6fd05fb1f26131b5044c2f7661d03bda216f6a8bc88e79dd7a05c53d4b11ce7b

General

Target

3889e19fd1adcb8cbe1a130da861d9f0.exe
Size

2.1MB
MD5

3889e19fd1adcb8cbe1a130da861d9f0
SHA1

f716507d681077b423bcaf1e05648c687a516622
SHA256

6fd05fb1f26131b5044c2f7661d03bda216f6a8bc88e79dd7a05c53d4b11ce7b
SHA512

dd3763d42956ae4e4cdcf44f33fd849a8b552eff677cc55d299db403b7b4c47e4f347662fd551c5eb465cc726d29ccf97d896be7b9c0a31ce99d8ce7a399ccbe
SSDEEP

49152:+B/WNlgDzPdPfR5bMasvDLwOzda+WA94Sw7jm4m:lr2zPhZvsvXwq+0w7xm

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

conhost.exe

pid process

1964 conhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3889e19fd1adcb8cbe1a130da861d9f0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3889e19fd1adcb8cbe1a130da861d9f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3889e19fd1adcb8cbe1a130da861d9f0.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

conhost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	conhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	conhost.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

conhost.exe

pid	process
1964	conhost.exe
1964	conhost.exe
1964	conhost.exe
1964	conhost.exe
1964	conhost.exe
1964	conhost.exe
1964	conhost.exe
1964	conhost.exe
1964	conhost.exe
1964	conhost.exe
1964	conhost.exe
1964	conhost.exe
1964	conhost.exe
1964	conhost.exe
1964	conhost.exe
1964	conhost.exe
1964	conhost.exe
1964	conhost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3889e19fd1adcb8cbe1a130da861d9f0.execmd.exe

description	pid	process	target process
PID 3336 wrote to memory of 4048	3336	3889e19fd1adcb8cbe1a130da861d9f0.exe	cmd.exe
PID 3336 wrote to memory of 4048	3336	3889e19fd1adcb8cbe1a130da861d9f0.exe	cmd.exe
PID 3336 wrote to memory of 4048	3336	3889e19fd1adcb8cbe1a130da861d9f0.exe	cmd.exe
PID 4048 wrote to memory of 1964	4048	cmd.exe	conhost.exe
PID 4048 wrote to memory of 1964	4048	cmd.exe	conhost.exe
PID 4048 wrote to memory of 1964	4048	cmd.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\3889e19fd1adcb8cbe1a130da861d9f0.exe
"C:\Users\Admin\AppData\Local\Temp\3889e19fd1adcb8cbe1a130da861d9f0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3336

C:\Windows\SysWOW64\cmd.exe
cmd.exe /d /c bxpqbet.bat 32511383
2⤵
- Suspicious use of WriteProcessMemory
PID:4048

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\conhost.exe
conhost.exe lprpjaghgx.dat 32511383
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bxpqbet.bat

Filesize
110B

MD5
c235cd89516b680851c4575863763c1d

SHA1
bdccf586e9a8eebeaad55ee261e90aabe7bb4398

SHA256
b796586fa7ea9bfd372b00241f717f5a712352b9f2bd92cf98aeef83a22b7b03

SHA512
487342273d71e8f46c9166496f076cf0066e18955124b5628fac1a10e8e4705f5e84282b4a14c6224e0b39325e359e5060127a8c0ee4daee7b6a81a4da46818a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\conhost.exe

Filesize
5.2MB

MD5
11f0b4e17e686cdc46f85a6becede4a8

SHA1
2826f7ac33b43439ecddd08ad541a7f54a9eb7c0

SHA256
6a6ce9cbc42560a1d0ed9c04dcdcb84127f0c2e90d4850fd0e3003b31549795c

SHA512
11a321cc6685f854544a5228ae27cf311cf7ccc534be5255b4a6e6976c3d3c6ebe9d0873f8af0ad409d7893ea616754ebbf917e561d84bc22e81e030af4d084f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\conhost.exe

Filesize
5.2MB

MD5
11f0b4e17e686cdc46f85a6becede4a8

SHA1
2826f7ac33b43439ecddd08ad541a7f54a9eb7c0

SHA256
6a6ce9cbc42560a1d0ed9c04dcdcb84127f0c2e90d4850fd0e3003b31549795c

SHA512
11a321cc6685f854544a5228ae27cf311cf7ccc534be5255b4a6e6976c3d3c6ebe9d0873f8af0ad409d7893ea616754ebbf917e561d84bc22e81e030af4d084f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\epbxkgou.dat

Filesize
1B

MD5
69691c7bdcc3ce6d5d8a1361f22d04ac

SHA1
c63ae6dd4fc9f9dda66970e827d13f7c73fe841c

SHA256
08f271887ce94707da822d5263bae19d5519cb3614e0daedc4c7ce5dab7473f1

SHA512
253405e03b91441a6dd354a9b72e040068b1bfe10e83eb1a64a086c05525d8ccae2bf09130c624af50d55c3522a4fbb7c18cfc8dd843e5f4801d9ad2b5164b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\epbxkgou.dat.1

Filesize
2B

MD5
873e009ecf0ccec19b3570baf5e70305

SHA1
d68e129e2ac27d06de80d1b16c1c4c4f589523f1

SHA256
ccc8d02c8169fdaeaaa52f9c74dfa3e1238ac5d0e89bc35223d423517f8e2b2d

SHA512
4e483d49046751b02d209650cd1d82df15a3a99a41036c60fb4a1318df61fb7b51236442e5ad1e3116249737721e9aa6717becba1b2ef1ddc4fece5fca756f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\epbxkgou.dat.2

Filesize
5.2MB

MD5
c1b908120dc2103e5344f7330af045bb

SHA1
1c448c68381befdbb4b508ffff7386a633688b0e

SHA256
f63cfd403de2662658a0287922f869829c6f4f3619f054326c081cf68fc973fe

SHA512
d90a17fe671dc68523f6dcfbe688a0b7bba58c0f35ab0e47b08bc11375e35c8bd0e371b9027dbe134059b9a3035a8c0464912d57d8ab1c77afc1649ded9f7a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lprpjaghgx.dat

Filesize
364KB

MD5
02bea6f81fed98b5e4c86cd48f079efe

SHA1
77061a6da594b99e2f77684e633fb8957f55d95d

SHA256
25eacf1cc1d653e1e8e00e2a43c48e40936c4e7bce83a8dbaf2cefe3fca6eacd

SHA512
2b96fa7cbb97e0cfb8ca669dc80f58fca4053b05c3bb147c0c2ccd1f4335d2311d06595c1e8aaa014a69576d662ad9f0cf14ff96b2316daa749e431c278e8482

Download Submit
memory/1964-137-0x0000000000000000-mapping.dmp

Download
memory/4048-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads