d11c63f12ba811ef1c9b2e644dc6cb3acb095be07778ea6d32796dca95b9039d

General

Target

d11c63f12ba811ef1c9b2e644dc6cb3acb095be07778ea6d32796dca95b9039d.exe
Size

281KB
MD5

0b2acc83bd445e0677b07dbea14b2dc6
SHA1

0d9937122e3809fecd3d57b065490f6b0d5ba255
SHA256

d11c63f12ba811ef1c9b2e644dc6cb3acb095be07778ea6d32796dca95b9039d
SHA512

2c4eecb45422ef1999bc4f01719e90b8572ace3a486813a7dc876e502a7b7249dac717e51a188133acb6fc5804f2fefdeb572f0aace50369e1fd1cce57721cd2
SSDEEP

6144:uW2+8gSak3mOnfgljXDbmYnG9uwHUtZOpMcEnxXMM9cT:wak2aglDDC97McEqsk

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
112	¸´¼þ1~1.EXE
944	26407.exe

Loads dropped DLL 2 IoCs

pid	Process
1676	d11c63f12ba811ef1c9b2e644dc6cb3acb095be07778ea6d32796dca95b9039d.exe
1676	d11c63f12ba811ef1c9b2e644dc6cb3acb095be07778ea6d32796dca95b9039d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d11c63f12ba811ef1c9b2e644dc6cb3acb095be07778ea6d32796dca95b9039d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d11c63f12ba811ef1c9b2e644dc6cb3acb095be07778ea6d32796dca95b9039d.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\smess.dll	26407.exe
File opened for modification	C:\Windows\SysWOW64\smess.dll	26407.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\26407.exe	¸´¼þ1~1.EXE
File created	C:\Windows\killme.bat	¸´¼þ1~1.EXE

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE
112	¸´¼þ1~1.EXE

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeBackupPrivilege	944	26407.exe
Token: SeRestorePrivilege	944	26407.exe
Token: SeRestorePrivilege	944	26407.exe
Token: SeRestorePrivilege	944	26407.exe
Token: SeRestorePrivilege	944	26407.exe
Token: SeRestorePrivilege	944	26407.exe
Token: SeBackupPrivilege	944	26407.exe
Token: SeRestorePrivilege	944	26407.exe
Token: SeRestorePrivilege	944	26407.exe
Token: SeRestorePrivilege	944	26407.exe
Token: SeRestorePrivilege	944	26407.exe
Token: SeRestorePrivilege	944	26407.exe
Token: SeBackupPrivilege	944	26407.exe
Token: SeRestorePrivilege	944	26407.exe
Token: SeRestorePrivilege	944	26407.exe
Token: SeRestorePrivilege	944	26407.exe
Token: SeRestorePrivilege	944	26407.exe
Token: SeRestorePrivilege	944	26407.exe
Token: SeBackupPrivilege	944	26407.exe
Token: SeRestorePrivilege	944	26407.exe
Token: SeRestorePrivilege	944	26407.exe
Token: SeRestorePrivilege	944	26407.exe
Token: SeRestorePrivilege	944	26407.exe
Token: SeRestorePrivilege	944	26407.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
112	¸´¼þ1~1.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 112	1676	d11c63f12ba811ef1c9b2e644dc6cb3acb095be07778ea6d32796dca95b9039d.exe	21
PID 1676 wrote to memory of 112	1676	d11c63f12ba811ef1c9b2e644dc6cb3acb095be07778ea6d32796dca95b9039d.exe	21
PID 1676 wrote to memory of 112	1676	d11c63f12ba811ef1c9b2e644dc6cb3acb095be07778ea6d32796dca95b9039d.exe	21
PID 1676 wrote to memory of 112	1676	d11c63f12ba811ef1c9b2e644dc6cb3acb095be07778ea6d32796dca95b9039d.exe	21
PID 112 wrote to memory of 944	112	¸´¼þ1~1.EXE	29
PID 112 wrote to memory of 944	112	¸´¼þ1~1.EXE	29
PID 112 wrote to memory of 944	112	¸´¼þ1~1.EXE	29
PID 112 wrote to memory of 944	112	¸´¼þ1~1.EXE	29
PID 112 wrote to memory of 2044	112	¸´¼þ1~1.EXE	30
PID 112 wrote to memory of 2044	112	¸´¼þ1~1.EXE	30
PID 112 wrote to memory of 2044	112	¸´¼þ1~1.EXE	30
PID 112 wrote to memory of 2044	112	¸´¼þ1~1.EXE	30
PID 944 wrote to memory of 1144	944	26407.exe	34
PID 944 wrote to memory of 1144	944	26407.exe	34
PID 944 wrote to memory of 1144	944	26407.exe	34
PID 944 wrote to memory of 1144	944	26407.exe	34

C:\Users\Admin\AppData\Local\Temp\d11c63f12ba811ef1c9b2e644dc6cb3acb095be07778ea6d32796dca95b9039d.exe
"C:\Users\Admin\AppData\Local\Temp\d11c63f12ba811ef1c9b2e644dc6cb3acb095be07778ea6d32796dca95b9039d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\¸´¼þ1~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\¸´¼þ1~1.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Windows\26407.exe
    C:\Windows\26407.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c del C:\Windows\26407.exe
      4⤵
      PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\killme.bat
    3⤵
    PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\¸´¼þ1~1.EXE

Filesize
42KB

MD5
f9608965dbd0d9fe74082f243aa5780e

SHA1
e83ee5c81c8794274a86b73f88978073e0c3e59c

SHA256
abe950580943acfb4f15892ff0d8ec282a00214e13aaed122cd3a87fc9272ee6

SHA512
19420b9a4e15595488096d06ce9fe52ac2de98fd0859f10f302db71d8752d6063e5cbea13633b409d94da9c121d4bc3e4289db27f19134aa8d7da313dc08910e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\¸´¼þ1~1.exe

Filesize
25KB

MD5
adf38e3ca2348519eb4e72f580fb102c

SHA1
d16daec9d18ed1d542cea899f0bd516de8557418

SHA256
0204dad069416a89ce2f5549a8868693feba1c897d8b02e5a6cc2e2d4c582c9b

SHA512
9d68c58af8fda3dbd2ef1ad4606956dcdf27934cad6cede4e52e119aeb09a32e2cf5f7ffa2e5d7db32cd497f0d64b4c91c89122f5bf7ad2adf0d0933ac5ca24a

Download Submit
C:\Windows\26407.exe

Filesize
37KB

MD5
41ecb77e0f20f261ad9f9050fa0565c4

SHA1
d590c410a699020b496d93dee753d176b277b194

SHA256
7177caaba7162bbf235e9f5ade9a1c51e8493cbbfc273ca80efb43850de25d3b

SHA512
6983c4d81edea018ae37d2717a8b2d5073147ce96299cffd83919a6fbbe40815973a955c0f134818ebe8a38c7024f005bd97c80556ded26f5a013ab341a4405e

Download Submit
C:\Windows\26407.exe

Filesize
46KB

MD5
f6575523863275017ce1dcf69dc5e9c3

SHA1
c7394bb8fabb59a82fec277bbf080cb9c093f1bb

SHA256
a6b4d588543ff60c901b484b6f8ff606d9e2b1a0f82bcb7fcdca1de7b0aeabbb

SHA512
95f978d32dc07e55d2ee8bae76ddb046f0a7ae4cacc69de94c0feac32357eaacba2dd307952e63535c06c710caef5871bd70f985fd3673d830de953fd323c631

Download Submit
C:\Windows\killme.bat

Filesize
115B

MD5
bfb203332d48031b5ac75a07ca5e95e0

SHA1
e1eeae4a0c728763c3ee0f5929a35f65d13785c9

SHA256
c3bf0f19dbd912fb49603072ad7ee51317215c74376b8470fefdf70c11786d4d

SHA512
7e39a05fdf1425e15febdef47529ced477bb9f07d4ea581cf47a50adda9751deeba3272ffd976f71a18e32fa281942b7dc1c813921375646a5c336b3bafb296e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\¸´¼þ1~1.EXE

Filesize
58KB

MD5
0bfa3b14f098bbbb8957868cc9e45343

SHA1
ba8b52efa3b5618e6ab412171e848555d4014df7

SHA256
73e10759ecfe299f706ad2328b9dbc801bd3c5bd5019ee3af769d62efc0db4c7

SHA512
9d3cbf9ea8b64611f2de7f38f55511566b67d20e6350dbf222de9c1dbba1bbc07aae9272ae1921852e14e333dc13ad46c02c3c3e4f59f49f29e37bb39b83d89d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\¸´¼þ1~1.EXE

Filesize
45KB

MD5
388f84ff8c28d289b87e1bd61a45f76a

SHA1
6ccbdf53c999ab757228b616977615b200360e54

SHA256
3b9c49ae18468144b29186f07de7d1d49f3fa793c06cf1a0c80c12ce2a40ace8

SHA512
e58ee3f98b64d82baea1b29f58aa1510e4bfb827c575165bf18ac96663abfe0d87b33c51fbcbdcdf297bc6a6d4c082858179092fad3d3f803177f9420164bbd5

Download Submit
memory/112-63-0x0000000000400000-0x000000000040BBA5-memory.dmp

Filesize
46KB

Download
memory/112-67-0x0000000000400000-0x000000000040BBA5-memory.dmp

Filesize
46KB

Download
memory/944-69-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/944-71-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1676-62-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1676-61-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing