f55d6185cd5a57c01417886d0eceab86c471556c20daa8a4d16bc3e8fc46378b

General

Target

f55d6185cd5a57c01417886d0eceab86c471556c20daa8a4d16bc3e8fc46378b.exe
Size

546KB
MD5

2896fa64fb2ad8f45a27a40b0be41462
SHA1

0918f5af9c99aa6cf83d3961900fa7933aeabed3
SHA256

f55d6185cd5a57c01417886d0eceab86c471556c20daa8a4d16bc3e8fc46378b
SHA512

cb2c8b433331ecd209ba03a0c7d216b2a172b6a73d19cf533718a1b0a6b08f26f284e94c562b6157c64ded74c4de76f46bb814869f6e18fca899baa102782f65
SSDEEP

12288:mHXt2ePglfKwx4EMvz9HqGwS5VMo6rffwe1rZ2:AXt2QXmS3uffn1Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1216	4.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1252-54-0x0000000001000000-0x000000000110A000-memory.dmp	vmprotect
behavioral1/memory/1252-56-0x0000000001000000-0x000000000110A000-memory.dmp	vmprotect
behavioral1/memory/1252-57-0x0000000001000000-0x000000000110A000-memory.dmp	vmprotect

Loads dropped DLL 3 IoCs

pid	Process
1252	f55d6185cd5a57c01417886d0eceab86c471556c20daa8a4d16bc3e8fc46378b.exe
1252	f55d6185cd5a57c01417886d0eceab86c471556c20daa8a4d16bc3e8fc46378b.exe
1216	4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f55d6185cd5a57c01417886d0eceab86c471556c20daa8a4d16bc3e8fc46378b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f55d6185cd5a57c01417886d0eceab86c471556c20daa8a4d16bc3e8fc46378b.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 1216	1252	f55d6185cd5a57c01417886d0eceab86c471556c20daa8a4d16bc3e8fc46378b.exe	28
PID 1252 wrote to memory of 1216	1252	f55d6185cd5a57c01417886d0eceab86c471556c20daa8a4d16bc3e8fc46378b.exe	28
PID 1252 wrote to memory of 1216	1252	f55d6185cd5a57c01417886d0eceab86c471556c20daa8a4d16bc3e8fc46378b.exe	28
PID 1252 wrote to memory of 1216	1252	f55d6185cd5a57c01417886d0eceab86c471556c20daa8a4d16bc3e8fc46378b.exe	28
PID 1252 wrote to memory of 1216	1252	f55d6185cd5a57c01417886d0eceab86c471556c20daa8a4d16bc3e8fc46378b.exe	28
PID 1252 wrote to memory of 1216	1252	f55d6185cd5a57c01417886d0eceab86c471556c20daa8a4d16bc3e8fc46378b.exe	28
PID 1252 wrote to memory of 1216	1252	f55d6185cd5a57c01417886d0eceab86c471556c20daa8a4d16bc3e8fc46378b.exe	28

C:\Users\Admin\AppData\Local\Temp\f55d6185cd5a57c01417886d0eceab86c471556c20daa8a4d16bc3e8fc46378b.exe
"C:\Users\Admin\AppData\Local\Temp\f55d6185cd5a57c01417886d0eceab86c471556c20daa8a4d16bc3e8fc46378b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
498KB

MD5
0e2fa3bd0ac3355b357a88aeb59d422a

SHA1
719e44ebb767ca6fad517aaba8e789ab84a697e9

SHA256
67f1fc4baf7df31fb76a62920d328dd0e838da0508ba00fd72a8b752fc1618ea

SHA512
eabc6280879241e7f5ae94da6015805bae3f68dfdbb76d15a344ac485e6d9018f4044a0ecbb1d528c1676418fad4f691d0c947ebb91da1c0c772449e3adda95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
498KB

MD5
0e2fa3bd0ac3355b357a88aeb59d422a

SHA1
719e44ebb767ca6fad517aaba8e789ab84a697e9

SHA256
67f1fc4baf7df31fb76a62920d328dd0e838da0508ba00fd72a8b752fc1618ea

SHA512
eabc6280879241e7f5ae94da6015805bae3f68dfdbb76d15a344ac485e6d9018f4044a0ecbb1d528c1676418fad4f691d0c947ebb91da1c0c772449e3adda95b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
498KB

MD5
0e2fa3bd0ac3355b357a88aeb59d422a

SHA1
719e44ebb767ca6fad517aaba8e789ab84a697e9

SHA256
67f1fc4baf7df31fb76a62920d328dd0e838da0508ba00fd72a8b752fc1618ea

SHA512
eabc6280879241e7f5ae94da6015805bae3f68dfdbb76d15a344ac485e6d9018f4044a0ecbb1d528c1676418fad4f691d0c947ebb91da1c0c772449e3adda95b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
498KB

MD5
0e2fa3bd0ac3355b357a88aeb59d422a

SHA1
719e44ebb767ca6fad517aaba8e789ab84a697e9

SHA256
67f1fc4baf7df31fb76a62920d328dd0e838da0508ba00fd72a8b752fc1618ea

SHA512
eabc6280879241e7f5ae94da6015805bae3f68dfdbb76d15a344ac485e6d9018f4044a0ecbb1d528c1676418fad4f691d0c947ebb91da1c0c772449e3adda95b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
498KB

MD5
0e2fa3bd0ac3355b357a88aeb59d422a

SHA1
719e44ebb767ca6fad517aaba8e789ab84a697e9

SHA256
67f1fc4baf7df31fb76a62920d328dd0e838da0508ba00fd72a8b752fc1618ea

SHA512
eabc6280879241e7f5ae94da6015805bae3f68dfdbb76d15a344ac485e6d9018f4044a0ecbb1d528c1676418fad4f691d0c947ebb91da1c0c772449e3adda95b

Download Submit
memory/1216-66-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1216-67-0x0000000000A40000-0x0000000000B39000-memory.dmp

Filesize
996KB

Download
memory/1216-69-0x0000000000A40000-0x0000000000B39000-memory.dmp

Filesize
996KB

Download
memory/1252-54-0x0000000001000000-0x000000000110A000-memory.dmp

Filesize
1.0MB

Download
memory/1252-57-0x0000000001000000-0x000000000110A000-memory.dmp

Filesize
1.0MB

Download
memory/1252-56-0x0000000001000000-0x000000000110A000-memory.dmp

Filesize
1.0MB

Download
memory/1252-55-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1252-65-0x00000000008F0000-0x00000000009E9000-memory.dmp

Filesize
996KB

Download
memory/1252-68-0x0000000000170000-0x000000000027A000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing