"C:\Users\Admin\AppData\Local\Temp\774969016d238e1c31940d610b0f051c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Users\Admin\AppData\Local\Temp\774969016d238e1c31940d610b0f051c.exe
  "C:\Users\Admin\AppData\Local\Temp\774969016d238e1c31940d610b0f051c.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe
    "C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3624
  - - C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe
      "C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe"
      4⤵
      Executes dropped EXE
      PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe

Filesize
120KB

MD5
774969016d238e1c31940d610b0f051c

SHA1
f01b1fc0995c9924b258deac369bbae1199f9dbe

SHA256
73d0fe702dd8247f22bc3dd90e16bc5f63184d4f4a40f6e27ed51c90cd788210

SHA512
e77d97dd73f6a1e81d74e31022704041366bd5247cfafe75a6c89500a278ca2a0225bdde523011ad6b1818a57d2737cc60457d77d58edfc83e8b293e90449e75

Download Submit
memory/3624-20-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4428-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4428-6-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4852-32-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4852-29-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4852-38-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4852-21-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4852-37-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4852-22-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4852-23-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4852-25-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4852-26-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4852-27-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4852-28-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4852-36-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4852-30-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4852-31-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4852-35-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4852-33-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4852-34-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/5060-3-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/5060-7-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/5060-5-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/5060-15-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads