af65a444d09523f745155c0f092e5e90b6092aebe6277e7353e68507714571a6

General

Target

af65a444d09523f745155c0f092e5e90b6092aebe6277e7353e68507714571a6.exe
Size

143KB
MD5

668f2fdfd29e37014dbe44301d40ca29
SHA1

b1a6102631f0ea6e786064af3c2931ae1df5c0fc
SHA256

af65a444d09523f745155c0f092e5e90b6092aebe6277e7353e68507714571a6
SHA512

53c2f0ba3f18d58bd534be04f46c28ccc4a3d71b94f15bbd0a88a919ed91ab959b64bb67991a65d8a2789a98780a65878ff1ae1f306443a546b0ab50c1bc88f6
SSDEEP

3072:BN6ZlSa+Ncq6/H5BruHKeLGlKIGL0Tj3I5skgY912vFqQGyhRci+fs:BylSx4OqeLMKIPISo2X6iZ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
988	move.exe

Loads dropped DLL 3 IoCs

pid	Process
1768	af65a444d09523f745155c0f092e5e90b6092aebe6277e7353e68507714571a6.exe
1768	af65a444d09523f745155c0f092e5e90b6092aebe6277e7353e68507714571a6.exe
988	move.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	af65a444d09523f745155c0f092e5e90b6092aebe6277e7353e68507714571a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	af65a444d09523f745155c0f092e5e90b6092aebe6277e7353e68507714571a6.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
988	move.exe
988	move.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 988	1768	af65a444d09523f745155c0f092e5e90b6092aebe6277e7353e68507714571a6.exe	27
PID 1768 wrote to memory of 988	1768	af65a444d09523f745155c0f092e5e90b6092aebe6277e7353e68507714571a6.exe	27
PID 1768 wrote to memory of 988	1768	af65a444d09523f745155c0f092e5e90b6092aebe6277e7353e68507714571a6.exe	27
PID 1768 wrote to memory of 988	1768	af65a444d09523f745155c0f092e5e90b6092aebe6277e7353e68507714571a6.exe	27
PID 1768 wrote to memory of 988	1768	af65a444d09523f745155c0f092e5e90b6092aebe6277e7353e68507714571a6.exe	27
PID 1768 wrote to memory of 988	1768	af65a444d09523f745155c0f092e5e90b6092aebe6277e7353e68507714571a6.exe	27
PID 1768 wrote to memory of 988	1768	af65a444d09523f745155c0f092e5e90b6092aebe6277e7353e68507714571a6.exe	27
PID 988 wrote to memory of 1388	988	move.exe	15
PID 988 wrote to memory of 1388	988	move.exe	15
PID 988 wrote to memory of 1388	988	move.exe	15
PID 988 wrote to memory of 1388	988	move.exe	15

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1388
- C:\Users\Admin\AppData\Local\Temp\af65a444d09523f745155c0f092e5e90b6092aebe6277e7353e68507714571a6.exe
  "C:\Users\Admin\AppData\Local\Temp\af65a444d09523f745155c0f092e5e90b6092aebe6277e7353e68507714571a6.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\move.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\move.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\move.exe

Filesize
45KB

MD5
ede618f02098fbaedc921a4cc64f6528

SHA1
aa125a98579626b28d5edf6eef064a31e24d6e47

SHA256
b7d06cd6707dba231fcf4eba1cf71b176e26dc8c876cf1e86347cad53ff04adc

SHA512
1096877cde24f65da967134b4ad8070b1fcf3c5087b870fec70338fed37c141717204a4a0028c6749282b1d14b57fdc9bf159f6d4e38e901e60e143baea6640e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\move.exe

Filesize
45KB

MD5
ede618f02098fbaedc921a4cc64f6528

SHA1
aa125a98579626b28d5edf6eef064a31e24d6e47

SHA256
b7d06cd6707dba231fcf4eba1cf71b176e26dc8c876cf1e86347cad53ff04adc

SHA512
1096877cde24f65da967134b4ad8070b1fcf3c5087b870fec70338fed37c141717204a4a0028c6749282b1d14b57fdc9bf159f6d4e38e901e60e143baea6640e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\move.exe

Filesize
45KB

MD5
ede618f02098fbaedc921a4cc64f6528

SHA1
aa125a98579626b28d5edf6eef064a31e24d6e47

SHA256
b7d06cd6707dba231fcf4eba1cf71b176e26dc8c876cf1e86347cad53ff04adc

SHA512
1096877cde24f65da967134b4ad8070b1fcf3c5087b870fec70338fed37c141717204a4a0028c6749282b1d14b57fdc9bf159f6d4e38e901e60e143baea6640e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\move.exe

Filesize
45KB

MD5
ede618f02098fbaedc921a4cc64f6528

SHA1
aa125a98579626b28d5edf6eef064a31e24d6e47

SHA256
b7d06cd6707dba231fcf4eba1cf71b176e26dc8c876cf1e86347cad53ff04adc

SHA512
1096877cde24f65da967134b4ad8070b1fcf3c5087b870fec70338fed37c141717204a4a0028c6749282b1d14b57fdc9bf159f6d4e38e901e60e143baea6640e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\move.exe

Filesize
45KB

MD5
ede618f02098fbaedc921a4cc64f6528

SHA1
aa125a98579626b28d5edf6eef064a31e24d6e47

SHA256
b7d06cd6707dba231fcf4eba1cf71b176e26dc8c876cf1e86347cad53ff04adc

SHA512
1096877cde24f65da967134b4ad8070b1fcf3c5087b870fec70338fed37c141717204a4a0028c6749282b1d14b57fdc9bf159f6d4e38e901e60e143baea6640e

Download Submit
memory/988-67-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/988-66-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/988-71-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/988-72-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1388-68-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1768-62-0x0000000001000000-0x0000000001037000-memory.dmp

Filesize
220KB

Download
memory/1768-63-0x0000000000170000-0x00000000001A7000-memory.dmp

Filesize
220KB

Download
memory/1768-64-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/1768-65-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/1768-54-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/1768-73-0x0000000001000000-0x0000000001037000-memory.dmp

Filesize
220KB

Download
memory/1768-74-0x0000000000170000-0x000000000017D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing