b32ad9f3a3abed43a840eac4b8ffd22d0ec7f132950791c764e09ba61f546afd

General

Target

b32ad9f3a3abed43a840eac4b8ffd22d0ec7f132950791c764e09ba61f546afd.exe
Size

108KB
MD5

8b6b05e9ffa0060f21d448e4fa720c01
SHA1

5fcd40630c5237b08f88cdc00e4cb73cfe3e92b1
SHA256

b32ad9f3a3abed43a840eac4b8ffd22d0ec7f132950791c764e09ba61f546afd
SHA512

de88313db926044d5444c7331e38b719370af79332ba95e65cfc3b9a108cee01be19ed763b7f512b406a326e1a232c02a37f285b76d2d57d87a83b12f98b4088
SSDEEP

3072:PGu9BlfzWIbXWm+w0J+5ib43nbo+T3RSKiu7D7Ed:P/0uoz43bo0wMq

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1440	server.exe
1464	server.exe

Loads dropped DLL 5 IoCs

pid	Process
2016	b32ad9f3a3abed43a840eac4b8ffd22d0ec7f132950791c764e09ba61f546afd.exe
2016	b32ad9f3a3abed43a840eac4b8ffd22d0ec7f132950791c764e09ba61f546afd.exe
1440	server.exe
1440	server.exe
1464	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b32ad9f3a3abed43a840eac4b8ffd22d0ec7f132950791c764e09ba61f546afd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b32ad9f3a3abed43a840eac4b8ffd22d0ec7f132950791c764e09ba61f546afd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1440 set thread context of 1464	1440	server.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1464	server.exe
1464	server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1440	server.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1440	2016	b32ad9f3a3abed43a840eac4b8ffd22d0ec7f132950791c764e09ba61f546afd.exe	28
PID 2016 wrote to memory of 1440	2016	b32ad9f3a3abed43a840eac4b8ffd22d0ec7f132950791c764e09ba61f546afd.exe	28
PID 2016 wrote to memory of 1440	2016	b32ad9f3a3abed43a840eac4b8ffd22d0ec7f132950791c764e09ba61f546afd.exe	28
PID 2016 wrote to memory of 1440	2016	b32ad9f3a3abed43a840eac4b8ffd22d0ec7f132950791c764e09ba61f546afd.exe	28
PID 2016 wrote to memory of 1440	2016	b32ad9f3a3abed43a840eac4b8ffd22d0ec7f132950791c764e09ba61f546afd.exe	28
PID 2016 wrote to memory of 1440	2016	b32ad9f3a3abed43a840eac4b8ffd22d0ec7f132950791c764e09ba61f546afd.exe	28
PID 2016 wrote to memory of 1440	2016	b32ad9f3a3abed43a840eac4b8ffd22d0ec7f132950791c764e09ba61f546afd.exe	28
PID 1440 wrote to memory of 1464	1440	server.exe	29
PID 1440 wrote to memory of 1464	1440	server.exe	29
PID 1440 wrote to memory of 1464	1440	server.exe	29
PID 1440 wrote to memory of 1464	1440	server.exe	29
PID 1440 wrote to memory of 1464	1440	server.exe	29
PID 1440 wrote to memory of 1464	1440	server.exe	29
PID 1440 wrote to memory of 1464	1440	server.exe	29
PID 1440 wrote to memory of 1464	1440	server.exe	29
PID 1440 wrote to memory of 1464	1440	server.exe	29
PID 1440 wrote to memory of 1464	1440	server.exe	29
PID 1440 wrote to memory of 1464	1440	server.exe	29
PID 1464 wrote to memory of 1208	1464	server.exe	15
PID 1464 wrote to memory of 1208	1464	server.exe	15
PID 1464 wrote to memory of 1208	1464	server.exe	15
PID 1464 wrote to memory of 1208	1464	server.exe	15

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\b32ad9f3a3abed43a840eac4b8ffd22d0ec7f132950791c764e09ba61f546afd.exe
  "C:\Users\Admin\AppData\Local\Temp\b32ad9f3a3abed43a840eac4b8ffd22d0ec7f132950791c764e09ba61f546afd.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
47KB

MD5
2f277bd7e0c3095b4dc3c060a55ceada

SHA1
0fa83c0e376bd67ba566d30844041b2854faaf78

SHA256
a5caea562fa0cba5527c0ee24a3d30276a9be2b3350d5bda6a1db2f6099da67c

SHA512
8f41839dbd8b7b522754e0e17d661c5679f3105322b45c487f38936422f414c1aac74c9d3b3d5c3808fdfcc48ea86398918b9e3451a38e1043b79d4efc937593

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
47KB

MD5
2f277bd7e0c3095b4dc3c060a55ceada

SHA1
0fa83c0e376bd67ba566d30844041b2854faaf78

SHA256
a5caea562fa0cba5527c0ee24a3d30276a9be2b3350d5bda6a1db2f6099da67c

SHA512
8f41839dbd8b7b522754e0e17d661c5679f3105322b45c487f38936422f414c1aac74c9d3b3d5c3808fdfcc48ea86398918b9e3451a38e1043b79d4efc937593

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
47KB

MD5
2f277bd7e0c3095b4dc3c060a55ceada

SHA1
0fa83c0e376bd67ba566d30844041b2854faaf78

SHA256
a5caea562fa0cba5527c0ee24a3d30276a9be2b3350d5bda6a1db2f6099da67c

SHA512
8f41839dbd8b7b522754e0e17d661c5679f3105322b45c487f38936422f414c1aac74c9d3b3d5c3808fdfcc48ea86398918b9e3451a38e1043b79d4efc937593

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
47KB

MD5
2f277bd7e0c3095b4dc3c060a55ceada

SHA1
0fa83c0e376bd67ba566d30844041b2854faaf78

SHA256
a5caea562fa0cba5527c0ee24a3d30276a9be2b3350d5bda6a1db2f6099da67c

SHA512
8f41839dbd8b7b522754e0e17d661c5679f3105322b45c487f38936422f414c1aac74c9d3b3d5c3808fdfcc48ea86398918b9e3451a38e1043b79d4efc937593

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
47KB

MD5
2f277bd7e0c3095b4dc3c060a55ceada

SHA1
0fa83c0e376bd67ba566d30844041b2854faaf78

SHA256
a5caea562fa0cba5527c0ee24a3d30276a9be2b3350d5bda6a1db2f6099da67c

SHA512
8f41839dbd8b7b522754e0e17d661c5679f3105322b45c487f38936422f414c1aac74c9d3b3d5c3808fdfcc48ea86398918b9e3451a38e1043b79d4efc937593

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
47KB

MD5
2f277bd7e0c3095b4dc3c060a55ceada

SHA1
0fa83c0e376bd67ba566d30844041b2854faaf78

SHA256
a5caea562fa0cba5527c0ee24a3d30276a9be2b3350d5bda6a1db2f6099da67c

SHA512
8f41839dbd8b7b522754e0e17d661c5679f3105322b45c487f38936422f414c1aac74c9d3b3d5c3808fdfcc48ea86398918b9e3451a38e1043b79d4efc937593

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
47KB

MD5
2f277bd7e0c3095b4dc3c060a55ceada

SHA1
0fa83c0e376bd67ba566d30844041b2854faaf78

SHA256
a5caea562fa0cba5527c0ee24a3d30276a9be2b3350d5bda6a1db2f6099da67c

SHA512
8f41839dbd8b7b522754e0e17d661c5679f3105322b45c487f38936422f414c1aac74c9d3b3d5c3808fdfcc48ea86398918b9e3451a38e1043b79d4efc937593

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe

Filesize
47KB

MD5
2f277bd7e0c3095b4dc3c060a55ceada

SHA1
0fa83c0e376bd67ba566d30844041b2854faaf78

SHA256
a5caea562fa0cba5527c0ee24a3d30276a9be2b3350d5bda6a1db2f6099da67c

SHA512
8f41839dbd8b7b522754e0e17d661c5679f3105322b45c487f38936422f414c1aac74c9d3b3d5c3808fdfcc48ea86398918b9e3451a38e1043b79d4efc937593

Download Submit
memory/1208-77-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1440-65-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1440-74-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1464-75-0x0000000000400000-0x00000000004083A0-memory.dmp

Filesize
32KB

Download
memory/1464-68-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1464-76-0x00000000008C0000-0x0000000000905000-memory.dmp

Filesize
276KB

Download
memory/1464-80-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2016-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/2016-63-0x0000000000380000-0x00000000003C5000-memory.dmp

Filesize
276KB

Download
memory/2016-64-0x0000000000380000-0x00000000003C5000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing