c02db454b0f631ac3be7403a5f14eed17991eec4c3927d824a655cabb0421c5c

General

Target

c02db454b0f631ac3be7403a5f14eed17991eec4c3927d824a655cabb0421c5c.exe
Size

93KB
MD5

b486acaf73be12bc150b8061da425021
SHA1

96222cebd14c48ccf38457c51ee8839834f40993
SHA256

c02db454b0f631ac3be7403a5f14eed17991eec4c3927d824a655cabb0421c5c
SHA512

2b20c53f9af583ad4c45bb814418ecb888496642ed5ffb7802e5a2b0377b73d04fdfa52a7f4f8fa5f4682ea6b826cdaebe29ec0453e0a508815be5c5d0244b1e
SSDEEP

1536:/5neEhlcTW5sk1jtf2XvWINndIcN6J/ms5g7f6HZdFsiu3DspESE0O:Bnj9jtfU+INndIc0J35iYZdFZpESE0O

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1448	logger.exe

Loads dropped DLL 3 IoCs

pid	Process
1372	c02db454b0f631ac3be7403a5f14eed17991eec4c3927d824a655cabb0421c5c.exe
1372	c02db454b0f631ac3be7403a5f14eed17991eec4c3927d824a655cabb0421c5c.exe
1448	logger.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\taskmgr.exe = "C:\\windows\\system32\\krsr\\taskmgr.exe"	logger.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c02db454b0f631ac3be7403a5f14eed17991eec4c3927d824a655cabb0421c5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c02db454b0f631ac3be7403a5f14eed17991eec4c3927d824a655cabb0421c5c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	logger.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\krsr\taskmgr.exe	logger.exe
File opened for modification	C:\windows\SysWOW64\krsr\taskmgr.exe	logger.exe
File opened for modification	\??\c:\windows\SysWOW64\krsr\resim.jpg	logger.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database	logger.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	logger.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	logger.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1448	logger.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 1448	1372	c02db454b0f631ac3be7403a5f14eed17991eec4c3927d824a655cabb0421c5c.exe	28
PID 1372 wrote to memory of 1448	1372	c02db454b0f631ac3be7403a5f14eed17991eec4c3927d824a655cabb0421c5c.exe	28
PID 1372 wrote to memory of 1448	1372	c02db454b0f631ac3be7403a5f14eed17991eec4c3927d824a655cabb0421c5c.exe	28
PID 1372 wrote to memory of 1448	1372	c02db454b0f631ac3be7403a5f14eed17991eec4c3927d824a655cabb0421c5c.exe	28
PID 1372 wrote to memory of 1448	1372	c02db454b0f631ac3be7403a5f14eed17991eec4c3927d824a655cabb0421c5c.exe	28
PID 1372 wrote to memory of 1448	1372	c02db454b0f631ac3be7403a5f14eed17991eec4c3927d824a655cabb0421c5c.exe	28
PID 1372 wrote to memory of 1448	1372	c02db454b0f631ac3be7403a5f14eed17991eec4c3927d824a655cabb0421c5c.exe	28

C:\Users\Admin\AppData\Local\Temp\c02db454b0f631ac3be7403a5f14eed17991eec4c3927d824a655cabb0421c5c.exe
"C:\Users\Admin\AppData\Local\Temp\c02db454b0f631ac3be7403a5f14eed17991eec4c3927d824a655cabb0421c5c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\logger.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\logger.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\logger.exe

Filesize
36KB

MD5
cb114ac5f3f064b46c71f12e0ca498ed

SHA1
3f7530bf7eb4f00d2015ddd448f16e0916e6a33d

SHA256
1501e16b0b24f6db516e463df8f6e7ebd962c2047c569b532c0933db3a87ac6f

SHA512
aeee195ad0db9c37c43c57f93d4d03f5a1754c14e77986606411f15966fa5ee0957191b597eaa66b491b2c22c3e257760da6398829ac8148ab3f6866924c5854

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\logger.exe

Filesize
36KB

MD5
cb114ac5f3f064b46c71f12e0ca498ed

SHA1
3f7530bf7eb4f00d2015ddd448f16e0916e6a33d

SHA256
1501e16b0b24f6db516e463df8f6e7ebd962c2047c569b532c0933db3a87ac6f

SHA512
aeee195ad0db9c37c43c57f93d4d03f5a1754c14e77986606411f15966fa5ee0957191b597eaa66b491b2c22c3e257760da6398829ac8148ab3f6866924c5854

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\logger.exe

Filesize
36KB

MD5
cb114ac5f3f064b46c71f12e0ca498ed

SHA1
3f7530bf7eb4f00d2015ddd448f16e0916e6a33d

SHA256
1501e16b0b24f6db516e463df8f6e7ebd962c2047c569b532c0933db3a87ac6f

SHA512
aeee195ad0db9c37c43c57f93d4d03f5a1754c14e77986606411f15966fa5ee0957191b597eaa66b491b2c22c3e257760da6398829ac8148ab3f6866924c5854

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\logger.exe

Filesize
36KB

MD5
cb114ac5f3f064b46c71f12e0ca498ed

SHA1
3f7530bf7eb4f00d2015ddd448f16e0916e6a33d

SHA256
1501e16b0b24f6db516e463df8f6e7ebd962c2047c569b532c0933db3a87ac6f

SHA512
aeee195ad0db9c37c43c57f93d4d03f5a1754c14e77986606411f15966fa5ee0957191b597eaa66b491b2c22c3e257760da6398829ac8148ab3f6866924c5854

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\logger.exe

Filesize
36KB

MD5
cb114ac5f3f064b46c71f12e0ca498ed

SHA1
3f7530bf7eb4f00d2015ddd448f16e0916e6a33d

SHA256
1501e16b0b24f6db516e463df8f6e7ebd962c2047c569b532c0933db3a87ac6f

SHA512
aeee195ad0db9c37c43c57f93d4d03f5a1754c14e77986606411f15966fa5ee0957191b597eaa66b491b2c22c3e257760da6398829ac8148ab3f6866924c5854

Download Submit
memory/1372-54-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download
memory/1372-64-0x0000000000220000-0x0000000000240000-memory.dmp

Filesize
128KB

Download
memory/1448-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1448-66-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing