a4ec43ad30c758d0a1737edcedd29934a442e0dc8b5ff95cb593b150becfad82

General

Target

a4ec43ad30c758d0a1737edcedd29934a442e0dc8b5ff95cb593b150becfad82.exe
Size

1.1MB
MD5

714fec58517cf8ec758106f9e92cb4cd
SHA1

b1b03ba2dd2f94ce07b055854687fe5853324309
SHA256

a4ec43ad30c758d0a1737edcedd29934a442e0dc8b5ff95cb593b150becfad82
SHA512

7eba6963e166e92992208587e11f20992f6166101708dee47282e405a393002266e098f6e7d2aade9c5edd6887c8192bf4eac3f5f797134beef334c81f459c3a
SSDEEP

24576:2mQcUXo8ZwC+trY/dESAMtsYW3z6Hgc5OD+3zF3yiRFUh93AFI/eKwUoWHw:xw7vQrYVftPDOD8zg8Fw3iI/eRWQ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1732	Install.exe

Loads dropped DLL 4 IoCs

pid	Process
1080	a4ec43ad30c758d0a1737edcedd29934a442e0dc8b5ff95cb593b150becfad82.exe
1732	Install.exe
1732	Install.exe
1732	Install.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a4ec43ad30c758d0a1737edcedd29934a442e0dc8b5ff95cb593b150becfad82.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a4ec43ad30c758d0a1737edcedd29934a442e0dc8b5ff95cb593b150becfad82.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 1732	1080	a4ec43ad30c758d0a1737edcedd29934a442e0dc8b5ff95cb593b150becfad82.exe	28
PID 1080 wrote to memory of 1732	1080	a4ec43ad30c758d0a1737edcedd29934a442e0dc8b5ff95cb593b150becfad82.exe	28
PID 1080 wrote to memory of 1732	1080	a4ec43ad30c758d0a1737edcedd29934a442e0dc8b5ff95cb593b150becfad82.exe	28
PID 1080 wrote to memory of 1732	1080	a4ec43ad30c758d0a1737edcedd29934a442e0dc8b5ff95cb593b150becfad82.exe	28
PID 1080 wrote to memory of 1732	1080	a4ec43ad30c758d0a1737edcedd29934a442e0dc8b5ff95cb593b150becfad82.exe	28
PID 1080 wrote to memory of 1732	1080	a4ec43ad30c758d0a1737edcedd29934a442e0dc8b5ff95cb593b150becfad82.exe	28
PID 1080 wrote to memory of 1732	1080	a4ec43ad30c758d0a1737edcedd29934a442e0dc8b5ff95cb593b150becfad82.exe	28

C:\Users\Admin\AppData\Local\Temp\a4ec43ad30c758d0a1737edcedd29934a442e0dc8b5ff95cb593b150becfad82.exe
"C:\Users\Admin\AppData\Local\Temp\a4ec43ad30c758d0a1737edcedd29934a442e0dc8b5ff95cb593b150becfad82.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

Filesize
144KB

MD5
b2dbe169afe0e6060a4b85a9813a6f23

SHA1
9a3ba3bb20bc3a240d4e1bd1c0758c4f50001b6f

SHA256
539a1d4bd44fb87e6a1b78393206e923b33b7f6e4df6dc5a2be93757de8f119b

SHA512
a291c86342d2f44e6bd8113f849ce1773e53f130c47f75b67f298e19d178d31b01a0f75e02a615cd639d261c44e55aa54778769d38ffc59f0086352c6f648116

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

Filesize
144KB

MD5
b2dbe169afe0e6060a4b85a9813a6f23

SHA1
9a3ba3bb20bc3a240d4e1bd1c0758c4f50001b6f

SHA256
539a1d4bd44fb87e6a1b78393206e923b33b7f6e4df6dc5a2be93757de8f119b

SHA512
a291c86342d2f44e6bd8113f849ce1773e53f130c47f75b67f298e19d178d31b01a0f75e02a615cd639d261c44e55aa54778769d38ffc59f0086352c6f648116

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

Filesize
144KB

MD5
b2dbe169afe0e6060a4b85a9813a6f23

SHA1
9a3ba3bb20bc3a240d4e1bd1c0758c4f50001b6f

SHA256
539a1d4bd44fb87e6a1b78393206e923b33b7f6e4df6dc5a2be93757de8f119b

SHA512
a291c86342d2f44e6bd8113f849ce1773e53f130c47f75b67f298e19d178d31b01a0f75e02a615cd639d261c44e55aa54778769d38ffc59f0086352c6f648116

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

Filesize
144KB

MD5
b2dbe169afe0e6060a4b85a9813a6f23

SHA1
9a3ba3bb20bc3a240d4e1bd1c0758c4f50001b6f

SHA256
539a1d4bd44fb87e6a1b78393206e923b33b7f6e4df6dc5a2be93757de8f119b

SHA512
a291c86342d2f44e6bd8113f849ce1773e53f130c47f75b67f298e19d178d31b01a0f75e02a615cd639d261c44e55aa54778769d38ffc59f0086352c6f648116

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

Filesize
144KB

MD5
b2dbe169afe0e6060a4b85a9813a6f23

SHA1
9a3ba3bb20bc3a240d4e1bd1c0758c4f50001b6f

SHA256
539a1d4bd44fb87e6a1b78393206e923b33b7f6e4df6dc5a2be93757de8f119b

SHA512
a291c86342d2f44e6bd8113f849ce1773e53f130c47f75b67f298e19d178d31b01a0f75e02a615cd639d261c44e55aa54778769d38ffc59f0086352c6f648116

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

Filesize
144KB

MD5
b2dbe169afe0e6060a4b85a9813a6f23

SHA1
9a3ba3bb20bc3a240d4e1bd1c0758c4f50001b6f

SHA256
539a1d4bd44fb87e6a1b78393206e923b33b7f6e4df6dc5a2be93757de8f119b

SHA512
a291c86342d2f44e6bd8113f849ce1773e53f130c47f75b67f298e19d178d31b01a0f75e02a615cd639d261c44e55aa54778769d38ffc59f0086352c6f648116

Download Submit
memory/1080-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing