193d21917af44dca2a3917f4932f3e61877e5a5e6a9f8b2e7338e2b5d4ba0d88

Analysis

max time kernel
149s
max time network
117s
platform
windows7_x64
resource
win7v20201028
submitted
17-11-2020 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6a834577bb0b73aa6ace98a9568d99d.exe
Size

1.0MB
MD5

7beb1980ff04112de36431a6d35e369d
SHA1

1e557eb4af6c48a37899391c01e925960c031883
SHA256

193d21917af44dca2a3917f4932f3e61877e5a5e6a9f8b2e7338e2b5d4ba0d88
SHA512

e3f2aaaedb52c3d05e261d1c8e90503fd69abdc3c7cf53afba4baaa7fba78545a0eb8bfc3830b190a337c3a41f5b06d388af3f9f50aa979b3905ba2c852e2f67

Score

10^/10

persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

explorer.com

description pid process target process

PID 1764 created 1268 1764 explorer.com Explorer.EXE
Executes dropped EXE 2 IoCs

Processes:

explorer.comexplorer.com

pid process

1976 explorer.com
1764 explorer.com
Loads dropped DLL 2 IoCs

Processes:

cmd.exeexplorer.com

pid process

1692 cmd.exe
1976 explorer.com

description	pid	process	target process
PID 1764 created 1268	1764	explorer.com	Explorer.EXE

pid	process
1976	explorer.com
1764	explorer.com

pid	process
1692	cmd.exe
1976	explorer.com

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a6a834577bb0b73aa6ace98a9568d99d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a6a834577bb0b73aa6ace98a9568d99d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a6a834577bb0b73aa6ace98a9568d99d.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1736 PING.EXE
1732 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

explorer.com

pid process

1764 explorer.com

pid	process
1736	PING.EXE
1732	PING.EXE

pid	process
1764	explorer.com

Suspicious use of WriteProcessMemory 6790 IoCs

Processes:

a6a834577bb0b73aa6ace98a9568d99d.execmd.execmd.exeexplorer.comexplorer.com

description	pid	process	target process
PID 2028 wrote to memory of 1624	2028	a6a834577bb0b73aa6ace98a9568d99d.exe	cmd.exe
PID 2028 wrote to memory of 1624	2028	a6a834577bb0b73aa6ace98a9568d99d.exe	cmd.exe
PID 2028 wrote to memory of 1624	2028	a6a834577bb0b73aa6ace98a9568d99d.exe	cmd.exe
PID 2028 wrote to memory of 1624	2028	a6a834577bb0b73aa6ace98a9568d99d.exe	cmd.exe
PID 1624 wrote to memory of 1692	1624	cmd.exe	cmd.exe
PID 1624 wrote to memory of 1692	1624	cmd.exe	cmd.exe
PID 1624 wrote to memory of 1692	1624	cmd.exe	cmd.exe
PID 1624 wrote to memory of 1692	1624	cmd.exe	cmd.exe
PID 1692 wrote to memory of 1736	1692	cmd.exe	PING.EXE
PID 1692 wrote to memory of 1736	1692	cmd.exe	PING.EXE
PID 1692 wrote to memory of 1736	1692	cmd.exe	PING.EXE
PID 1692 wrote to memory of 1736	1692	cmd.exe	PING.EXE
PID 1692 wrote to memory of 1972	1692	cmd.exe	certutil.exe
PID 1692 wrote to memory of 1972	1692	cmd.exe	certutil.exe
PID 1692 wrote to memory of 1972	1692	cmd.exe	certutil.exe
PID 1692 wrote to memory of 1972	1692	cmd.exe	certutil.exe
PID 1692 wrote to memory of 1976	1692	cmd.exe	explorer.com
PID 1692 wrote to memory of 1976	1692	cmd.exe	explorer.com
PID 1692 wrote to memory of 1976	1692	cmd.exe	explorer.com
PID 1692 wrote to memory of 1976	1692	cmd.exe	explorer.com
PID 1692 wrote to memory of 1732	1692	cmd.exe	PING.EXE
PID 1692 wrote to memory of 1732	1692	cmd.exe	PING.EXE
PID 1692 wrote to memory of 1732	1692	cmd.exe	PING.EXE
PID 1692 wrote to memory of 1732	1692	cmd.exe	PING.EXE
PID 1976 wrote to memory of 1764	1976	explorer.com	explorer.com
PID 1976 wrote to memory of 1764	1976	explorer.com	explorer.com
PID 1976 wrote to memory of 1764	1976	explorer.com	explorer.com
PID 1976 wrote to memory of 1764	1976	explorer.com	explorer.com
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe
PID 1764 wrote to memory of 956	1764	explorer.com	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

956 attrib.exe

pid	process
956	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\a6a834577bb0b73aa6ace98a9568d99d.exe
"C:\Users\Admin\AppData\Local\Temp\a6a834577bb0b73aa6ace98a9568d99d.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < tivNBahuGkfZnXCDDyWmgCpPTpgnqDftuQ.JbqIMiWExzwXhRzWwzElBXHTstOueVlTIsSuDv
3⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\PING.EXE
ping -n 1 DuqYAYUt.DuqYAYUt
5⤵
- Runs ping.exe
PID:1736

C:\Windows\SysWOW64\certutil.exe
certutil -decode dTiuhMGXxbGrTyPfEaVSNiuANPcsWAuTgx.pRMcRvaXQRWVHiQtrJIKpNGzns Ta
5⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\explorer.com
explorer.com Ta
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\explorer.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\explorer.com Ta
6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
5⤵
- Runs ping.exe
PID:1732

C:\Windows\SysWOW64\attrib.exe
C:\Windows\SysWOW64\attrib.exe
2⤵
- Views/modifies file attributes
PID:956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KupuVeTCyBuoEfimWgZQURoXWzSIuJMcKT.ubxtPHBrXohaUDWzIZQES
MD5
4b370384a4b27ffc655d9f23a8a4cc10

SHA1
110f41471b356424137d086c8cd7e21d13c3be6d

SHA256
b2292b52643af40cf48706f67788bda06299447f29f8dbeab30a2fb48b6681b3

SHA512
5e09298186d02cefa595c322fc04eab435f0eef9ed1f4db8b58e077724293980824b8df7034c518734d37be3c2e733795e400ffd5518345c49c549a9c167187f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ta
MD5
36507ca429f4ff3d3612d6b70dd18454

SHA1
2a393327a753fbba7faa66024caba54ff43a7a2a

SHA256
3e360fd119496d5000740ac0c6258ceb6939e9a630a77fcbf5fb6b211a6e8ccc

SHA512
8f5fe3ed8b8fb094f6c300a3665e182958d92f1a670ecd29e4795eabf00304e1b126bd0f2a4ad14d41765abb06e4f1243a20faa899f8da171b39eb2e08b46999

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dTiuhMGXxbGrTyPfEaVSNiuANPcsWAuTgx.pRMcRvaXQRWVHiQtrJIKpNGzns
MD5
769a411c1cfb4a2453b589a05f0f14f2

SHA1
53a40b0718dd3f410c9413dc69777d5fc8dfcd20

SHA256
9d264bb0f813569daccea73ad336cd700b49de615a3ec79d62df2f575bff062a

SHA512
e76b7fc664abbe1f98ddb57d8507bba3c693ca6e0d6f7433663bff3f972d7ff526961d6047615af0456c8f9b7adb4d2a7992970b1af5264498a3505849b6f886

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\explorer.com
MD5
e7dbc29175aa7c5a78cf12966aafab20

SHA1
6194bdff440ba264514b88ba124da78553603cc8

SHA256
3073e2e587dd9b13cedaa20401d69f2533d03e1e946f091d8556474b8579e4c5

SHA512
29de405873cb65d23fadee46773e5018de23a2674f35b08cb2db388fe2c39d7667ba9a45764ca98db40cfcfe68a8cc5675d4691d542def2ef3896c72e1193af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\explorer.com
MD5
e7dbc29175aa7c5a78cf12966aafab20

SHA1
6194bdff440ba264514b88ba124da78553603cc8

SHA256
3073e2e587dd9b13cedaa20401d69f2533d03e1e946f091d8556474b8579e4c5

SHA512
29de405873cb65d23fadee46773e5018de23a2674f35b08cb2db388fe2c39d7667ba9a45764ca98db40cfcfe68a8cc5675d4691d542def2ef3896c72e1193af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\explorer.com
MD5
e7dbc29175aa7c5a78cf12966aafab20

SHA1
6194bdff440ba264514b88ba124da78553603cc8

SHA256
3073e2e587dd9b13cedaa20401d69f2533d03e1e946f091d8556474b8579e4c5

SHA512
29de405873cb65d23fadee46773e5018de23a2674f35b08cb2db388fe2c39d7667ba9a45764ca98db40cfcfe68a8cc5675d4691d542def2ef3896c72e1193af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pzOkPIqYypftcUgppklCEcyHo.PHGBUSmPGkrMvBCjyjuKfDvrSRsGFNhie
MD5
196a547c5ded2b2bf6ccd1db12d51191

SHA1
4bc6dd197eedbe889ecbf550da12954381e3e1e1

SHA256
9f7a58524090bf466870019014ef9b5baad4986e5afd85a835238332a61f7070

SHA512
00281a4423cd32ecdfaceef8549a33853d35ea7f44eaf14712502ec762995d92b5d3897478f9cf46336c15a98a1ecd0356a363099e5690fed3e1593d7d6abef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tivNBahuGkfZnXCDDyWmgCpPTpgnqDftuQ.JbqIMiWExzwXhRzWwzElBXHTstOueVlTIsSuDv
MD5
167d4bc8d258c4f59d1502917fbf743a

SHA1
c06369bf4cc8fc2e3a37840712de1dbb2ea3e7aa

SHA256
1ceb605f07415f1a313377c693cb48e74532cac84ef41edee14af5da08202363

SHA512
be0f742e3fbad0eaf5f3ba2039015f5941a4619054eda051ef541b1c637691c9dc1e86bf5efef419b29a09920d0c384ed9ef8b39dc38035b3100a0cfe4bc0ac2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\explorer.com
MD5
e7dbc29175aa7c5a78cf12966aafab20

SHA1
6194bdff440ba264514b88ba124da78553603cc8

SHA256
3073e2e587dd9b13cedaa20401d69f2533d03e1e946f091d8556474b8579e4c5

SHA512
29de405873cb65d23fadee46773e5018de23a2674f35b08cb2db388fe2c39d7667ba9a45764ca98db40cfcfe68a8cc5675d4691d542def2ef3896c72e1193af9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\explorer.com
MD5
e7dbc29175aa7c5a78cf12966aafab20

SHA1
6194bdff440ba264514b88ba124da78553603cc8

SHA256
3073e2e587dd9b13cedaa20401d69f2533d03e1e946f091d8556474b8579e4c5

SHA512
29de405873cb65d23fadee46773e5018de23a2674f35b08cb2db388fe2c39d7667ba9a45764ca98db40cfcfe68a8cc5675d4691d542def2ef3896c72e1193af9

Download Submit
memory/956-17-0x0000000000550000-0x000000001236B000-memory.dmp

Filesize
286.1MB

Download
memory/956-18-0x0000000000550000-0x000000001236B000-memory.dmp

Filesize
286.1MB

Download
memory/956-19-0x0000000000550000-0x000000001236B000-memory.dmp

Filesize
286.1MB

Download
memory/956-20-0x0000000000550000-0x000000001236B000-memory.dmp

Filesize
286.1MB

Download
memory/1624-0-0x0000000000000000-mapping.dmp

Download
memory/1692-2-0x0000000000000000-mapping.dmp

Download
memory/1732-10-0x0000000000000000-mapping.dmp

Download
memory/1736-3-0x0000000000000000-mapping.dmp

Download
memory/1764-14-0x0000000000000000-mapping.dmp

Download
memory/1972-5-0x0000000000000000-mapping.dmp

Download
memory/1976-8-0x0000000000000000-mapping.dmp

Download