b0685688e517286165cc773a2bc88e337b4d7df5279c8ed8aa549d1baaf88449

General

Target

b0685688e517286165cc773a2bc88e337b4d7df5279c8ed8aa549d1baaf88449.exe
Size

192KB
MD5

4c3ba5d81401600cfc2382681fee9f76
SHA1

a54bd8f45aa5cc2ca38da8510e98bfcbd5ab9c4a
SHA256

b0685688e517286165cc773a2bc88e337b4d7df5279c8ed8aa549d1baaf88449
SHA512

361b1cc2dfeb075fef2f7480791737028489d07659cd80c32fb61079e9de3c9bc1f18d28ed90fe37e20626564eca7fa21a7f4be4717f253dc6cd29182c3f9b7a
SSDEEP

3072:pzWrHZJyJekaWxGu8ymle/G9i0Mk5kvllxhC73TsuZfU:6HviL/OAk+llx8LwuZM

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2016	xecxuw.exe

Deletes itself 1 IoCs

pid	Process
2040	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2040	cmd.exe
2040	cmd.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	xecxuw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	xecxuw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	xecxuw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\vxecx\\command	xecxuw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	xecxuw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\vxecx	xecxuw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\vxecx	xecxuw.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
728	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2040	1736	b0685688e517286165cc773a2bc88e337b4d7df5279c8ed8aa549d1baaf88449.exe	28
PID 1736 wrote to memory of 2040	1736	b0685688e517286165cc773a2bc88e337b4d7df5279c8ed8aa549d1baaf88449.exe	28
PID 1736 wrote to memory of 2040	1736	b0685688e517286165cc773a2bc88e337b4d7df5279c8ed8aa549d1baaf88449.exe	28
PID 1736 wrote to memory of 2040	1736	b0685688e517286165cc773a2bc88e337b4d7df5279c8ed8aa549d1baaf88449.exe	28
PID 2040 wrote to memory of 2016	2040	cmd.exe	30
PID 2040 wrote to memory of 2016	2040	cmd.exe	30
PID 2040 wrote to memory of 2016	2040	cmd.exe	30
PID 2040 wrote to memory of 2016	2040	cmd.exe	30
PID 2040 wrote to memory of 728	2040	cmd.exe	31
PID 2040 wrote to memory of 728	2040	cmd.exe	31
PID 2040 wrote to memory of 728	2040	cmd.exe	31
PID 2040 wrote to memory of 728	2040	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\b0685688e517286165cc773a2bc88e337b4d7df5279c8ed8aa549d1baaf88449.exe
"C:\Users\Admin\AppData\Local\Temp\b0685688e517286165cc773a2bc88e337b4d7df5279c8ed8aa549d1baaf88449.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\ltgxhzt.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\xecxuw.exe
    "C:\Users\Admin\AppData\Local\Temp\xecxuw.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:2016
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ltgxhzt.bat

Filesize
124B

MD5
75da8a1dbe76a72e8d9612833a33f671

SHA1
808623560c874db06466663fd859561c5cf6c672

SHA256
8cd8e46b5eb2f28f0a5157688b084bd26844e0e3479f8f3194ed5711c6175bed

SHA512
a5e79d0dce2286921a8a5858b9ad0a8bcbb987d6f940823a38d301b1bee59275e6f67bfdecf617160d6d89e2da8463f20f1192eddd87c3d69980b65517a07f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\vpcbgn.bat

Filesize
188B

MD5
22ab0a1097c92286077d22e0a0d6d9df

SHA1
cc76b9d3e27b2a48292643a7681716c8b9f803c2

SHA256
dc021ec350b851c4d86fc76896a42d1ad4fc7b5bcd3d0a828e40945852d259d2

SHA512
51e01efa6725b813535ef75f25262e00b4a4a1f8b92709ef35bfe284c97c4d7d544d730268614e61f8434bff296860cbf6645cc4b95071fc9168a206fade9116

Download Submit
C:\Users\Admin\AppData\Local\Temp\xecxuw.exe

Filesize
144KB

MD5
3297ca9bbd5da932f34a083d3cd5bcc0

SHA1
2ca3e9404eeca79e698aa18b220be5516c4ef508

SHA256
24ae390dbee96696b751605f520da3b089076cc31c25db9bc54586b06f6fb9c0

SHA512
7f6cccea99921b4586783ee64733d16f88b51ae34afdb4f999c0e9f7dbbd358763a3930e076513a312aec16534f40e58ffc0f9e866aedde4760c96ef01c4a4e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xecxuw.exe

Filesize
144KB

MD5
3297ca9bbd5da932f34a083d3cd5bcc0

SHA1
2ca3e9404eeca79e698aa18b220be5516c4ef508

SHA256
24ae390dbee96696b751605f520da3b089076cc31c25db9bc54586b06f6fb9c0

SHA512
7f6cccea99921b4586783ee64733d16f88b51ae34afdb4f999c0e9f7dbbd358763a3930e076513a312aec16534f40e58ffc0f9e866aedde4760c96ef01c4a4e4

Download Submit
\Users\Admin\AppData\Local\Temp\xecxuw.exe

Filesize
144KB

MD5
3297ca9bbd5da932f34a083d3cd5bcc0

SHA1
2ca3e9404eeca79e698aa18b220be5516c4ef508

SHA256
24ae390dbee96696b751605f520da3b089076cc31c25db9bc54586b06f6fb9c0

SHA512
7f6cccea99921b4586783ee64733d16f88b51ae34afdb4f999c0e9f7dbbd358763a3930e076513a312aec16534f40e58ffc0f9e866aedde4760c96ef01c4a4e4

Download Submit
\Users\Admin\AppData\Local\Temp\xecxuw.exe

Filesize
144KB

MD5
3297ca9bbd5da932f34a083d3cd5bcc0

SHA1
2ca3e9404eeca79e698aa18b220be5516c4ef508

SHA256
24ae390dbee96696b751605f520da3b089076cc31c25db9bc54586b06f6fb9c0

SHA512
7f6cccea99921b4586783ee64733d16f88b51ae34afdb4f999c0e9f7dbbd358763a3930e076513a312aec16534f40e58ffc0f9e866aedde4760c96ef01c4a4e4

Download Submit
memory/1736-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing