93cb27262f6355138e78f66fc71f2d4ace1fcc30edfd434a24a12d60fbf77aca

General

Target

93cb27262f6355138e78f66fc71f2d4ace1fcc30edfd434a24a12d60fbf77aca.exe
Size

323KB
MD5

19499ac4d794cb72a1c486a55b1cb4c0
SHA1

4c346c854fff4a264783799b006ba679b4387392
SHA256

93cb27262f6355138e78f66fc71f2d4ace1fcc30edfd434a24a12d60fbf77aca
SHA512

124c1b45c63e8ac4f5348196177ac4de23532ae4273d4b4c8ac3dd4938d325ae33ef0b76edd58ad04538287fd68bebc1fb6db712d8fe380da59c359b8a7322e5
SSDEEP

6144:7jbeiookOUv272gddDFtbiSzCd/j0lUshzmANiefgXulWs7J3Dj7:7uO7YLgdd3mSzMwldzTMWg+osFzP

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1276	1p.exe
1156	sdafsdaf.exe

Loads dropped DLL 3 IoCs

pid	Process
1448	93cb27262f6355138e78f66fc71f2d4ace1fcc30edfd434a24a12d60fbf77aca.exe
1448	93cb27262f6355138e78f66fc71f2d4ace1fcc30edfd434a24a12d60fbf77aca.exe
1276	1p.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	93cb27262f6355138e78f66fc71f2d4ace1fcc30edfd434a24a12d60fbf77aca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	93cb27262f6355138e78f66fc71f2d4ace1fcc30edfd434a24a12d60fbf77aca.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\sdafsdaf.exe	1p.exe
File created	C:\Windows\UNINSTAL.BAT	1p.exe
File created	C:\Windows\sdafsdaf.exe	1p.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1276	1p.exe
Token: SeDebugPrivilege	1156	sdafsdaf.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1156	sdafsdaf.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 1276	1448	93cb27262f6355138e78f66fc71f2d4ace1fcc30edfd434a24a12d60fbf77aca.exe	27
PID 1448 wrote to memory of 1276	1448	93cb27262f6355138e78f66fc71f2d4ace1fcc30edfd434a24a12d60fbf77aca.exe	27
PID 1448 wrote to memory of 1276	1448	93cb27262f6355138e78f66fc71f2d4ace1fcc30edfd434a24a12d60fbf77aca.exe	27
PID 1448 wrote to memory of 1276	1448	93cb27262f6355138e78f66fc71f2d4ace1fcc30edfd434a24a12d60fbf77aca.exe	27
PID 1448 wrote to memory of 1276	1448	93cb27262f6355138e78f66fc71f2d4ace1fcc30edfd434a24a12d60fbf77aca.exe	27
PID 1448 wrote to memory of 1276	1448	93cb27262f6355138e78f66fc71f2d4ace1fcc30edfd434a24a12d60fbf77aca.exe	27
PID 1448 wrote to memory of 1276	1448	93cb27262f6355138e78f66fc71f2d4ace1fcc30edfd434a24a12d60fbf77aca.exe	27
PID 1156 wrote to memory of 1188	1156	sdafsdaf.exe	29
PID 1156 wrote to memory of 1188	1156	sdafsdaf.exe	29
PID 1156 wrote to memory of 1188	1156	sdafsdaf.exe	29
PID 1156 wrote to memory of 1188	1156	sdafsdaf.exe	29
PID 1276 wrote to memory of 324	1276	1p.exe	30
PID 1276 wrote to memory of 324	1276	1p.exe	30
PID 1276 wrote to memory of 324	1276	1p.exe	30
PID 1276 wrote to memory of 324	1276	1p.exe	30
PID 1276 wrote to memory of 324	1276	1p.exe	30
PID 1276 wrote to memory of 324	1276	1p.exe	30
PID 1276 wrote to memory of 324	1276	1p.exe	30

C:\Users\Admin\AppData\Local\Temp\93cb27262f6355138e78f66fc71f2d4ace1fcc30edfd434a24a12d60fbf77aca.exe
"C:\Users\Admin\AppData\Local\Temp\93cb27262f6355138e78f66fc71f2d4ace1fcc30edfd434a24a12d60fbf77aca.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1p.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1p.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\UNINSTAL.BAT
    3⤵
    PID:324

C:\Windows\sdafsdaf.exe
C:\Windows\sdafsdaf.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1p.exe

Filesize
268KB

MD5
43939e9252d1c398c3143bd69de234b1

SHA1
521d3b36f7b8f92ad9afe4bd8754937f351829c5

SHA256
9bd1a9850dcf4a2bd6edbef73116f81353d60c4be7779117c13a2469615d3d04

SHA512
d6de8b9c2d0837359ce09ab4e0b0a96c81ff4a80733282b05ce211d7a6ebebe31bde57986cc81012a8abd60f4620a50a92d49725431c914cafa20dfa42a42b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1p.exe

Filesize
268KB

MD5
43939e9252d1c398c3143bd69de234b1

SHA1
521d3b36f7b8f92ad9afe4bd8754937f351829c5

SHA256
9bd1a9850dcf4a2bd6edbef73116f81353d60c4be7779117c13a2469615d3d04

SHA512
d6de8b9c2d0837359ce09ab4e0b0a96c81ff4a80733282b05ce211d7a6ebebe31bde57986cc81012a8abd60f4620a50a92d49725431c914cafa20dfa42a42b2c

Download Submit
C:\Windows\UNINSTAL.BAT

Filesize
148B

MD5
cbc7e0a466123ad50190173e715d1e75

SHA1
e2b8743d9d0acfefa51fce8fd15a493b2e57d055

SHA256
fce3474fadb682847ab6f74f7825886cfedf4a9c8ef7480d8ec0d833f290d8fd

SHA512
5e4fdfa3f4e1a0f2ef918d10aedb838539ace8ab3dc964f5bf149f360a557cd5b92bb82b4035af4b7440bf2f4b75fb0bd1591bae868f739358e2fbb47124d52a

Download Submit
C:\Windows\sdafsdaf.exe

Filesize
268KB

MD5
43939e9252d1c398c3143bd69de234b1

SHA1
521d3b36f7b8f92ad9afe4bd8754937f351829c5

SHA256
9bd1a9850dcf4a2bd6edbef73116f81353d60c4be7779117c13a2469615d3d04

SHA512
d6de8b9c2d0837359ce09ab4e0b0a96c81ff4a80733282b05ce211d7a6ebebe31bde57986cc81012a8abd60f4620a50a92d49725431c914cafa20dfa42a42b2c

Download Submit
C:\Windows\sdafsdaf.exe

Filesize
268KB

MD5
43939e9252d1c398c3143bd69de234b1

SHA1
521d3b36f7b8f92ad9afe4bd8754937f351829c5

SHA256
9bd1a9850dcf4a2bd6edbef73116f81353d60c4be7779117c13a2469615d3d04

SHA512
d6de8b9c2d0837359ce09ab4e0b0a96c81ff4a80733282b05ce211d7a6ebebe31bde57986cc81012a8abd60f4620a50a92d49725431c914cafa20dfa42a42b2c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1p.exe

Filesize
268KB

MD5
43939e9252d1c398c3143bd69de234b1

SHA1
521d3b36f7b8f92ad9afe4bd8754937f351829c5

SHA256
9bd1a9850dcf4a2bd6edbef73116f81353d60c4be7779117c13a2469615d3d04

SHA512
d6de8b9c2d0837359ce09ab4e0b0a96c81ff4a80733282b05ce211d7a6ebebe31bde57986cc81012a8abd60f4620a50a92d49725431c914cafa20dfa42a42b2c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1p.exe

Filesize
268KB

MD5
43939e9252d1c398c3143bd69de234b1

SHA1
521d3b36f7b8f92ad9afe4bd8754937f351829c5

SHA256
9bd1a9850dcf4a2bd6edbef73116f81353d60c4be7779117c13a2469615d3d04

SHA512
d6de8b9c2d0837359ce09ab4e0b0a96c81ff4a80733282b05ce211d7a6ebebe31bde57986cc81012a8abd60f4620a50a92d49725431c914cafa20dfa42a42b2c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1p.exe

Filesize
268KB

MD5
43939e9252d1c398c3143bd69de234b1

SHA1
521d3b36f7b8f92ad9afe4bd8754937f351829c5

SHA256
9bd1a9850dcf4a2bd6edbef73116f81353d60c4be7779117c13a2469615d3d04

SHA512
d6de8b9c2d0837359ce09ab4e0b0a96c81ff4a80733282b05ce211d7a6ebebe31bde57986cc81012a8abd60f4620a50a92d49725431c914cafa20dfa42a42b2c

Download Submit
memory/1156-71-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/1156-72-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/1276-64-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/1448-63-0x0000000000C90000-0x0000000000D96000-memory.dmp

Filesize
1.0MB

Download
memory/1448-62-0x0000000000C90000-0x0000000000D96000-memory.dmp

Filesize
1.0MB

Download
memory/1448-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing