e080049a04127c2a5d21343098bbbaed79be0d255bd1862d311bdbc9e137661e

General

Target

e080049a04127c2a5d21343098bbbaed79be0d255bd1862d311bdbc9e137661e.exe
Size

431KB
MD5

d0555892523bc2949373e803ed1f1703
SHA1

e1e5d5e0440359315dc9e69ee3e3df2dde6af30f
SHA256

e080049a04127c2a5d21343098bbbaed79be0d255bd1862d311bdbc9e137661e
SHA512

ec071314b4a902fd31060d19d010d19f7f0099788988e069230f758f55d8ccc7c55aca819492d7504c7a12adafe697d25170e16a27c3a96360dc8bf9d5c8568a
SSDEEP

12288:xCDebz10dvYQZ45LhjSJhEyOo1hUF3V8C+guFythEeZArV:9W/m5LQJIo4rgguq7qrV

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1984	SHOCKW~1.EXE
320	SHOCKW~1.EXE

Loads dropped DLL 5 IoCs

pid	Process
2040	e080049a04127c2a5d21343098bbbaed79be0d255bd1862d311bdbc9e137661e.exe
2040	e080049a04127c2a5d21343098bbbaed79be0d255bd1862d311bdbc9e137661e.exe
1984	SHOCKW~1.EXE
1984	SHOCKW~1.EXE
320	SHOCKW~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e080049a04127c2a5d21343098bbbaed79be0d255bd1862d311bdbc9e137661e.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e080049a04127c2a5d21343098bbbaed79be0d255bd1862d311bdbc9e137661e.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\win.com	SHOCKW~1.EXE
File opened for modification	C:\Windows\SysWOW64\win.com	SHOCKW~1.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1984 set thread context of 320	1984	SHOCKW~1.EXE	29

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
320	SHOCKW~1.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	320	SHOCKW~1.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1984	SHOCKW~1.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1984	2040	e080049a04127c2a5d21343098bbbaed79be0d255bd1862d311bdbc9e137661e.exe	28
PID 2040 wrote to memory of 1984	2040	e080049a04127c2a5d21343098bbbaed79be0d255bd1862d311bdbc9e137661e.exe	28
PID 2040 wrote to memory of 1984	2040	e080049a04127c2a5d21343098bbbaed79be0d255bd1862d311bdbc9e137661e.exe	28
PID 2040 wrote to memory of 1984	2040	e080049a04127c2a5d21343098bbbaed79be0d255bd1862d311bdbc9e137661e.exe	28
PID 2040 wrote to memory of 1984	2040	e080049a04127c2a5d21343098bbbaed79be0d255bd1862d311bdbc9e137661e.exe	28
PID 2040 wrote to memory of 1984	2040	e080049a04127c2a5d21343098bbbaed79be0d255bd1862d311bdbc9e137661e.exe	28
PID 2040 wrote to memory of 1984	2040	e080049a04127c2a5d21343098bbbaed79be0d255bd1862d311bdbc9e137661e.exe	28
PID 1984 wrote to memory of 320	1984	SHOCKW~1.EXE	29
PID 1984 wrote to memory of 320	1984	SHOCKW~1.EXE	29
PID 1984 wrote to memory of 320	1984	SHOCKW~1.EXE	29
PID 1984 wrote to memory of 320	1984	SHOCKW~1.EXE	29
PID 1984 wrote to memory of 320	1984	SHOCKW~1.EXE	29
PID 1984 wrote to memory of 320	1984	SHOCKW~1.EXE	29
PID 1984 wrote to memory of 320	1984	SHOCKW~1.EXE	29
PID 1984 wrote to memory of 320	1984	SHOCKW~1.EXE	29
PID 1984 wrote to memory of 320	1984	SHOCKW~1.EXE	29
PID 1984 wrote to memory of 320	1984	SHOCKW~1.EXE	29
PID 1984 wrote to memory of 320	1984	SHOCKW~1.EXE	29
PID 1984 wrote to memory of 320	1984	SHOCKW~1.EXE	29
PID 320 wrote to memory of 1284	320	SHOCKW~1.EXE	16
PID 320 wrote to memory of 1284	320	SHOCKW~1.EXE	16

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284
- C:\Users\Admin\AppData\Local\Temp\e080049a04127c2a5d21343098bbbaed79be0d255bd1862d311bdbc9e137661e.exe
  "C:\Users\Admin\AppData\Local\Temp\e080049a04127c2a5d21343098bbbaed79be0d255bd1862d311bdbc9e137661e.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE

Filesize
588KB

MD5
93f0b71bd3f91b0aaa25d9ce79788470

SHA1
72612fb6047ee5fc250dd530d8ce8a76a1e690ec

SHA256
39915da99366fa52659211a8e793486859e034763a6ac7c48936d1c1c6da8aeb

SHA512
d0015ef597fc669a1855d14ee4d592b24bf7538d98efc2c18cb418bc3c7e8543edee4d5b8f1b3ae115a7bc2497f1fd32e48858958214e62513d4e7cbceb9d2cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE

Filesize
588KB

MD5
93f0b71bd3f91b0aaa25d9ce79788470

SHA1
72612fb6047ee5fc250dd530d8ce8a76a1e690ec

SHA256
39915da99366fa52659211a8e793486859e034763a6ac7c48936d1c1c6da8aeb

SHA512
d0015ef597fc669a1855d14ee4d592b24bf7538d98efc2c18cb418bc3c7e8543edee4d5b8f1b3ae115a7bc2497f1fd32e48858958214e62513d4e7cbceb9d2cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE

Filesize
588KB

MD5
93f0b71bd3f91b0aaa25d9ce79788470

SHA1
72612fb6047ee5fc250dd530d8ce8a76a1e690ec

SHA256
39915da99366fa52659211a8e793486859e034763a6ac7c48936d1c1c6da8aeb

SHA512
d0015ef597fc669a1855d14ee4d592b24bf7538d98efc2c18cb418bc3c7e8543edee4d5b8f1b3ae115a7bc2497f1fd32e48858958214e62513d4e7cbceb9d2cd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE

Filesize
588KB

MD5
93f0b71bd3f91b0aaa25d9ce79788470

SHA1
72612fb6047ee5fc250dd530d8ce8a76a1e690ec

SHA256
39915da99366fa52659211a8e793486859e034763a6ac7c48936d1c1c6da8aeb

SHA512
d0015ef597fc669a1855d14ee4d592b24bf7538d98efc2c18cb418bc3c7e8543edee4d5b8f1b3ae115a7bc2497f1fd32e48858958214e62513d4e7cbceb9d2cd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE

Filesize
588KB

MD5
93f0b71bd3f91b0aaa25d9ce79788470

SHA1
72612fb6047ee5fc250dd530d8ce8a76a1e690ec

SHA256
39915da99366fa52659211a8e793486859e034763a6ac7c48936d1c1c6da8aeb

SHA512
d0015ef597fc669a1855d14ee4d592b24bf7538d98efc2c18cb418bc3c7e8543edee4d5b8f1b3ae115a7bc2497f1fd32e48858958214e62513d4e7cbceb9d2cd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE

Filesize
588KB

MD5
93f0b71bd3f91b0aaa25d9ce79788470

SHA1
72612fb6047ee5fc250dd530d8ce8a76a1e690ec

SHA256
39915da99366fa52659211a8e793486859e034763a6ac7c48936d1c1c6da8aeb

SHA512
d0015ef597fc669a1855d14ee4d592b24bf7538d98efc2c18cb418bc3c7e8543edee4d5b8f1b3ae115a7bc2497f1fd32e48858958214e62513d4e7cbceb9d2cd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE

Filesize
588KB

MD5
93f0b71bd3f91b0aaa25d9ce79788470

SHA1
72612fb6047ee5fc250dd530d8ce8a76a1e690ec

SHA256
39915da99366fa52659211a8e793486859e034763a6ac7c48936d1c1c6da8aeb

SHA512
d0015ef597fc669a1855d14ee4d592b24bf7538d98efc2c18cb418bc3c7e8543edee4d5b8f1b3ae115a7bc2497f1fd32e48858958214e62513d4e7cbceb9d2cd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SHOCKW~1.EXE

Filesize
588KB

MD5
93f0b71bd3f91b0aaa25d9ce79788470

SHA1
72612fb6047ee5fc250dd530d8ce8a76a1e690ec

SHA256
39915da99366fa52659211a8e793486859e034763a6ac7c48936d1c1c6da8aeb

SHA512
d0015ef597fc669a1855d14ee4d592b24bf7538d98efc2c18cb418bc3c7e8543edee4d5b8f1b3ae115a7bc2497f1fd32e48858958214e62513d4e7cbceb9d2cd

Download Submit
memory/320-80-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/320-89-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/320-88-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/320-70-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/320-71-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/320-74-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/320-73-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/320-76-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/320-87-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/320-86-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/320-84-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2040-54-0x0000000001000000-0x00000000010E5F87-memory.dmp

Filesize
919KB

Download
memory/2040-85-0x0000000001000000-0x00000000010E5F87-memory.dmp

Filesize
919KB

Download
memory/2040-55-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/2040-67-0x00000000003B0000-0x0000000000496000-memory.dmp

Filesize
920KB

Download
memory/2040-56-0x0000000001000000-0x00000000010E5F87-memory.dmp

Filesize
919KB

Download
memory/2040-68-0x0000000001000000-0x00000000010E5F87-memory.dmp

Filesize
919KB

Download

Analysis

Sharing