7739807e862854d6124a59580aec7c81374fecd866333b66d5e893084d6cdb3b

General

Target

7739807e862854d6124a59580aec7c81374fecd866333b66d5e893084d6cdb3b.exe
Size

2.8MB
MD5

e7aa116cd5e4659d3c20410e2358ad15
SHA1

20236b92654ee6210550953e67d65ae2760a3a3f
SHA256

7739807e862854d6124a59580aec7c81374fecd866333b66d5e893084d6cdb3b
SHA512

8ab1adfbe98e81eec68d548d519789c1545ea34e72eb22169ddf7467f54586a22ead9ed19bf4e04875d5355c66ecc8d2594767605d9ef20f5f172868fd0f8205
SSDEEP

49152:hNuL2MbupkadC+Xm0qfv2zxGp/aeYXfkHKci1hOO7YaALAz4qacCH:02MbVatXmcS/XYXAK11sOKAz4Z

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Server1.exeSECURI~1.EXESECURI~1.tmp

pid process

4400 Server1.exe
1680 SECURI~1.EXE
4620 SECURI~1.tmp

pid	process
4400	Server1.exe
1680	SECURI~1.EXE
4620	SECURI~1.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7739807e862854d6124a59580aec7c81374fecd866333b66d5e893084d6cdb3b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	7739807e862854d6124a59580aec7c81374fecd866333b66d5e893084d6cdb3b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7739807e862854d6124a59580aec7c81374fecd866333b66d5e893084d6cdb3b.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

dw20.exe

description	pid	process
Token: SeRestorePrivilege	5112	dw20.exe
Token: SeBackupPrivilege	5112	dw20.exe
Token: SeBackupPrivilege	5112	dw20.exe
Token: SeBackupPrivilege	5112	dw20.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7739807e862854d6124a59580aec7c81374fecd866333b66d5e893084d6cdb3b.exeServer1.exeSECURI~1.EXE

description	pid	process	target process
PID 4444 wrote to memory of 4400	4444	7739807e862854d6124a59580aec7c81374fecd866333b66d5e893084d6cdb3b.exe	Server1.exe
PID 4444 wrote to memory of 4400	4444	7739807e862854d6124a59580aec7c81374fecd866333b66d5e893084d6cdb3b.exe	Server1.exe
PID 4444 wrote to memory of 4400	4444	7739807e862854d6124a59580aec7c81374fecd866333b66d5e893084d6cdb3b.exe	Server1.exe
PID 4400 wrote to memory of 5112	4400	Server1.exe	dw20.exe
PID 4400 wrote to memory of 5112	4400	Server1.exe	dw20.exe
PID 4400 wrote to memory of 5112	4400	Server1.exe	dw20.exe
PID 4444 wrote to memory of 1680	4444	7739807e862854d6124a59580aec7c81374fecd866333b66d5e893084d6cdb3b.exe	SECURI~1.EXE
PID 4444 wrote to memory of 1680	4444	7739807e862854d6124a59580aec7c81374fecd866333b66d5e893084d6cdb3b.exe	SECURI~1.EXE
PID 4444 wrote to memory of 1680	4444	7739807e862854d6124a59580aec7c81374fecd866333b66d5e893084d6cdb3b.exe	SECURI~1.EXE
PID 1680 wrote to memory of 4620	1680	SECURI~1.EXE	SECURI~1.tmp
PID 1680 wrote to memory of 4620	1680	SECURI~1.EXE	SECURI~1.tmp
PID 1680 wrote to memory of 4620	1680	SECURI~1.EXE	SECURI~1.tmp

C:\Users\Admin\AppData\Local\Temp\7739807e862854d6124a59580aec7c81374fecd866333b66d5e893084d6cdb3b.exe
"C:\Users\Admin\AppData\Local\Temp\7739807e862854d6124a59580aec7c81374fecd866333b66d5e893084d6cdb3b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4444

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server1.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server1.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 840
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SECURI~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SECURI~1.EXE
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680

C:\Users\Admin\AppData\Local\Temp\is-CSHS6.tmp\SECURI~1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CSHS6.tmp\SECURI~1.tmp" /SL5="$5002E,2459599,54272,C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SECURI~1.EXE"
3⤵
- Executes dropped EXE
PID:4620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SECURI~1.EXE

Filesize
2.6MB

MD5
a1cafa9d4449940bf8728dad275d7cc5

SHA1
06e1e4684c34ccdffd176ab92db884a113a94a39

SHA256
02006d58fe618e3c54175a4347511d737d762872c3d6a1c538396128939092e4

SHA512
cc89250543491f2bda2e0832fd759c5285ab937509159410d4b9d8ce28022fb120975be80310cb0813df0be61f20d88e16e4f21777e0ba53cf5477ddcfad9667

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SECURI~1.EXE

Filesize
2.6MB

MD5
a1cafa9d4449940bf8728dad275d7cc5

SHA1
06e1e4684c34ccdffd176ab92db884a113a94a39

SHA256
02006d58fe618e3c54175a4347511d737d762872c3d6a1c538396128939092e4

SHA512
cc89250543491f2bda2e0832fd759c5285ab937509159410d4b9d8ce28022fb120975be80310cb0813df0be61f20d88e16e4f21777e0ba53cf5477ddcfad9667

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server1.exe

Filesize
120KB

MD5
16afe1553f88b84f67d1fff0890a7b69

SHA1
09c6f2628f0944b45a501c8a466c889f7122075d

SHA256
8a707937eb1fc6342f70cea85b5e4572efa2f945c898dfc2bc80a85442824dd9

SHA512
cead80448475f8cfdcc3587cbed109ee4d06caafec80a5d9e5cf7da1c2dd003b9aa8a0a1fbfa3a291b00c0a8e1341fbb4e663f245aa03dee4cf94802d2a31e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server1.exe

Filesize
120KB

MD5
16afe1553f88b84f67d1fff0890a7b69

SHA1
09c6f2628f0944b45a501c8a466c889f7122075d

SHA256
8a707937eb1fc6342f70cea85b5e4572efa2f945c898dfc2bc80a85442824dd9

SHA512
cead80448475f8cfdcc3587cbed109ee4d06caafec80a5d9e5cf7da1c2dd003b9aa8a0a1fbfa3a291b00c0a8e1341fbb4e663f245aa03dee4cf94802d2a31e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CSHS6.tmp\SECURI~1.tmp

Filesize
695KB

MD5
620f32e56b46e90e8aee43febc59f6e3

SHA1
d5edd63dd1390a1420b85f746e12a66625ae9354

SHA256
bcc9d63213012bf25a37f48015e5f755d359f3b08d05d35319b03b4a72710730

SHA512
8a9d2a2eb3891265cec379978399ad6c9b4bf3e12e0f381946b4390621b943b97fa04fbb87ad628652bd765b706eb2ff56001f24de24e9bcc487a59ca2f07d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CSHS6.tmp\SECURI~1.tmp

Filesize
695KB

MD5
620f32e56b46e90e8aee43febc59f6e3

SHA1
d5edd63dd1390a1420b85f746e12a66625ae9354

SHA256
bcc9d63213012bf25a37f48015e5f755d359f3b08d05d35319b03b4a72710730

SHA512
8a9d2a2eb3891265cec379978399ad6c9b4bf3e12e0f381946b4390621b943b97fa04fbb87ad628652bd765b706eb2ff56001f24de24e9bcc487a59ca2f07d9c

Download Submit
memory/1680-141-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1680-138-0x0000000000000000-mapping.dmp

Download
memory/1680-146-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1680-147-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4400-137-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download
memory/4400-132-0x0000000000000000-mapping.dmp

Download
memory/4400-135-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download
memory/4620-143-0x0000000000000000-mapping.dmp

Download
memory/5112-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads