3e9d90a72fa056b8c548a4d8ec46e3b79b179f2257010fd22ad557184113dcf2

General

Target

3e9d90a72fa056b8c548a4d8ec46e3b79b179f2257010fd22ad557184113dcf2.exe
Size

548KB
MD5

07094a144c34fe256bf714e426124fd1
SHA1

63c92535832af65ff79724e25ad40777b760f80b
SHA256

3e9d90a72fa056b8c548a4d8ec46e3b79b179f2257010fd22ad557184113dcf2
SHA512

83897a30066facc4cc1bd1707569b2b5e5ee583ba6ddf11f9d26a0c77ebdae9d57d634d8dcf2443a0a4fa880ac81dba03feb9dd79f493e2ab30c0540cf52a829
SSDEEP

12288:9rzprEwtZiLF3Z4mxxuuxm1EZi9XxF9E2AGt:9JXviLQmXlw1wi9D9E2A

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3756	4.exe

Sets DLL path for service in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wvcskg\Parameters\ServiceDll = "%SystemRoot%\\System32\\wwtkvu.dll"	4.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\wvcskg\Parameters\ServiceDll = "%SystemRoot%\\System32\\wwtkvu.dll"	4.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\wvcskg\Parameters\ServiceDll = "%SystemRoot%\\System32\\wwtkvu.dll"	4.exe

Loads dropped DLL 2 IoCs

pid	Process
3756	4.exe
4216	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3e9d90a72fa056b8c548a4d8ec46e3b79b179f2257010fd22ad557184113dcf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3e9d90a72fa056b8c548a4d8ec46e3b79b179f2257010fd22ad557184113dcf2.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\0004c7cb.ini	4.exe
File created	C:\Windows\SysWOW64\wwtkvu.dll	4.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4216	svchost.exe
4216	svchost.exe
4216	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 3756	4916	3e9d90a72fa056b8c548a4d8ec46e3b79b179f2257010fd22ad557184113dcf2.exe	81
PID 4916 wrote to memory of 3756	4916	3e9d90a72fa056b8c548a4d8ec46e3b79b179f2257010fd22ad557184113dcf2.exe	81
PID 4916 wrote to memory of 3756	4916	3e9d90a72fa056b8c548a4d8ec46e3b79b179f2257010fd22ad557184113dcf2.exe	81

C:\Users\Admin\AppData\Local\Temp\3e9d90a72fa056b8c548a4d8ec46e3b79b179f2257010fd22ad557184113dcf2.exe
"C:\Users\Admin\AppData\Local\Temp\3e9d90a72fa056b8c548a4d8ec46e3b79b179f2257010fd22ad557184113dcf2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  2⤵
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:3756

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k wvcskg
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
66KB

MD5
97c5f97c0019d01a7f0a1a6a6c7f02dd

SHA1
e28c76315189afb59cf497a57995e9143a3029aa

SHA256
2a76aa986c669ea7ca813655e8d934fb3e18db65a691400aec67adfd6bae6d97

SHA512
f52e2c82c1b6504eb4fbcf13a05ed93c4d5d94f8a9b7426aa213fce5692f87a5e1ef3d2b11d730c14eef7728bc4e4dad3a3adf51aaa53d74a21e8bb25150da33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
66KB

MD5
97c5f97c0019d01a7f0a1a6a6c7f02dd

SHA1
e28c76315189afb59cf497a57995e9143a3029aa

SHA256
2a76aa986c669ea7ca813655e8d934fb3e18db65a691400aec67adfd6bae6d97

SHA512
f52e2c82c1b6504eb4fbcf13a05ed93c4d5d94f8a9b7426aa213fce5692f87a5e1ef3d2b11d730c14eef7728bc4e4dad3a3adf51aaa53d74a21e8bb25150da33

Download Submit
C:\Windows\SysWOW64\wwtkvu.dll

Filesize
93KB

MD5
a5a64851cc962bdeaab15153956d8596

SHA1
2412182e972558850254085c76da369644a617cd

SHA256
415906b2d0b2443adc11ef7ee455b649238650af218a907949b3bd205922b77b

SHA512
842b848749ecf38fd15db69117c9845280d1d24d8b5f1a9ee8f0338ca0a094f22535ebe380196cdf3317ecd954bf2eaf93e305217ce0e3089c43125c502f9cc0

Download Submit
C:\Windows\SysWOW64\wwtkvu.dll

Filesize
93KB

MD5
a5a64851cc962bdeaab15153956d8596

SHA1
2412182e972558850254085c76da369644a617cd

SHA256
415906b2d0b2443adc11ef7ee455b649238650af218a907949b3bd205922b77b

SHA512
842b848749ecf38fd15db69117c9845280d1d24d8b5f1a9ee8f0338ca0a094f22535ebe380196cdf3317ecd954bf2eaf93e305217ce0e3089c43125c502f9cc0

Download Submit
\??\c:\windows\SysWOW64\wwtkvu.dll

Filesize
93KB

MD5
a5a64851cc962bdeaab15153956d8596

SHA1
2412182e972558850254085c76da369644a617cd

SHA256
415906b2d0b2443adc11ef7ee455b649238650af218a907949b3bd205922b77b

SHA512
842b848749ecf38fd15db69117c9845280d1d24d8b5f1a9ee8f0338ca0a094f22535ebe380196cdf3317ecd954bf2eaf93e305217ce0e3089c43125c502f9cc0

Download Submit
memory/3756-133-0x0000000000000000-mapping.dmp

Download
memory/3756-136-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3756-140-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4916-132-0x0000000001000000-0x0000000001089000-memory.dmp

Filesize
548KB

Download
memory/4916-141-0x0000000001000000-0x0000000001089000-memory.dmp

Filesize
548KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads