f86eb333a80b047631a1ad350885da0f13736d7f56b2351f419caffaf980d084

General

Target

f86eb333a80b047631a1ad350885da0f13736d7f56b2351f419caffaf980d084.exe
Size

1.9MB
MD5

d1fd068825c57d73bd37e6af7b5c3363
SHA1

bf7ab0542a5b7cddd94d8b5a9eb13c908c0738f0
SHA256

f86eb333a80b047631a1ad350885da0f13736d7f56b2351f419caffaf980d084
SHA512

03d60ebe21f02580b0a06378cd4fe9f48fbdb35ae66465209cdf735603861c3f92f95e453685f40a06b0019eeb906f67f7968e7d0bbdeb1daae1478cf5cb1de2
SSDEEP

24576:77HK5N+cLJKQmHzrV3nMk0cQUTDP4yfrF+awF9mZHMK1b8YWU/C4PYCLiObCxqjj:/SNHduBMk0aDP4yDFVKmmK1gYWOPo8EE

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3016	f86eb333a80b047631a1ad350885da0f13736d7f56b2351f419caffaf980d084.tmp
4848	inst.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LocalHost32 = "C:\\Windows\\system32\\lsasrv.exe"	f86eb333a80b047631a1ad350885da0f13736d7f56b2351f419caffaf980d084.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f86eb333a80b047631a1ad350885da0f13736d7f56b2351f419caffaf980d084.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f86eb333a80b047631a1ad350885da0f13736d7f56b2351f419caffaf980d084.tmp

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	inst.exe
File opened (read-only)	\??\W:	inst.exe
File opened (read-only)	\??\Y:	inst.exe
File opened (read-only)	\??\F:	inst.exe
File opened (read-only)	\??\J:	inst.exe
File opened (read-only)	\??\M:	inst.exe
File opened (read-only)	\??\O:	inst.exe
File opened (read-only)	\??\V:	inst.exe
File opened (read-only)	\??\X:	inst.exe
File opened (read-only)	\??\A:	inst.exe
File opened (read-only)	\??\H:	inst.exe
File opened (read-only)	\??\N:	inst.exe
File opened (read-only)	\??\Q:	inst.exe
File opened (read-only)	\??\U:	inst.exe
File opened (read-only)	\??\Z:	inst.exe
File opened (read-only)	\??\G:	inst.exe
File opened (read-only)	\??\K:	inst.exe
File opened (read-only)	\??\L:	inst.exe
File opened (read-only)	\??\R:	inst.exe
File opened (read-only)	\??\S:	inst.exe
File opened (read-only)	\??\T:	inst.exe
File opened (read-only)	\??\B:	inst.exe
File opened (read-only)	\??\E:	inst.exe
File opened (read-only)	\??\I:	inst.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lsasrv.exe	f86eb333a80b047631a1ad350885da0f13736d7f56b2351f419caffaf980d084.exe
File opened for modification	C:\Windows\SysWOW64\lsasrv.exe	f86eb333a80b047631a1ad350885da0f13736d7f56b2351f419caffaf980d084.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4848	inst.exe
Token: SeIncreaseQuotaPrivilege	4848	inst.exe
Token: SeSecurityPrivilege	4904	msiexec.exe
Token: SeCreateTokenPrivilege	4848	inst.exe
Token: SeAssignPrimaryTokenPrivilege	4848	inst.exe
Token: SeLockMemoryPrivilege	4848	inst.exe
Token: SeIncreaseQuotaPrivilege	4848	inst.exe
Token: SeMachineAccountPrivilege	4848	inst.exe
Token: SeTcbPrivilege	4848	inst.exe
Token: SeSecurityPrivilege	4848	inst.exe
Token: SeTakeOwnershipPrivilege	4848	inst.exe
Token: SeLoadDriverPrivilege	4848	inst.exe
Token: SeSystemProfilePrivilege	4848	inst.exe
Token: SeSystemtimePrivilege	4848	inst.exe
Token: SeProfSingleProcessPrivilege	4848	inst.exe
Token: SeIncBasePriorityPrivilege	4848	inst.exe
Token: SeCreatePagefilePrivilege	4848	inst.exe
Token: SeCreatePermanentPrivilege	4848	inst.exe
Token: SeBackupPrivilege	4848	inst.exe
Token: SeRestorePrivilege	4848	inst.exe
Token: SeShutdownPrivilege	4848	inst.exe
Token: SeDebugPrivilege	4848	inst.exe
Token: SeAuditPrivilege	4848	inst.exe
Token: SeSystemEnvironmentPrivilege	4848	inst.exe
Token: SeChangeNotifyPrivilege	4848	inst.exe
Token: SeRemoteShutdownPrivilege	4848	inst.exe
Token: SeUndockPrivilege	4848	inst.exe
Token: SeSyncAgentPrivilege	4848	inst.exe
Token: SeEnableDelegationPrivilege	4848	inst.exe
Token: SeManageVolumePrivilege	4848	inst.exe
Token: SeImpersonatePrivilege	4848	inst.exe
Token: SeCreateGlobalPrivilege	4848	inst.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4848	inst.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 3016	2552	f86eb333a80b047631a1ad350885da0f13736d7f56b2351f419caffaf980d084.exe	81
PID 2552 wrote to memory of 3016	2552	f86eb333a80b047631a1ad350885da0f13736d7f56b2351f419caffaf980d084.exe	81
PID 2552 wrote to memory of 3016	2552	f86eb333a80b047631a1ad350885da0f13736d7f56b2351f419caffaf980d084.exe	81
PID 3016 wrote to memory of 4848	3016	f86eb333a80b047631a1ad350885da0f13736d7f56b2351f419caffaf980d084.tmp	82
PID 3016 wrote to memory of 4848	3016	f86eb333a80b047631a1ad350885da0f13736d7f56b2351f419caffaf980d084.tmp	82
PID 3016 wrote to memory of 4848	3016	f86eb333a80b047631a1ad350885da0f13736d7f56b2351f419caffaf980d084.tmp	82

C:\Users\Admin\AppData\Local\Temp\f86eb333a80b047631a1ad350885da0f13736d7f56b2351f419caffaf980d084.exe
"C:\Users\Admin\AppData\Local\Temp\f86eb333a80b047631a1ad350885da0f13736d7f56b2351f419caffaf980d084.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Local\Temp\f86eb333a80b047631a1ad350885da0f13736d7f56b2351f419caffaf980d084.tmp
  C:\Users\Admin\AppData\Local\Temp\f86eb333a80b047631a1ad350885da0f13736d7f56b2351f419caffaf980d084.tmp
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\inst.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\inst.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:4848

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\inst.exe

Filesize
68KB

MD5
5989381e6a211550272503627c1be3ec

SHA1
931f9b273d68cffe51090e74b0ddbf63b281ac1f

SHA256
69bdd86369f41a164279c1c0542f38573da137d1121d920081b4da1d82935d21

SHA512
c1362b899443329ce3521f10e84675c45d75583c7ccfe2f4b41baf52ebd3eb333a8566312c7d71b8aff2be38d54bd32e18fa83e59978b1ed39ccf734cc464de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\inst.exe

Filesize
68KB

MD5
5989381e6a211550272503627c1be3ec

SHA1
931f9b273d68cffe51090e74b0ddbf63b281ac1f

SHA256
69bdd86369f41a164279c1c0542f38573da137d1121d920081b4da1d82935d21

SHA512
c1362b899443329ce3521f10e84675c45d75583c7ccfe2f4b41baf52ebd3eb333a8566312c7d71b8aff2be38d54bd32e18fa83e59978b1ed39ccf734cc464de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\langpack.msi

Filesize
382KB

MD5
d287342ca2687386f742ed98340b026d

SHA1
42b49954c4d1a0e6ae940c2851a56ef52a607412

SHA256
a0d432b0ed63bd80fcc9c614db5435a961069d49e66a22e5a970905364c95d0b

SHA512
40e2413826f281f56e6c6c94543fae4cf7f1511e0eba9bbed9ff01f6f51f697da99f1e47cd2526c1427b081042d48dcab93a468d33d9f0d359900155324ed101

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.ini

Filesize
141B

MD5
adfa7c0ec02f1f6bb34116b3adcbc5c1

SHA1
e2e2c02d6fe7abb2b30476cc8c6de466906c8044

SHA256
04664f1a6c63a6e558be6c6894d06a44732268739407c9b96e3f4199a50ee79a

SHA512
52a502975d049a5d81d7e412b78d995f58606c06abd51c376bcee5528b488aa26b31b545a453749e33d74ba0746973c509da9cc56b10297a7bc6039e2ead3a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f86eb333a80b047631a1ad350885da0f13736d7f56b2351f419caffaf980d084.tmp

Filesize
1.2MB

MD5
c528c5d30d4652361b45f9bb09681bf2

SHA1
b3b06154005c467220becc9675efce8fb16c2e51

SHA256
803c681f031f306fd77f2f5d001e2c854b9df12e0a63bd0637881972cecbc03d

SHA512
eb68ec1a528c3914934d3d01ea062bf1edc3b4c7edca17c93ac8e2987cff66a9cdcb4bf08a025562d363e2a60d26c9eabe3cac6e2d7b1c926a759c34b85e6f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\f86eb333a80b047631a1ad350885da0f13736d7f56b2351f419caffaf980d084.tmp

Filesize
1.2MB

MD5
c528c5d30d4652361b45f9bb09681bf2

SHA1
b3b06154005c467220becc9675efce8fb16c2e51

SHA256
803c681f031f306fd77f2f5d001e2c854b9df12e0a63bd0637881972cecbc03d

SHA512
eb68ec1a528c3914934d3d01ea062bf1edc3b4c7edca17c93ac8e2987cff66a9cdcb4bf08a025562d363e2a60d26c9eabe3cac6e2d7b1c926a759c34b85e6f40

Download Submit
memory/3016-132-0x0000000000000000-mapping.dmp

Download
memory/4848-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing