9d5395d9c095c1aeae0901861b6949c738704cc408ee2d09c3ab08bd82754bb2

General

Target

9d5395d9c095c1aeae0901861b6949c738704cc408ee2d09c3ab08bd82754bb2.exe
Size

479KB
MD5

69f43d5ad7967296d2798fe101940870
SHA1

cdf753e090e424c0ae1be096f1d48220f7c2fbad
SHA256

9d5395d9c095c1aeae0901861b6949c738704cc408ee2d09c3ab08bd82754bb2
SHA512

53b9acacdfe53073f8ee0ad6a5dae6c738ee48e00b07dfcff42d0f56811dfa81e60850dc01a7a1cdced7d5cdbecbea998569c9914c9ef38bdb2ba29751011505
SSDEEP

12288:Vu06aQoqE+sbkDE5nmNgY4hEMqNtUxukd9UgeF:VxdQoEsAYmN46Muuxuk8geF

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1616	ÖÕ½áÃâÉ±.exe
1716	ÖÕ½áÃâÉ±.exe

Loads dropped DLL 4 IoCs

pid	Process
1948	9d5395d9c095c1aeae0901861b6949c738704cc408ee2d09c3ab08bd82754bb2.exe
1948	9d5395d9c095c1aeae0901861b6949c738704cc408ee2d09c3ab08bd82754bb2.exe
1948	9d5395d9c095c1aeae0901861b6949c738704cc408ee2d09c3ab08bd82754bb2.exe
1948	9d5395d9c095c1aeae0901861b6949c738704cc408ee2d09c3ab08bd82754bb2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9d5395d9c095c1aeae0901861b6949c738704cc408ee2d09c3ab08bd82754bb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9d5395d9c095c1aeae0901861b6949c738704cc408ee2d09c3ab08bd82754bb2.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1616	1948	9d5395d9c095c1aeae0901861b6949c738704cc408ee2d09c3ab08bd82754bb2.exe	28
PID 1948 wrote to memory of 1616	1948	9d5395d9c095c1aeae0901861b6949c738704cc408ee2d09c3ab08bd82754bb2.exe	28
PID 1948 wrote to memory of 1616	1948	9d5395d9c095c1aeae0901861b6949c738704cc408ee2d09c3ab08bd82754bb2.exe	28
PID 1948 wrote to memory of 1616	1948	9d5395d9c095c1aeae0901861b6949c738704cc408ee2d09c3ab08bd82754bb2.exe	28
PID 1948 wrote to memory of 1616	1948	9d5395d9c095c1aeae0901861b6949c738704cc408ee2d09c3ab08bd82754bb2.exe	28
PID 1948 wrote to memory of 1616	1948	9d5395d9c095c1aeae0901861b6949c738704cc408ee2d09c3ab08bd82754bb2.exe	28
PID 1948 wrote to memory of 1616	1948	9d5395d9c095c1aeae0901861b6949c738704cc408ee2d09c3ab08bd82754bb2.exe	28
PID 1948 wrote to memory of 1716	1948	9d5395d9c095c1aeae0901861b6949c738704cc408ee2d09c3ab08bd82754bb2.exe	29
PID 1948 wrote to memory of 1716	1948	9d5395d9c095c1aeae0901861b6949c738704cc408ee2d09c3ab08bd82754bb2.exe	29
PID 1948 wrote to memory of 1716	1948	9d5395d9c095c1aeae0901861b6949c738704cc408ee2d09c3ab08bd82754bb2.exe	29
PID 1948 wrote to memory of 1716	1948	9d5395d9c095c1aeae0901861b6949c738704cc408ee2d09c3ab08bd82754bb2.exe	29
PID 1948 wrote to memory of 1716	1948	9d5395d9c095c1aeae0901861b6949c738704cc408ee2d09c3ab08bd82754bb2.exe	29
PID 1948 wrote to memory of 1716	1948	9d5395d9c095c1aeae0901861b6949c738704cc408ee2d09c3ab08bd82754bb2.exe	29
PID 1948 wrote to memory of 1716	1948	9d5395d9c095c1aeae0901861b6949c738704cc408ee2d09c3ab08bd82754bb2.exe	29

