93cb27262f6355138e78f66fc71f2d4ace1fcc30edfd434a24a12d60fbf77aca

General

Target

93cb27262f6355138e78f66fc71f2d4ace1fcc30edfd434a24a12d60fbf77aca.exe
Size

323KB
MD5

19499ac4d794cb72a1c486a55b1cb4c0
SHA1

4c346c854fff4a264783799b006ba679b4387392
SHA256

93cb27262f6355138e78f66fc71f2d4ace1fcc30edfd434a24a12d60fbf77aca
SHA512

124c1b45c63e8ac4f5348196177ac4de23532ae4273d4b4c8ac3dd4938d325ae33ef0b76edd58ad04538287fd68bebc1fb6db712d8fe380da59c359b8a7322e5
SSDEEP

6144:7jbeiookOUv272gddDFtbiSzCd/j0lUshzmANiefgXulWs7J3Dj7:7uO7YLgdd3mSzMwldzTMWg+osFzP

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4548	1p.exe
4640	sdafsdaf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	93cb27262f6355138e78f66fc71f2d4ace1fcc30edfd434a24a12d60fbf77aca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	93cb27262f6355138e78f66fc71f2d4ace1fcc30edfd434a24a12d60fbf77aca.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\sdafsdaf.exe	1p.exe
File opened for modification	C:\Windows\sdafsdaf.exe	1p.exe
File created	C:\Windows\UNINSTAL.BAT	1p.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2736	4548	WerFault.exe	81

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4548	1p.exe
Token: SeDebugPrivilege	4640	sdafsdaf.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4640	sdafsdaf.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 732 wrote to memory of 4548	732	93cb27262f6355138e78f66fc71f2d4ace1fcc30edfd434a24a12d60fbf77aca.exe	81
PID 732 wrote to memory of 4548	732	93cb27262f6355138e78f66fc71f2d4ace1fcc30edfd434a24a12d60fbf77aca.exe	81
PID 732 wrote to memory of 4548	732	93cb27262f6355138e78f66fc71f2d4ace1fcc30edfd434a24a12d60fbf77aca.exe	81
PID 4640 wrote to memory of 560	4640	sdafsdaf.exe	84
PID 4640 wrote to memory of 560	4640	sdafsdaf.exe	84
PID 4548 wrote to memory of 5112	4548	1p.exe	90
PID 4548 wrote to memory of 5112	4548	1p.exe	90
PID 4548 wrote to memory of 5112	4548	1p.exe	90

C:\Users\Admin\AppData\Local\Temp\93cb27262f6355138e78f66fc71f2d4ace1fcc30edfd434a24a12d60fbf77aca.exe
"C:\Users\Admin\AppData\Local\Temp\93cb27262f6355138e78f66fc71f2d4ace1fcc30edfd434a24a12d60fbf77aca.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:732
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1p.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1p.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 780
    3⤵
    - Program crash
    PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\UNINSTAL.BAT
    3⤵
    PID:5112

C:\Windows\sdafsdaf.exe
C:\Windows\sdafsdaf.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4548 -ip 4548
1⤵
PID:4296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1p.exe

Filesize
268KB

MD5
43939e9252d1c398c3143bd69de234b1

SHA1
521d3b36f7b8f92ad9afe4bd8754937f351829c5

SHA256
9bd1a9850dcf4a2bd6edbef73116f81353d60c4be7779117c13a2469615d3d04

SHA512
d6de8b9c2d0837359ce09ab4e0b0a96c81ff4a80733282b05ce211d7a6ebebe31bde57986cc81012a8abd60f4620a50a92d49725431c914cafa20dfa42a42b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1p.exe

Filesize
268KB

MD5
43939e9252d1c398c3143bd69de234b1

SHA1
521d3b36f7b8f92ad9afe4bd8754937f351829c5

SHA256
9bd1a9850dcf4a2bd6edbef73116f81353d60c4be7779117c13a2469615d3d04

SHA512
d6de8b9c2d0837359ce09ab4e0b0a96c81ff4a80733282b05ce211d7a6ebebe31bde57986cc81012a8abd60f4620a50a92d49725431c914cafa20dfa42a42b2c

Download Submit
C:\Windows\UNINSTAL.BAT

Filesize
148B

MD5
cbc7e0a466123ad50190173e715d1e75

SHA1
e2b8743d9d0acfefa51fce8fd15a493b2e57d055

SHA256
fce3474fadb682847ab6f74f7825886cfedf4a9c8ef7480d8ec0d833f290d8fd

SHA512
5e4fdfa3f4e1a0f2ef918d10aedb838539ace8ab3dc964f5bf149f360a557cd5b92bb82b4035af4b7440bf2f4b75fb0bd1591bae868f739358e2fbb47124d52a

Download Submit
C:\Windows\sdafsdaf.exe

Filesize
268KB

MD5
43939e9252d1c398c3143bd69de234b1

SHA1
521d3b36f7b8f92ad9afe4bd8754937f351829c5

SHA256
9bd1a9850dcf4a2bd6edbef73116f81353d60c4be7779117c13a2469615d3d04

SHA512
d6de8b9c2d0837359ce09ab4e0b0a96c81ff4a80733282b05ce211d7a6ebebe31bde57986cc81012a8abd60f4620a50a92d49725431c914cafa20dfa42a42b2c

Download Submit
C:\Windows\sdafsdaf.exe

Filesize
268KB

MD5
43939e9252d1c398c3143bd69de234b1

SHA1
521d3b36f7b8f92ad9afe4bd8754937f351829c5

SHA256
9bd1a9850dcf4a2bd6edbef73116f81353d60c4be7779117c13a2469615d3d04

SHA512
d6de8b9c2d0837359ce09ab4e0b0a96c81ff4a80733282b05ce211d7a6ebebe31bde57986cc81012a8abd60f4620a50a92d49725431c914cafa20dfa42a42b2c

Download Submit
memory/4548-135-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/4640-137-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/4640-139-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing