16975eee0891f39d99601cc61d163911ae9e30aaf194c7f70c67eb02bb66a81e

General

Target

ac006a4066fd3316240b6fe107569209.exe
Size

742KB
MD5

ac006a4066fd3316240b6fe107569209
SHA1

3a9fbfe82f5d259c36104df4206926d7a0cf82ef
SHA256

16975eee0891f39d99601cc61d163911ae9e30aaf194c7f70c67eb02bb66a81e
SHA512

c43ec5ff944f350b8582ffdf2dfa4d6e79013bc79ddc8ce4cd783b24609c496d8cc8004ddfb98bc35656c8014131803d7ebb462bd05e45153f289fb13a4a2201
SSDEEP

12288:rttTYdmKnGcSacTuDC8vidkVSGdNClgYcbRA3telMHpc1WPiML9B7uH04NqK3:BtTYdpSRj8ksQHelMJc1W/pB7eNL

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Sua.exe.pif

pid process

944 Sua.exe.pif
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1800 cmd.exe

pid	process
944	Sua.exe.pif

pid	process
1800	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ac006a4066fd3316240b6fe107569209.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ac006a4066fd3316240b6fe107569209.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ac006a4066fd3316240b6fe107569209.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

388 PING.EXE
912 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Sua.exe.pif

pid process

944 Sua.exe.pif
944 Sua.exe.pif
944 Sua.exe.pif
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Sua.exe.pif

pid process

944 Sua.exe.pif
944 Sua.exe.pif
944 Sua.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Sua.exe.pif

pid process

944 Sua.exe.pif
944 Sua.exe.pif
944 Sua.exe.pif

pid	process
388	PING.EXE
912	PING.EXE

pid	process
944	Sua.exe.pif
944	Sua.exe.pif
944	Sua.exe.pif

pid	process
944	Sua.exe.pif
944	Sua.exe.pif
944	Sua.exe.pif

pid	process
944	Sua.exe.pif
944	Sua.exe.pif
944	Sua.exe.pif

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

ac006a4066fd3316240b6fe107569209.execmd.execmd.exe

description	pid	process	target process
PID 836 wrote to memory of 1040	836	ac006a4066fd3316240b6fe107569209.exe	WerFault.exe
PID 836 wrote to memory of 1040	836	ac006a4066fd3316240b6fe107569209.exe	WerFault.exe
PID 836 wrote to memory of 1040	836	ac006a4066fd3316240b6fe107569209.exe	WerFault.exe
PID 836 wrote to memory of 1040	836	ac006a4066fd3316240b6fe107569209.exe	WerFault.exe
PID 836 wrote to memory of 1664	836	ac006a4066fd3316240b6fe107569209.exe	cmd.exe
PID 836 wrote to memory of 1664	836	ac006a4066fd3316240b6fe107569209.exe	cmd.exe
PID 836 wrote to memory of 1664	836	ac006a4066fd3316240b6fe107569209.exe	cmd.exe
PID 836 wrote to memory of 1664	836	ac006a4066fd3316240b6fe107569209.exe	cmd.exe
PID 1664 wrote to memory of 1800	1664	cmd.exe	cmd.exe
PID 1664 wrote to memory of 1800	1664	cmd.exe	cmd.exe
PID 1664 wrote to memory of 1800	1664	cmd.exe	cmd.exe
PID 1664 wrote to memory of 1800	1664	cmd.exe	cmd.exe
PID 1800 wrote to memory of 1716	1800	cmd.exe	findstr.exe
PID 1800 wrote to memory of 1716	1800	cmd.exe	findstr.exe
PID 1800 wrote to memory of 1716	1800	cmd.exe	findstr.exe
PID 1800 wrote to memory of 1716	1800	cmd.exe	findstr.exe
PID 1800 wrote to memory of 944	1800	cmd.exe	Sua.exe.pif
PID 1800 wrote to memory of 944	1800	cmd.exe	Sua.exe.pif
PID 1800 wrote to memory of 944	1800	cmd.exe	Sua.exe.pif
PID 1800 wrote to memory of 944	1800	cmd.exe	Sua.exe.pif
PID 1800 wrote to memory of 388	1800	cmd.exe	PING.EXE
PID 1800 wrote to memory of 388	1800	cmd.exe	PING.EXE
PID 1800 wrote to memory of 388	1800	cmd.exe	PING.EXE
PID 1800 wrote to memory of 388	1800	cmd.exe	PING.EXE
PID 1664 wrote to memory of 912	1664	cmd.exe	PING.EXE
PID 1664 wrote to memory of 912	1664	cmd.exe	PING.EXE
PID 1664 wrote to memory of 912	1664	cmd.exe	PING.EXE
PID 1664 wrote to memory of 912	1664	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\ac006a4066fd3316240b6fe107569209.exe
"C:\Users\Admin\AppData\Local\Temp\ac006a4066fd3316240b6fe107569209.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\WerFault.exe
WerFault.exe //////
2⤵
PID:1040

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Ora.cda & ping -n 5 localhost
2⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^iUwMLwdQGUrlDeCntUResRJVqLgQgginvUHAyFyHCejmYCZZmUaizzbdkyMZNACaMFOJcwznPpAfFpWbMgdzVqtrbsgZTyUwmUMzOfEbBTalToKwoghnppvMBLjrMzFJgnPKbDJ$" Plasmare.cda
4⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sua.exe.pif
Sua.exe.pif a
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:944

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
4⤵
- Runs ping.exe
PID:388

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
3⤵
- Runs ping.exe
PID:912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bel.cda
Filesize
710KB

MD5
92fcb108844d3e7127dcc7287eb34ad9

SHA1
32fa7ab353e179415fa9bae033d9a58330e7030d

SHA256
5b95309f549121e405f8c45cafbead07348be530d756465306cc325697553946

SHA512
54d52174085bfa019bef204a4622c50467ee5c056777e162d27686922edaeba3180460458c1675b4c2f5c4b70d52842d8d35d9acdafb997c71507a844b8f49b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ora.cda
Filesize
8KB

MD5
1e556573aab916a0da587d261b72f254

SHA1
8ac14add8d4092c1bfaa21bf75f158b00f0f2d0c

SHA256
a3ad93f8f7feece6c972c7a211ecf8670641cea65eb0fa778e9564691523f22b

SHA512
d4f9294b8550c30b4f32b0635a598bd20c15958194e4570827a07b1dd2d9614e7958147338937d606a111ba1b7fdf7e14323259fecf6c4d31096881a5de926f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Plasmare.cda
Filesize
924KB

MD5
8fbc8dfd866fcbcc2ddebd5461d21dcb

SHA1
a9131b4a3bb23748f61fe01b9e361c9523951a2d

SHA256
7f1f6566d5f4cd773d1d8630a72b28df644d5c57f00746c3c542ed5db7d6f114

SHA512
fa79500c67ba2ace40cd2c925c33c1c2625a9f99fbed67b2c1806c511106526b46c154104803d13c5e9a0657cb2e785f0f2f9a9cb305d343ba09b86a4c0ac97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sua.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sua.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sua.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
memory/388-64-0x0000000000000000-mapping.dmp

Download
memory/912-66-0x0000000000000000-mapping.dmp

Download
memory/944-62-0x0000000000000000-mapping.dmp

Download
memory/944-65-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1040-54-0x0000000000000000-mapping.dmp

Download
memory/1664-55-0x0000000000000000-mapping.dmp

Download
memory/1716-58-0x0000000000000000-mapping.dmp

Download
memory/1800-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing