c6917fdef434526178ff8007cbf4545c96db6a41987cb2c74590778e37716bff

General

Target

c6917fdef434526178ff8007cbf4545c96db6a41987cb2c74590778e37716bff.exe
Size

412.4MB
MD5

d70c7c364098ca54e7582e3f27d989ce
SHA1

e8735b1382cb6f8880a09716dfd79262735b8b69
SHA256

c6917fdef434526178ff8007cbf4545c96db6a41987cb2c74590778e37716bff
SHA512

8b34d9b1a3cc9cd06dcdc2120d8c960a2ad209c5eaf5772b371eb35588342854ea344eff222680c2ad570be15419fda27943b9bad8c22092b30ea80c4156f648
SSDEEP

98304:qDsqmfeoT5qEM+1+LofOz7VNBLghT2tNcTWTQbictE:X5GoVasEofyrRsEEWTQ3tE

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c6917fdef434526178ff8007cbf4545c96db6a41987cb2c74590778e37716bff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c6917fdef434526178ff8007cbf4545c96db6a41987cb2c74590778e37716bff.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
956	tasklist.exe
272	tasklist.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1092	PING.EXE
1328	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	956	tasklist.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 1764	1240	c6917fdef434526178ff8007cbf4545c96db6a41987cb2c74590778e37716bff.exe	26
PID 1240 wrote to memory of 1764	1240	c6917fdef434526178ff8007cbf4545c96db6a41987cb2c74590778e37716bff.exe	26
PID 1240 wrote to memory of 1764	1240	c6917fdef434526178ff8007cbf4545c96db6a41987cb2c74590778e37716bff.exe	26
PID 1240 wrote to memory of 1764	1240	c6917fdef434526178ff8007cbf4545c96db6a41987cb2c74590778e37716bff.exe	26
PID 1240 wrote to memory of 2040	1240	c6917fdef434526178ff8007cbf4545c96db6a41987cb2c74590778e37716bff.exe	32
PID 1240 wrote to memory of 2040	1240	c6917fdef434526178ff8007cbf4545c96db6a41987cb2c74590778e37716bff.exe	32
PID 1240 wrote to memory of 2040	1240	c6917fdef434526178ff8007cbf4545c96db6a41987cb2c74590778e37716bff.exe	32
PID 1240 wrote to memory of 2040	1240	c6917fdef434526178ff8007cbf4545c96db6a41987cb2c74590778e37716bff.exe	32
PID 2040 wrote to memory of 1756	2040	cmd.exe	28
PID 2040 wrote to memory of 1756	2040	cmd.exe	28
PID 2040 wrote to memory of 1756	2040	cmd.exe	28
PID 2040 wrote to memory of 1756	2040	cmd.exe	28
PID 1756 wrote to memory of 956	1756	cmd.exe	30
PID 1756 wrote to memory of 956	1756	cmd.exe	30
PID 1756 wrote to memory of 956	1756	cmd.exe	30
PID 1756 wrote to memory of 956	1756	cmd.exe	30
PID 1756 wrote to memory of 2012	1756	cmd.exe	29
PID 1756 wrote to memory of 2012	1756	cmd.exe	29
PID 1756 wrote to memory of 2012	1756	cmd.exe	29
PID 1756 wrote to memory of 2012	1756	cmd.exe	29

C:\Users\Admin\AppData\Local\Temp\c6917fdef434526178ff8007cbf4545c96db6a41987cb2c74590778e37716bff.exe
"C:\Users\Admin\AppData\Local\Temp\c6917fdef434526178ff8007cbf4545c96db6a41987cb2c74590778e37716bff.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\SysWOW64\dllhost.exe
  dllhost vfrfgh ningggfdee
  2⤵
  PID:1764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Fox.wks & ping -n 5 localhost
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 localhost
    3⤵
    - Runs ping.exe
    PID:1328

C:\Windows\SysWOW64\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\SysWOW64\find.exe
  find /I /N "avastui.exe"
  2⤵
  PID:2012
- C:\Windows\SysWOW64\tasklist.exe
  tasklist /FI "imagename eq AvastUI.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:956
- C:\Windows\SysWOW64\PING.EXE
  ping localhost -n 5
  2⤵
  - Runs ping.exe
  PID:1092
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cunt.exe.pif
  Cunt.exe.pif t
  2⤵
  PID:1504
- C:\Windows\SysWOW64\findstr.exe
  findstr /V /R "^xogwVTG$" Karma.wks
  2⤵
  PID:1552
- C:\Windows\SysWOW64\find.exe
  find /I /N "avgui.exe"
  2⤵
  PID:1104
- C:\Windows\SysWOW64\tasklist.exe
  tasklist /FI "imagename eq AVGUI.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Process Discovery

1

T1057

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cunt.exe.pif

Filesize
180KB

MD5
fb63eb5d7bf336cbdaaa9750fcf0bce1

SHA1
3518ad0408bba3a7e1f747776e000de133ad4946

SHA256
23bd0a944dbefcb9cdfdb5a14aad077e1cb2534d7af236ecc98bd113498f7877

SHA512
6cb35bfe6efc4a4a03f7ba8b9ecc41c6ada28e5e53d51d1e465fb33e3336eb6a9dd0b065c48d714d785accada608567fdd6fc264bc9c5611a671e6a181ff53d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cunt.exe.pif

Filesize
59KB

MD5
4c774e94ece198c475b7369efcb1c4c2

SHA1
4152bda9bf021df3a5c25f31ccdf4007e98825c8

SHA256
ba776f53a66f0d4ad7a8a6ee8ef10a1083cc6cabd88668043c0f5d44742b0f97

SHA512
4980a28f28217a0083c2ecdde7fda77b6af1f88cf090ac72698279dda6e2381710e5b84bb1c3786e420dc30b6ac0d84071bfafcc7abd0cb82d28bfabe3550657

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fox.wks

Filesize
10KB

MD5
c39714e32d3c98a8a2afd420d527095d

SHA1
5b924df4bb3614a9f1358b8ed0e818277acaccea

SHA256
f2f514c76e7c8411d37ea79c7be6d0dd4024a9ac83e3a5d59acb6480b2a13573

SHA512
df0f89acb6535c144308ff78322416441d2f3f8b83840f4edce3348481ee94402e9b4cb0d7753c0b46db1c0a7f4305539860a2d75c6a54bacb70d53baa2c4b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\I.wks

Filesize
155KB

MD5
d68df09b9da4055363eb38cfab34cdb0

SHA1
d7f49793f30fea0d5784fa40cdba829b29d21bba

SHA256
51f6ab70adeb2cc19a97c4c7b9c613e3ea14743e960f66279ee1cdd5986bac49

SHA512
d93c911111d93d9feb3629016a91a68c218df690aec7e604d60413b99aba3bef04ef9536a2a143450faf01930677a267fafd07a72495f8b019e1d1f273a3c6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Karma.wks

Filesize
268KB

MD5
0cf1945009fc22975237cf38482963fb

SHA1
09ae27cdf7ee8adfbb9d55133e6e8b4429e416ce

SHA256
ef72ac0a81ee45883a28ddb221bfdee29cdd62a577e83a54d80501413ae3d5ff

SHA512
032b6b4adc1f1b15898ac767e5d697860b3a6f0d4340e68511452b81865dc38b8702671ae4b4c157a22efb0ec2b40b6086ad0e4944ad0f3510470a9579e2cbeb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cunt.exe.pif

Filesize
181KB

MD5
2688c8b3ca571559dacab15f822e40a7

SHA1
5fb0f38d2452021968664546acc02d72f6636e33

SHA256
b7f68361ec46cf1839a6d7c9c72600fb06ee2318634537ebf2f565fa08cb475b

SHA512
c26b4e4a861f6fe3845e2997e4e0b82e30120babfa9aaad3c4a0b8f9134d781c032c83c8350f351ec93e51dcbe96b8af09ee071d0c8d24a07dcb4f86d8c19a24

Download Submit
memory/1504-69-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing