8da3135350ff1c3636ba730cbe51f68a63e82093af86cbacbe008dd3a9b3e1a4

General

Target

8cec5a41022f1ecf9adb09218b8421df.exe
Size

128KB
MD5

8cec5a41022f1ecf9adb09218b8421df
SHA1

169ec91aaf53dedd7c0c20826ff98985e76750af
SHA256

8da3135350ff1c3636ba730cbe51f68a63e82093af86cbacbe008dd3a9b3e1a4
SHA512

d7061ac7c8a99d747b247e473db985c4d6ad3e84387d1bd1d03d12d5515a4ffe7784a0d07140732ec0e5aab9186ea3a1d7a15e166f0d2db1ef75b273f0d71033
SSDEEP

1536:gtbk9vLGbDNuy9C3Vmto53WKfD+wCC45AI/YvVyaGh3no8ndUEbVVzREFJ:EbS3Vmto3WKR45BwV/G5nokLbDzEJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3964	bdyny79m.exe
2028	bdyny79m.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ly31bld = "C:\\Users\\Admin\\AppData\\Roaming\\bdyny79m.exe"	8cec5a41022f1ecf9adb09218b8421df.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4112 set thread context of 860	4112	8cec5a41022f1ecf9adb09218b8421df.exe	85
PID 3964 set thread context of 2028	3964	bdyny79m.exe	88

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2588	3964	WerFault.exe	89
3484	4112	WerFault.exe	84

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 860	4112	8cec5a41022f1ecf9adb09218b8421df.exe	85
PID 4112 wrote to memory of 860	4112	8cec5a41022f1ecf9adb09218b8421df.exe	85
PID 4112 wrote to memory of 860	4112	8cec5a41022f1ecf9adb09218b8421df.exe	85
PID 4112 wrote to memory of 860	4112	8cec5a41022f1ecf9adb09218b8421df.exe	85
PID 4112 wrote to memory of 860	4112	8cec5a41022f1ecf9adb09218b8421df.exe	85
PID 860 wrote to memory of 3964	860	8cec5a41022f1ecf9adb09218b8421df.exe	89
PID 860 wrote to memory of 3964	860	8cec5a41022f1ecf9adb09218b8421df.exe	89
PID 860 wrote to memory of 3964	860	8cec5a41022f1ecf9adb09218b8421df.exe	89
PID 3964 wrote to memory of 2028	3964	bdyny79m.exe	88
PID 3964 wrote to memory of 2028	3964	bdyny79m.exe	88
PID 3964 wrote to memory of 2028	3964	bdyny79m.exe	88
PID 3964 wrote to memory of 2028	3964	bdyny79m.exe	88
PID 3964 wrote to memory of 2028	3964	bdyny79m.exe	88

C:\Users\Admin\AppData\Local\Temp\8cec5a41022f1ecf9adb09218b8421df.exe
"C:\Users\Admin\AppData\Local\Temp\8cec5a41022f1ecf9adb09218b8421df.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Users\Admin\AppData\Local\Temp\8cec5a41022f1ecf9adb09218b8421df.exe
  C:\Users\Admin\AppData\Local\Temp\8cec5a41022f1ecf9adb09218b8421df.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Users\Admin\AppData\Roaming\bdyny79m.exe
    C:\Users\Admin\AppData\Roaming\bdyny79m.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 252
      4⤵
      Program crash
      PID:2588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 236
  2⤵
  - Program crash
  PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4112 -ip 4112
1⤵
PID:2720

C:\Users\Admin\AppData\Roaming\bdyny79m.exe
C:\Users\Admin\AppData\Roaming\bdyny79m.exe
1⤵
- Executes dropped EXE
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3964 -ip 3964
1⤵
PID:3876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\bdyny79m.exe

Filesize
73KB

MD5
a90e655931d1b51958728b8142b5374e

SHA1
8da49bff7eaa9e63c292fc2a861d7028d8fa874a

SHA256
6c96887fd570c0cc9b2ca2e091a9442dc659a12a8bd23ec6a45b6e3aef459ac1

SHA512
27a9b2a1c3a4d8b1f6f376cea6557d7e890c4147f6b13bd702322f3b8fff6b7ce8f8c4151c56e84f0991ebf454ce848cdba8b2dc2b9ff7db4e4058d4a3a5ffb3

Download Submit
C:\Users\Admin\AppData\Roaming\bdyny79m.exe

Filesize
71KB

MD5
bebbc03f0f0548a4a0c65540642b7b26

SHA1
75e463433f2bf81e3750ced7cc33ae51aa380c79

SHA256
e10a99d6dfbcca1562d19774b202f98a889fa399d76c44a304908c8cde175b35

SHA512
43188900c1dae932d97f4665ca1bb1c32f9e6461f9df73b4a5c2ba6ec630e26f81473b02509ee5b8ff718fd6cf2fa5f42d8a8440eaa1d28e123615765af5a696

Download Submit
C:\Users\Admin\AppData\Roaming\bdyny79m.exe

Filesize
69KB

MD5
9c9d36b588bb1ed8add898363c67651e

SHA1
d949e7e5b750f52c4bbbcf09d9e9ce686790623f

SHA256
3fb794f4c82cc815b33c8ddca0ec6c069f7632fe6b3ff8cf43c28251c46b8826

SHA512
06891e4c4fedd2d3a9e1b335978ea750ae66dec2a4b23e056709957e86afcb42d2e026b3d0bb60d38e3b154a8e5e7b9376a1c32933557c17a049e46891086a92

Download Submit
memory/860-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/860-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/860-4-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/860-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2028-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2028-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2028-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2028-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2028-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2028-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads