9f6ea5446d0c1458267f2821b7b50816b0de77065cbcff741aebab4d6922d874

General

Target

9f6ea5446d0c1458267f2821b7b50816b0de77065cbcff741aebab4d6922d874.exe
Size

277KB
MD5

922b5441bfe0e1ca82dea43422b364fd
SHA1

78cca8fee6129d2b88592178c5a092072d6f5401
SHA256

9f6ea5446d0c1458267f2821b7b50816b0de77065cbcff741aebab4d6922d874
SHA512

e308ba5a17e5f0542c8e0f972c7eccd943b9db21404067ddaa698566f721b3af48dc7bb39f2afd0c4dbdf75f16893a147260fca9664b656648e9df998d79ea08
SSDEEP

6144:WlFq4VAyuwkK9afJ8Qn0WPP1o5G9gxToJgJCY+AzBlkitfqqK8SlmIqy1GJ:WlFzVdZk+afWaQG9MToiJC1Aw0LyUJ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4056	0.exe
4352	0.exe
2264	0.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4352-139-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral2/memory/4352-143-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral2/memory/4352-145-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral2/memory/4352-152-0x0000000000400000-0x0000000000472000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9f6ea5446d0c1458267f2821b7b50816b0de77065cbcff741aebab4d6922d874.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9f6ea5446d0c1458267f2821b7b50816b0de77065cbcff741aebab4d6922d874.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4056 set thread context of 4352	4056	0.exe	84
PID 4056 set thread context of 0	4056	0.exe
PID 4352 set thread context of 2264	4352	0.exe	85

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4056	0.exe
4352	0.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 4056	4780	9f6ea5446d0c1458267f2821b7b50816b0de77065cbcff741aebab4d6922d874.exe	81
PID 4780 wrote to memory of 4056	4780	9f6ea5446d0c1458267f2821b7b50816b0de77065cbcff741aebab4d6922d874.exe	81
PID 4780 wrote to memory of 4056	4780	9f6ea5446d0c1458267f2821b7b50816b0de77065cbcff741aebab4d6922d874.exe	81
PID 4056 wrote to memory of 4352	4056	0.exe	84
PID 4056 wrote to memory of 4352	4056	0.exe	84
PID 4056 wrote to memory of 4352	4056	0.exe	84
PID 4056 wrote to memory of 4352	4056	0.exe	84
PID 4056 wrote to memory of 4352	4056	0.exe	84
PID 4056 wrote to memory of 4352	4056	0.exe	84
PID 4056 wrote to memory of 4352	4056	0.exe	84
PID 4056 wrote to memory of 4352	4056	0.exe	84
PID 4056 wrote to memory of 0	4056	0.exe
PID 4056 wrote to memory of 0	4056	0.exe
PID 4056 wrote to memory of 0	4056	0.exe
PID 4056 wrote to memory of 0	4056	0.exe
PID 4056 wrote to memory of 0	4056	0.exe
PID 4352 wrote to memory of 2264	4352	0.exe	85
PID 4352 wrote to memory of 2264	4352	0.exe	85
PID 4352 wrote to memory of 2264	4352	0.exe	85
PID 4352 wrote to memory of 2264	4352	0.exe	85
PID 4352 wrote to memory of 2264	4352	0.exe	85
PID 4352 wrote to memory of 2264	4352	0.exe	85
PID 4352 wrote to memory of 2264	4352	0.exe	85

C:\Users\Admin\AppData\Local\Temp\9f6ea5446d0c1458267f2821b7b50816b0de77065cbcff741aebab4d6922d874.exe
"C:\Users\Admin\AppData\Local\Temp\9f6ea5446d0c1458267f2821b7b50816b0de77065cbcff741aebab4d6922d874.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\0.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\0.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\0.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\0.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4352
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\0.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\0.exe"
      4⤵
      Executes dropped EXE
      PID:2264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\0.exe

Filesize
652KB

MD5
d47adacf5400fd18d235f856da9ac7cd

SHA1
337d3d98207634140ff1c7ac2084e6672bc26bc7

SHA256
f063593e8efe44f185f13d3f04d78739533fc65c846d05043dba9959577ac6f4

SHA512
c16a6ed00c9a40c0b5d5ed6683a3eedf06752fdbf057b31c72cd51ad55447b368f5483803bd9951ba002ee5c4c791bd39079f1804285f78b5ce1bf4b0207cafb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\0.exe

Filesize
652KB

MD5
d47adacf5400fd18d235f856da9ac7cd

SHA1
337d3d98207634140ff1c7ac2084e6672bc26bc7

SHA256
f063593e8efe44f185f13d3f04d78739533fc65c846d05043dba9959577ac6f4

SHA512
c16a6ed00c9a40c0b5d5ed6683a3eedf06752fdbf057b31c72cd51ad55447b368f5483803bd9951ba002ee5c4c791bd39079f1804285f78b5ce1bf4b0207cafb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\0.exe

Filesize
652KB

MD5
d47adacf5400fd18d235f856da9ac7cd

SHA1
337d3d98207634140ff1c7ac2084e6672bc26bc7

SHA256
f063593e8efe44f185f13d3f04d78739533fc65c846d05043dba9959577ac6f4

SHA512
c16a6ed00c9a40c0b5d5ed6683a3eedf06752fdbf057b31c72cd51ad55447b368f5483803bd9951ba002ee5c4c791bd39079f1804285f78b5ce1bf4b0207cafb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\0.exe

Filesize
652KB

MD5
d47adacf5400fd18d235f856da9ac7cd

SHA1
337d3d98207634140ff1c7ac2084e6672bc26bc7

SHA256
f063593e8efe44f185f13d3f04d78739533fc65c846d05043dba9959577ac6f4

SHA512
c16a6ed00c9a40c0b5d5ed6683a3eedf06752fdbf057b31c72cd51ad55447b368f5483803bd9951ba002ee5c4c791bd39079f1804285f78b5ce1bf4b0207cafb

Download Submit
memory/0-140-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2264-149-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2264-153-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/2264-154-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/4352-139-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4352-143-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4352-145-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4352-152-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4780-132-0x0000000001000000-0x0000000001061000-memory.dmp

Filesize
388KB

Download
memory/4780-144-0x0000000001000000-0x0000000001061000-memory.dmp

Filesize
388KB

Download

Analysis

Sharing