C:\Users\Admin\AppData\Local\Temp\9d5395d9c095c1aeae0901861b6949c738704cc408ee2d09c3ab08bd82754bb2.exe
"C:\Users\Admin\AppData\Local\Temp\9d5395d9c095c1aeae0901861b6949c738704cc408ee2d09c3ab08bd82754bb2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ÖÕ½áÃâÉ±.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ÖÕ½áÃâÉ±.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ÖÕ½áÃâÉ±.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ÖÕ½áÃâÉ±.exe
  2⤵
  - Executes dropped EXE
  PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ÖÕ½áÃâÉ±.exe

Filesize
419KB

MD5
1a5a5f057ca2f943475d60724128f06e

SHA1
8cef57435be1b1fdf52dacfb33ce252b3eabfd48

SHA256
c0cdeda726ea1bacb9a0924fba21e372975f0327fd85a3d6845c48c56ac4d20b

SHA512
c8354b3585ad33bbcc78ef020e3ea7f2f49277b868b276d6df2ce1a9ef2c30128de63640f8e1238fb477ff92652b13f19dfa86357441f98d961a9c2f441c1a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ÖÕ½áÃâÉ±.exe

Filesize
419KB

MD5
1a5a5f057ca2f943475d60724128f06e

SHA1
8cef57435be1b1fdf52dacfb33ce252b3eabfd48

SHA256
c0cdeda726ea1bacb9a0924fba21e372975f0327fd85a3d6845c48c56ac4d20b

SHA512
c8354b3585ad33bbcc78ef020e3ea7f2f49277b868b276d6df2ce1a9ef2c30128de63640f8e1238fb477ff92652b13f19dfa86357441f98d961a9c2f441c1a08

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ÖÕ½áÃâÉ±.exe

Filesize
419KB

MD5
1a5a5f057ca2f943475d60724128f06e

SHA1
8cef57435be1b1fdf52dacfb33ce252b3eabfd48

SHA256
c0cdeda726ea1bacb9a0924fba21e372975f0327fd85a3d6845c48c56ac4d20b

SHA512
c8354b3585ad33bbcc78ef020e3ea7f2f49277b868b276d6df2ce1a9ef2c30128de63640f8e1238fb477ff92652b13f19dfa86357441f98d961a9c2f441c1a08

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ÖÕ½áÃâÉ±.exe

Filesize
419KB

MD5
1a5a5f057ca2f943475d60724128f06e

SHA1
8cef57435be1b1fdf52dacfb33ce252b3eabfd48

SHA256
c0cdeda726ea1bacb9a0924fba21e372975f0327fd85a3d6845c48c56ac4d20b

SHA512
c8354b3585ad33bbcc78ef020e3ea7f2f49277b868b276d6df2ce1a9ef2c30128de63640f8e1238fb477ff92652b13f19dfa86357441f98d961a9c2f441c1a08

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ÖÕ½áÃâÉ±.exe

Filesize
419KB

MD5
1a5a5f057ca2f943475d60724128f06e

SHA1
8cef57435be1b1fdf52dacfb33ce252b3eabfd48

SHA256
c0cdeda726ea1bacb9a0924fba21e372975f0327fd85a3d6845c48c56ac4d20b

SHA512
c8354b3585ad33bbcc78ef020e3ea7f2f49277b868b276d6df2ce1a9ef2c30128de63640f8e1238fb477ff92652b13f19dfa86357441f98d961a9c2f441c1a08

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ÖÕ½áÃâÉ±.exe

Filesize
419KB

MD5
1a5a5f057ca2f943475d60724128f06e

SHA1
8cef57435be1b1fdf52dacfb33ce252b3eabfd48

SHA256
c0cdeda726ea1bacb9a0924fba21e372975f0327fd85a3d6845c48c56ac4d20b

SHA512
c8354b3585ad33bbcc78ef020e3ea7f2f49277b868b276d6df2ce1a9ef2c30128de63640f8e1238fb477ff92652b13f19dfa86357441f98d961a9c2f441c1a08

Download Submit
memory/1948-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing