637d172395f876a73f77476c2ab1261e289b8f12395110627a7c93583b11c868

Analysis

max time kernel
152s
max time network
25s
platform
windows7_x64
resource
win7v200722
submitted
31-07-2020 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c8f76ef10a7d2493dec6399c4225a73.exe
Size

1.0MB
MD5

5c8f76ef10a7d2493dec6399c4225a73
SHA1

f40891e66c3b6a568a822a6a09868370ea80a3a1
SHA256

637d172395f876a73f77476c2ab1261e289b8f12395110627a7c93583b11c868
SHA512

b244a4e76d4fa9b73008bac323443f0c26e9a6053550c0b7ae174b7434ae4a28f9d2982995ec999c91cfd3945f0a248ee4c95dfd21b20569a8b0bca361f31f0c

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

explorer.comexplorer.com

pid process

1052 explorer.com
1776 explorer.com
Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

1428 powershell.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exeexplorer.com

pid process

836 cmd.exe
1052 explorer.com

pid	process
1052	explorer.com
1776	explorer.com

pid	process
1428	powershell.exe

pid	process
836	cmd.exe
1052	explorer.com

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5c8f76ef10a7d2493dec6399c4225a73.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5c8f76ef10a7d2493dec6399c4225a73.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5c8f76ef10a7d2493dec6399c4225a73.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1532 PING.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exe

pid process

1428 powershell.exe
1428 powershell.exe
1428 powershell.exe
1428 powershell.exe
1428 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1428 powershell.exe
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

explorer.comexplorer.com

pid process

1052 explorer.com
1052 explorer.com
1052 explorer.com
1776 explorer.com
1776 explorer.com
1776 explorer.com
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

explorer.comexplorer.com

pid process

1052 explorer.com
1052 explorer.com
1052 explorer.com
1776 explorer.com
1776 explorer.com
1776 explorer.com

pid	process
1532	PING.EXE

pid	process
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1428	powershell.exe

pid	process
1052	explorer.com
1052	explorer.com
1052	explorer.com
1776	explorer.com
1776	explorer.com
1776	explorer.com

pid	process
1052	explorer.com
1052	explorer.com
1052	explorer.com
1776	explorer.com
1776	explorer.com
1776	explorer.com

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5c8f76ef10a7d2493dec6399c4225a73.execmd.execmd.exeexplorer.comexplorer.com

description	pid	process	target process
PID 844 wrote to memory of 284	844	5c8f76ef10a7d2493dec6399c4225a73.exe	cmd.exe
PID 844 wrote to memory of 284	844	5c8f76ef10a7d2493dec6399c4225a73.exe	cmd.exe
PID 844 wrote to memory of 284	844	5c8f76ef10a7d2493dec6399c4225a73.exe	cmd.exe
PID 844 wrote to memory of 284	844	5c8f76ef10a7d2493dec6399c4225a73.exe	cmd.exe
PID 284 wrote to memory of 836	284	cmd.exe	cmd.exe
PID 284 wrote to memory of 836	284	cmd.exe	cmd.exe
PID 284 wrote to memory of 836	284	cmd.exe	cmd.exe
PID 284 wrote to memory of 836	284	cmd.exe	cmd.exe
PID 836 wrote to memory of 1056	836	cmd.exe	certutil.exe
PID 836 wrote to memory of 1056	836	cmd.exe	certutil.exe
PID 836 wrote to memory of 1056	836	cmd.exe	certutil.exe
PID 836 wrote to memory of 1056	836	cmd.exe	certutil.exe
PID 836 wrote to memory of 1052	836	cmd.exe	explorer.com
PID 836 wrote to memory of 1052	836	cmd.exe	explorer.com
PID 836 wrote to memory of 1052	836	cmd.exe	explorer.com
PID 836 wrote to memory of 1052	836	cmd.exe	explorer.com
PID 836 wrote to memory of 1532	836	cmd.exe	PING.EXE
PID 836 wrote to memory of 1532	836	cmd.exe	PING.EXE
PID 836 wrote to memory of 1532	836	cmd.exe	PING.EXE
PID 836 wrote to memory of 1532	836	cmd.exe	PING.EXE
PID 1052 wrote to memory of 1776	1052	explorer.com	explorer.com
PID 1052 wrote to memory of 1776	1052	explorer.com	explorer.com
PID 1052 wrote to memory of 1776	1052	explorer.com	explorer.com
PID 1052 wrote to memory of 1776	1052	explorer.com	explorer.com
PID 844 wrote to memory of 1428	844	5c8f76ef10a7d2493dec6399c4225a73.exe	powershell.exe
PID 844 wrote to memory of 1428	844	5c8f76ef10a7d2493dec6399c4225a73.exe	powershell.exe
PID 844 wrote to memory of 1428	844	5c8f76ef10a7d2493dec6399c4225a73.exe	powershell.exe
PID 844 wrote to memory of 1428	844	5c8f76ef10a7d2493dec6399c4225a73.exe	powershell.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe
PID 1776 wrote to memory of 1580	1776	explorer.com	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\5c8f76ef10a7d2493dec6399c4225a73.exe
"C:\Users\Admin\AppData\Local\Temp\5c8f76ef10a7d2493dec6399c4225a73.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < JvTHWKHzStqcYFOD.com
2⤵
- Suspicious use of WriteProcessMemory
PID:284

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\certutil.exe
certutil -decode krh.com i
4⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\explorer.com
explorer.com i
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1052

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\explorer.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\explorer.com i
5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
6⤵
PID:1580

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:1532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command $egs = (Get-WmiObject win32_process -Filter "processid=$pid").parentprocessid; $wxh = (Get-WmiObject win32_process -Filter "processid=$egs").executablepath; Stop-Process -ID $egs -Force; Start-Sleep -s 1; Remove-Item -path $wxh
2⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JvTHWKHzStqcYFOD.com
MD5
2dbf9bbfd1d3e67735f0d8ac2b0dccdc

SHA1
558cc91d24904c7c34859be45f6d65233a0fbfa3

SHA256
dbbc71bfcdc96d9861f28e281d8f16263df3e78a4631ad7144a02ae58f07f963

SHA512
de5368593bb2bcca3d85cb697dbe5b0a44406fb8841eab76acd5eab5c6c51c8e6cb0b75c8094b818448997bda2bf5a6217346a263605feed93e9be59628c1751

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SpKWlRpqQTmGoYMEl.com
MD5
df6fbc5de331f39be67e2b343ff02083

SHA1
2791147f5aba7d5242d531f0444695b9fecb3c42

SHA256
ccefe3c453a32c04dd03e835879aceae0b96e7d25359dc05a8cfa7a880c21936

SHA512
35e1b55975104e9ddf24fc2842848f63c954f6e69bf8a4df370caaad43ff01f259fbd4e96e45bcbd2287192551afa3df5f9ad8726a3331d80a9c53fa558bf8a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\explorer.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\explorer.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\explorer.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i
MD5
2609f87a51fbe39d96b4ee195cd40fcf

SHA1
2217c495d6802e945677b78f7bf146b87ade9e7c

SHA256
7e8de7b6e725dcbf19c2195ade1cdce380699f8fc96434619143680df06fcd1c

SHA512
c9482ef0b93cca66f55e63567c6edb5ef1a178b20882dfeee1cd63f0b30ae66e694d7baee7c0088fd48951844f341093762dd66632e374eae5e6436c3373fc59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\krh.com
MD5
0a3466961c111bb8803a8328e447eb87

SHA1
efe5e51310ee20da01b2e069a28368a64a4c8c3d

SHA256
51cd2d9189b83f8c6f0482ee91463201546bc2577f4a0c8606b269a862772ed9

SHA512
b11e56d2d1ae200c8ea80693461a1d793a4aa75459ced84a3fd1bded1148d0d8b2fec851534f1cc615c6741295ca5fe391da616c208c73a27d4f277a5bed8cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kwWewuDmtROlol.com
MD5
b8af5e00708753a645ddcd8c15597067

SHA1
641a6c29431f0f9c608407b0382533a716aad059

SHA256
3a4489bc5ae1a0ae3fc4383a7cd641b85004c77989275736ee29576d80740e96

SHA512
80c654b75c31740e4b894623346db603591516d1ae47db043ee537e61795994d3742a72e1a95fa7df1f723f842353fca7cfc4acdb468ed4147eeba6f7ec31b87

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\explorer.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\explorer.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/284-0-0x0000000000000000-mapping.dmp

Download
memory/836-2-0x0000000000000000-mapping.dmp

Download
memory/1052-7-0x0000000000000000-mapping.dmp

Download
memory/1056-4-0x0000000000000000-mapping.dmp

Download
memory/1428-16-0x0000000000000000-mapping.dmp

Download
memory/1532-9-0x0000000000000000-mapping.dmp

Download
memory/1580-21-0x00000000003C0000-0x00000000121DB000-memory.dmp

Filesize
286.1MB

Download
memory/1580-19-0x00000000003C0000-0x00000000121DB000-memory.dmp

Filesize
286.1MB

Download
memory/1580-20-0x00000000003C0000-0x00000000121DB000-memory.dmp

Filesize
286.1MB

Download
memory/1580-22-0x00000000003C0000-0x00000000121DB000-memory.dmp

Filesize
286.1MB

Download
memory/1580-266-0x00000000003C0000-0x00000000121DB000-memory.dmp

Filesize
286.1MB

Download
memory/1580-267-0x00000000003C0000-0x00000000121DB000-memory.dmp

Filesize
286.1MB

Download
memory/1580-268-0x00000000003C0000-0x00000000121DB000-memory.dmp

Filesize
286.1MB

Download
memory/1776-13-0x0000000000000000-mapping.dmp

Download