ab6c220ed37a3771afb540e7b1179aea65119d6e3da91d55af7f659f61541f42

General

Target

KY6mW.exe
Size

940KB
MD5

91465c291a92591087e70caa0d4c3370
SHA1

345fba0f611a59ddd30a8c87f793a80fbf82c50e
SHA256

ab6c220ed37a3771afb540e7b1179aea65119d6e3da91d55af7f659f61541f42
SHA512

d39d5256b4db45e8a5901a96341e2ca8e5f3dafa2b426227a1fe76f6268f8b2ca59a2c5ce332ea2f70a15287ae9a2703ca52c22dacd8beed54e0786f2b70a762

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3796	smss.com
3772	smss.com

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	KY6mW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	KY6mW.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3612	PING.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3796	smss.com
3796	smss.com
3796	smss.com
3772	smss.com
3772	smss.com
3772	smss.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
3796	smss.com
3796	smss.com
3796	smss.com
3772	smss.com
3772	smss.com
3772	smss.com

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 3828	3044	KY6mW.exe	67
PID 3044 wrote to memory of 3828	3044	KY6mW.exe	67
PID 3044 wrote to memory of 3828	3044	KY6mW.exe	67
PID 3828 wrote to memory of 3872	3828	cmd.exe	69
PID 3828 wrote to memory of 3872	3828	cmd.exe	69
PID 3828 wrote to memory of 3872	3828	cmd.exe	69
PID 3828 wrote to memory of 3340	3828	cmd.exe	70
PID 3828 wrote to memory of 3340	3828	cmd.exe	70
PID 3828 wrote to memory of 3340	3828	cmd.exe	70
PID 3828 wrote to memory of 3796	3828	cmd.exe	71
PID 3828 wrote to memory of 3796	3828	cmd.exe	71
PID 3828 wrote to memory of 3796	3828	cmd.exe	71
PID 3796 wrote to memory of 3772	3796	smss.com	72
PID 3796 wrote to memory of 3772	3796	smss.com	72
PID 3796 wrote to memory of 3772	3796	smss.com	72
PID 3828 wrote to memory of 3612	3828	cmd.exe	73
PID 3828 wrote to memory of 3612	3828	cmd.exe	73
PID 3828 wrote to memory of 3612	3828	cmd.exe	73

C:\Users\Admin\AppData\Local\Temp\KY6mW.exe
"C:\Users\Admin\AppData\Local\Temp\KY6mW.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c MenJA.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c if NOT GOHCSFBB == DESKTOP-QO5QU33 set /p ="M"
    3⤵
    PID:3872
- - C:\Windows\SysWOW64\certutil.exe
    certutil -decode RJar.com V
    3⤵
    PID:3340
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com
    smss.com V
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3796
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com V
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3772
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3
    3⤵
    - Runs ping.exe
    PID:3612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads