f29606a222dac3eb2c51876a7ae1dcad383215bbbafbbbc034bb5787ca741174

General

Target

f29606a222dac3eb2c51876a7ae1dcad383215bbbafbbbc034bb5787ca741174.exe
Size

192KB
MD5

6042db3e9e1f5addf7967395e10650ef
SHA1

22c75b185e69831b94a4902dcc57e55eb72083ac
SHA256

f29606a222dac3eb2c51876a7ae1dcad383215bbbafbbbc034bb5787ca741174
SHA512

25918b60ea7aa49d51b6abf3a671399335eacd9cb5db9b6551826ba71ad4297c4409dcf815ce72c15aa1dd426207551042c76d03880f6e0aaed76fa78af35448
SSDEEP

3072:T4bdx7JIo+HNjpMEDJMdR/dBFOcYFbsJpPMTsuZfh:8JMo4iENKzpYFgJpPMwuZ5

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1276	nxxdpf.exe

Deletes itself 1 IoCs

pid	Process
1352	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1352	cmd.exe
1352	cmd.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	nxxdpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	nxxdpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	nxxdpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\lpzcw\\command	nxxdpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	nxxdpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\lpzcw	nxxdpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\lpzcw	nxxdpf.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
276	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 1352	1600	f29606a222dac3eb2c51876a7ae1dcad383215bbbafbbbc034bb5787ca741174.exe	27
PID 1600 wrote to memory of 1352	1600	f29606a222dac3eb2c51876a7ae1dcad383215bbbafbbbc034bb5787ca741174.exe	27
PID 1600 wrote to memory of 1352	1600	f29606a222dac3eb2c51876a7ae1dcad383215bbbafbbbc034bb5787ca741174.exe	27
PID 1600 wrote to memory of 1352	1600	f29606a222dac3eb2c51876a7ae1dcad383215bbbafbbbc034bb5787ca741174.exe	27
PID 1352 wrote to memory of 1276	1352	cmd.exe	29
PID 1352 wrote to memory of 1276	1352	cmd.exe	29
PID 1352 wrote to memory of 1276	1352	cmd.exe	29
PID 1352 wrote to memory of 1276	1352	cmd.exe	29
PID 1352 wrote to memory of 276	1352	cmd.exe	30
PID 1352 wrote to memory of 276	1352	cmd.exe	30
PID 1352 wrote to memory of 276	1352	cmd.exe	30
PID 1352 wrote to memory of 276	1352	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\f29606a222dac3eb2c51876a7ae1dcad383215bbbafbbbc034bb5787ca741174.exe
"C:\Users\Admin\AppData\Local\Temp\f29606a222dac3eb2c51876a7ae1dcad383215bbbafbbbc034bb5787ca741174.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\ltwgovs.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Users\Admin\AppData\Local\Temp\nxxdpf.exe
    "C:\Users\Admin\AppData\Local\Temp\nxxdpf.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:1276
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ltwgovs.bat

Filesize
124B

MD5
f487c0d05b0bffc4a92645d7bb213633

SHA1
9edc4037aa5214d7350b29e3f8e4d2bf1652a9eb

SHA256
fe7ca85cb30f49a021afdc2df478e9cda3bd4f5b2455448fcc5bad3ae329eb37

SHA512
025c58c88c9c6931a8362de659f5a13e96d12ae87e78f9419a557f1277f714d26e8116da9ddb7f2e68c44031b4f44d62bd03c9af4810794eadc56ea85cbf1d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\nxxdpf.exe

Filesize
144KB

MD5
66756710121df712b26a9681d270f5cd

SHA1
99748ec15ccde33db267841e4e1fa3fb29b5f0c3

SHA256
cc4d02221ca5195dbb36488527ae21cca8d2889c96928facb6760fc2f240a3b7

SHA512
77ce5da0953b13891341cf59042e1fe0dd04d63472ee2f595daa8b8b4dad82d380da3ee4ab9aad52959fbea9914d356a06feb8cf6ad6e91011a8cb7123b24931

Download Submit
C:\Users\Admin\AppData\Local\Temp\nxxdpf.exe

Filesize
144KB

MD5
66756710121df712b26a9681d270f5cd

SHA1
99748ec15ccde33db267841e4e1fa3fb29b5f0c3

SHA256
cc4d02221ca5195dbb36488527ae21cca8d2889c96928facb6760fc2f240a3b7

SHA512
77ce5da0953b13891341cf59042e1fe0dd04d63472ee2f595daa8b8b4dad82d380da3ee4ab9aad52959fbea9914d356a06feb8cf6ad6e91011a8cb7123b24931

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjaztg.bat

Filesize
188B

MD5
9716ff5024bc13b6f60959d6f46d2d9e

SHA1
c3c7e60a59bda0e2eb3e5005d48e0f4888aea57c

SHA256
46c74eadc6982f1a991ef008383da2e8511ef3eb931e4d75eef68f0d8565e9f3

SHA512
668be30ac792a8a0bfb9db8fcf0f70125fc2022eb7443cd98ca264944d4ba6cf7e0c13ba799293a8f0bccad9d19dff712feac2a4d96c157abaa9b55b5b76ad48

Download Submit
\Users\Admin\AppData\Local\Temp\nxxdpf.exe

Filesize
144KB

MD5
66756710121df712b26a9681d270f5cd

SHA1
99748ec15ccde33db267841e4e1fa3fb29b5f0c3

SHA256
cc4d02221ca5195dbb36488527ae21cca8d2889c96928facb6760fc2f240a3b7

SHA512
77ce5da0953b13891341cf59042e1fe0dd04d63472ee2f595daa8b8b4dad82d380da3ee4ab9aad52959fbea9914d356a06feb8cf6ad6e91011a8cb7123b24931

Download Submit
\Users\Admin\AppData\Local\Temp\nxxdpf.exe

Filesize
144KB

MD5
66756710121df712b26a9681d270f5cd

SHA1
99748ec15ccde33db267841e4e1fa3fb29b5f0c3

SHA256
cc4d02221ca5195dbb36488527ae21cca8d2889c96928facb6760fc2f240a3b7

SHA512
77ce5da0953b13891341cf59042e1fe0dd04d63472ee2f595daa8b8b4dad82d380da3ee4ab9aad52959fbea9914d356a06feb8cf6ad6e91011a8cb7123b24931

Download Submit
memory/1600-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing