971c66eb14733d2315257e68accc2888de6441c34e05fb12f3fe81cc49f8c0d8

General

Target

971c66eb14733d2315257e68accc2888de6441c34e05fb12f3fe81cc49f8c0d8.exe
Size

443KB
MD5

5039cf419280a20f79f7c2fd4ce0136e
SHA1

e0fed6671e01275cdf7d2546869d728bf07fbd9c
SHA256

971c66eb14733d2315257e68accc2888de6441c34e05fb12f3fe81cc49f8c0d8
SHA512

7aed63b03e12daf04835ec810825a02c9f17c9c174257877feadb978f25c2d07288b34ecf6a0e9daed9ce7ce780f77c64b329063dd82ce68e53a733b987d273f
SSDEEP

12288:DgDI/KveiSNoP7sfoEYiYK+peW1dzD5JCz9://CZ9QwEFx+EW1dzDT0

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
888	SHOCKW~1.EXE
568	SHOCKW~1.EXE

Loads dropped DLL 5 IoCs

pid	Process
944	971c66eb14733d2315257e68accc2888de6441c34e05fb12f3fe81cc49f8c0d8.exe
944	971c66eb14733d2315257e68accc2888de6441c34e05fb12f3fe81cc49f8c0d8.exe
888	SHOCKW~1.EXE
888	SHOCKW~1.EXE
568	SHOCKW~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	971c66eb14733d2315257e68accc2888de6441c34e05fb12f3fe81cc49f8c0d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	971c66eb14733d2315257e68accc2888de6441c34e05fb12f3fe81cc49f8c0d8.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\win.com	SHOCKW~1.EXE
File opened for modification	C:\Windows\SysWOW64\win.com	SHOCKW~1.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 888 set thread context of 568	888	SHOCKW~1.EXE	29

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
568	SHOCKW~1.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	568	SHOCKW~1.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
888	SHOCKW~1.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 888	944	971c66eb14733d2315257e68accc2888de6441c34e05fb12f3fe81cc49f8c0d8.exe	28
PID 944 wrote to memory of 888	944	971c66eb14733d2315257e68accc2888de6441c34e05fb12f3fe81cc49f8c0d8.exe	28
PID 944 wrote to memory of 888	944	971c66eb14733d2315257e68accc2888de6441c34e05fb12f3fe81cc49f8c0d8.exe	28
PID 944 wrote to memory of 888	944	971c66eb14733d2315257e68accc2888de6441c34e05fb12f3fe81cc49f8c0d8.exe	28
PID 944 wrote to memory of 888	944	971c66eb14733d2315257e68accc2888de6441c34e05fb12f3fe81cc49f8c0d8.exe	28
PID 944 wrote to memory of 888	944	971c66eb14733d2315257e68accc2888de6441c34e05fb12f3fe81cc49f8c0d8.exe	28
PID 944 wrote to memory of 888	944	971c66eb14733d2315257e68accc2888de6441c34e05fb12f3fe81cc49f8c0d8.exe	28
PID 888 wrote to memory of 568	888	SHOCKW~1.EXE	29
PID 888 wrote to memory of 568	888	SHOCKW~1.EXE	29
PID 888 wrote to memory of 568	888	SHOCKW~1.EXE	29
PID 888 wrote to memory of 568	888	SHOCKW~1.EXE	29
PID 888 wrote to memory of 568	888	SHOCKW~1.EXE	29
PID 888 wrote to memory of 568	888	SHOCKW~1.EXE	29
PID 888 wrote to memory of 568	888	SHOCKW~1.EXE	29
PID 888 wrote to memory of 568	888	SHOCKW~1.EXE	29
PID 888 wrote to memory of 568	888	SHOCKW~1.EXE	29
PID 888 wrote to memory of 568	888	SHOCKW~1.EXE	29
PID 888 wrote to memory of 568	888	SHOCKW~1.EXE	29
PID 888 wrote to memory of 568	888	SHOCKW~1.EXE	29
PID 568 wrote to memory of 1268	568	SHOCKW~1.EXE	17
PID 568 wrote to memory of 1268	568	SHOCKW~1.EXE	17

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268
- C:\Users\Admin\AppData\Local\Temp\971c66eb14733d2315257e68accc2888de6441c34e05fb12f3fe81cc49f8c0d8.exe
  "C:\Users\Admin\AppData\Local\Temp\971c66eb14733d2315257e68accc2888de6441c34e05fb12f3fe81cc49f8c0d8.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE

Filesize
600KB

MD5
3cd2cd95a5fe6f348acfa52855d123f8

SHA1
56cbe9134ab621550ee715730c159c8d8f2a5931

SHA256
cc207bbe98d6ba3cf72e0c81dde5fab4a926b616e7d447de90921b768e100bb4

SHA512
aa1826805ea80cc1acecdec38782fc7f0e0ee036437a2b27078acd0fddd61e1601cddc514ac1b6c71090e4957e0119942149c40ae00af18d424935979b53d483

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE

Filesize
600KB

MD5
3cd2cd95a5fe6f348acfa52855d123f8

SHA1
56cbe9134ab621550ee715730c159c8d8f2a5931

SHA256
cc207bbe98d6ba3cf72e0c81dde5fab4a926b616e7d447de90921b768e100bb4

SHA512
aa1826805ea80cc1acecdec38782fc7f0e0ee036437a2b27078acd0fddd61e1601cddc514ac1b6c71090e4957e0119942149c40ae00af18d424935979b53d483

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE

Filesize
600KB

MD5
3cd2cd95a5fe6f348acfa52855d123f8

SHA1
56cbe9134ab621550ee715730c159c8d8f2a5931

SHA256
cc207bbe98d6ba3cf72e0c81dde5fab4a926b616e7d447de90921b768e100bb4

SHA512
aa1826805ea80cc1acecdec38782fc7f0e0ee036437a2b27078acd0fddd61e1601cddc514ac1b6c71090e4957e0119942149c40ae00af18d424935979b53d483

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE

Filesize
600KB

MD5
3cd2cd95a5fe6f348acfa52855d123f8

SHA1
56cbe9134ab621550ee715730c159c8d8f2a5931

SHA256
cc207bbe98d6ba3cf72e0c81dde5fab4a926b616e7d447de90921b768e100bb4

SHA512
aa1826805ea80cc1acecdec38782fc7f0e0ee036437a2b27078acd0fddd61e1601cddc514ac1b6c71090e4957e0119942149c40ae00af18d424935979b53d483

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE

Filesize
600KB

MD5
3cd2cd95a5fe6f348acfa52855d123f8

SHA1
56cbe9134ab621550ee715730c159c8d8f2a5931

SHA256
cc207bbe98d6ba3cf72e0c81dde5fab4a926b616e7d447de90921b768e100bb4

SHA512
aa1826805ea80cc1acecdec38782fc7f0e0ee036437a2b27078acd0fddd61e1601cddc514ac1b6c71090e4957e0119942149c40ae00af18d424935979b53d483

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE

Filesize
600KB

MD5
3cd2cd95a5fe6f348acfa52855d123f8

SHA1
56cbe9134ab621550ee715730c159c8d8f2a5931

SHA256
cc207bbe98d6ba3cf72e0c81dde5fab4a926b616e7d447de90921b768e100bb4

SHA512
aa1826805ea80cc1acecdec38782fc7f0e0ee036437a2b27078acd0fddd61e1601cddc514ac1b6c71090e4957e0119942149c40ae00af18d424935979b53d483

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE

Filesize
600KB

MD5
3cd2cd95a5fe6f348acfa52855d123f8

SHA1
56cbe9134ab621550ee715730c159c8d8f2a5931

SHA256
cc207bbe98d6ba3cf72e0c81dde5fab4a926b616e7d447de90921b768e100bb4

SHA512
aa1826805ea80cc1acecdec38782fc7f0e0ee036437a2b27078acd0fddd61e1601cddc514ac1b6c71090e4957e0119942149c40ae00af18d424935979b53d483

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE

Filesize
600KB

MD5
3cd2cd95a5fe6f348acfa52855d123f8

SHA1
56cbe9134ab621550ee715730c159c8d8f2a5931

SHA256
cc207bbe98d6ba3cf72e0c81dde5fab4a926b616e7d447de90921b768e100bb4

SHA512
aa1826805ea80cc1acecdec38782fc7f0e0ee036437a2b27078acd0fddd61e1601cddc514ac1b6c71090e4957e0119942149c40ae00af18d424935979b53d483

Download Submit
memory/568-70-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/568-84-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/568-86-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/568-69-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/568-85-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/568-72-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/568-73-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/568-75-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/568-83-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/568-79-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/944-55-0x0000000001000000-0x00000000010EBEB8-memory.dmp

Filesize
943KB

Download
memory/944-57-0x0000000001000000-0x00000000010EBEB8-memory.dmp

Filesize
943KB

Download
memory/944-54-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download
memory/944-58-0x00000000003D0000-0x00000000004BC000-memory.dmp

Filesize
944KB

Download
memory/944-87-0x0000000001000000-0x00000000010EBEB8-memory.dmp

Filesize
943KB

Download

Analysis

Sharing