91609cc26eb99f12c511a60144456c148cf2e5219882c36dcf403ec9cfa23d62

General

Target

91609cc26eb99f12c511a60144456c148cf2e5219882c36dcf403ec9cfa23d62.exe
Size

248KB
MD5

c2cfedb51cdb805c600985af29e13918
SHA1

89f4eadb77ece4b1da90faa12da466af1e5f3276
SHA256

91609cc26eb99f12c511a60144456c148cf2e5219882c36dcf403ec9cfa23d62
SHA512

31df38fe3323fcb526a851c945c31a56fba54aff2b74581c713007185114078f6324f7eb011e5a8c59ffd052cbaf94b4dec0a1752aaabb26a34dddfe1b01c4fe
SSDEEP

6144:wv8OCXmikdlT6vg1ozZhd08bLjHWkg64Htf7YRU0OwFf3Uot5:CmXSdlGqozZkmHWkgDsFOwRH5

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2008	1.exe

Loads dropped DLL 3 IoCs

pid	Process
1672	91609cc26eb99f12c511a60144456c148cf2e5219882c36dcf403ec9cfa23d62.exe
1672	91609cc26eb99f12c511a60144456c148cf2e5219882c36dcf403ec9cfa23d62.exe
2008	1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	91609cc26eb99f12c511a60144456c148cf2e5219882c36dcf403ec9cfa23d62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	91609cc26eb99f12c511a60144456c148cf2e5219882c36dcf403ec9cfa23d62.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2008	1.exe
2008	1.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2008	1672	91609cc26eb99f12c511a60144456c148cf2e5219882c36dcf403ec9cfa23d62.exe	28
PID 1672 wrote to memory of 2008	1672	91609cc26eb99f12c511a60144456c148cf2e5219882c36dcf403ec9cfa23d62.exe	28
PID 1672 wrote to memory of 2008	1672	91609cc26eb99f12c511a60144456c148cf2e5219882c36dcf403ec9cfa23d62.exe	28
PID 1672 wrote to memory of 2008	1672	91609cc26eb99f12c511a60144456c148cf2e5219882c36dcf403ec9cfa23d62.exe	28
PID 1672 wrote to memory of 2008	1672	91609cc26eb99f12c511a60144456c148cf2e5219882c36dcf403ec9cfa23d62.exe	28
PID 1672 wrote to memory of 2008	1672	91609cc26eb99f12c511a60144456c148cf2e5219882c36dcf403ec9cfa23d62.exe	28
PID 1672 wrote to memory of 2008	1672	91609cc26eb99f12c511a60144456c148cf2e5219882c36dcf403ec9cfa23d62.exe	28
PID 2008 wrote to memory of 1224	2008	1.exe	5
PID 2008 wrote to memory of 1224	2008	1.exe	5
PID 2008 wrote to memory of 1224	2008	1.exe	5
PID 2008 wrote to memory of 1224	2008	1.exe	5

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224
- C:\Users\Admin\AppData\Local\Temp\91609cc26eb99f12c511a60144456c148cf2e5219882c36dcf403ec9cfa23d62.exe
  "C:\Users\Admin\AppData\Local\Temp\91609cc26eb99f12c511a60144456c148cf2e5219882c36dcf403ec9cfa23d62.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
31KB

MD5
ecd3f3b4e259d27b7161ac1c38fd592d

SHA1
b10155fcf11ec48717ef3ed94d66e77efe418b37

SHA256
44f39488ed0fdf8e6b5747a471bea6716045adfea2bb327af8d8bbd55d8c8319

SHA512
4c4c743d5eb5c80af895f150a696ee7840380bacf52c28545b4196608b2b0d6b6828fbba3e0fa1b163caf4bb1c0eecc645545cf90891401f952929ca569ded08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
31KB

MD5
ecd3f3b4e259d27b7161ac1c38fd592d

SHA1
b10155fcf11ec48717ef3ed94d66e77efe418b37

SHA256
44f39488ed0fdf8e6b5747a471bea6716045adfea2bb327af8d8bbd55d8c8319

SHA512
4c4c743d5eb5c80af895f150a696ee7840380bacf52c28545b4196608b2b0d6b6828fbba3e0fa1b163caf4bb1c0eecc645545cf90891401f952929ca569ded08

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
31KB

MD5
ecd3f3b4e259d27b7161ac1c38fd592d

SHA1
b10155fcf11ec48717ef3ed94d66e77efe418b37

SHA256
44f39488ed0fdf8e6b5747a471bea6716045adfea2bb327af8d8bbd55d8c8319

SHA512
4c4c743d5eb5c80af895f150a696ee7840380bacf52c28545b4196608b2b0d6b6828fbba3e0fa1b163caf4bb1c0eecc645545cf90891401f952929ca569ded08

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
31KB

MD5
ecd3f3b4e259d27b7161ac1c38fd592d

SHA1
b10155fcf11ec48717ef3ed94d66e77efe418b37

SHA256
44f39488ed0fdf8e6b5747a471bea6716045adfea2bb327af8d8bbd55d8c8319

SHA512
4c4c743d5eb5c80af895f150a696ee7840380bacf52c28545b4196608b2b0d6b6828fbba3e0fa1b163caf4bb1c0eecc645545cf90891401f952929ca569ded08

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
31KB

MD5
ecd3f3b4e259d27b7161ac1c38fd592d

SHA1
b10155fcf11ec48717ef3ed94d66e77efe418b37

SHA256
44f39488ed0fdf8e6b5747a471bea6716045adfea2bb327af8d8bbd55d8c8319

SHA512
4c4c743d5eb5c80af895f150a696ee7840380bacf52c28545b4196608b2b0d6b6828fbba3e0fa1b163caf4bb1c0eecc645545cf90891401f952929ca569ded08

Download Submit
memory/1224-71-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1672-64-0x00000000001D0000-0x00000000001D4000-memory.dmp

Filesize
16KB

Download
memory/1672-54-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

Filesize
8KB

Download
memory/1672-55-0x0000000001000000-0x000000000103E000-memory.dmp

Filesize
248KB

Download
memory/1672-63-0x0000000001000000-0x000000000103E000-memory.dmp

Filesize
248KB

Download
memory/1672-65-0x0000000000390000-0x00000000003C9000-memory.dmp

Filesize
228KB

Download
memory/1672-66-0x0000000000AB0000-0x0000000000BB0000-memory.dmp

Filesize
1024KB

Download
memory/1672-67-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1672-68-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1672-76-0x0000000000390000-0x00000000003C9000-memory.dmp

Filesize
228KB

Download
memory/1672-75-0x0000000001000000-0x000000000103E000-memory.dmp

Filesize
248KB

Download
memory/2008-74-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2008-70-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/2008-69-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download

Analysis

Sharing