e940e6998f0991b5f74b8845945e290c502360f1c94a053ea0cea75da4bd62ed

General

Target

e940e6998f0991b5f74b8845945e290c502360f1c94a053ea0cea75da4bd62ed.exe
Size

804KB
MD5

3421a71784bf67bf04e837dc48ec35cb
SHA1

dd713e69db1bcf63990a5f6be48b5ced2f9fbc94
SHA256

e940e6998f0991b5f74b8845945e290c502360f1c94a053ea0cea75da4bd62ed
SHA512

0e9788db9784520536d3b6ddc9f3876acb7bb1a2b8f8852fe22e0f55f8f027bf04cd349f8941a31d3cb434f7c2050f5fd27d87e71fa64b1cb2fc4ebb26a606c7
SSDEEP

12288:9ODS6yD62Yuoj+WcWYTzlFbo8GYUW/Cvx/9gs/p3bC2kibkDciyUA:9wS6M65uZPDc9WKVXW2JF5

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1384	migamix2.exe
332	migamix2.exe

Loads dropped DLL 4 IoCs

pid	Process
1076	e940e6998f0991b5f74b8845945e290c502360f1c94a053ea0cea75da4bd62ed.exe
1384	migamix2.exe
1384	migamix2.exe
332	migamix2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e940e6998f0991b5f74b8845945e290c502360f1c94a053ea0cea75da4bd62ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e940e6998f0991b5f74b8845945e290c502360f1c94a053ea0cea75da4bd62ed.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\VERSION.dll	e940e6998f0991b5f74b8845945e290c502360f1c94a053ea0cea75da4bd62ed.exe
File opened for modification	C:\Windows\SysWOW64\ADVAPI32.dll	e940e6998f0991b5f74b8845945e290c502360f1c94a053ea0cea75da4bd62ed.exe
File opened for modification	C:\Windows\SysWOW64\COMCTL32.dll	e940e6998f0991b5f74b8845945e290c502360f1c94a053ea0cea75da4bd62ed.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1384 set thread context of 332	1384	migamix2.exe	29

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 1384	1076	e940e6998f0991b5f74b8845945e290c502360f1c94a053ea0cea75da4bd62ed.exe	28
PID 1076 wrote to memory of 1384	1076	e940e6998f0991b5f74b8845945e290c502360f1c94a053ea0cea75da4bd62ed.exe	28
PID 1076 wrote to memory of 1384	1076	e940e6998f0991b5f74b8845945e290c502360f1c94a053ea0cea75da4bd62ed.exe	28
PID 1076 wrote to memory of 1384	1076	e940e6998f0991b5f74b8845945e290c502360f1c94a053ea0cea75da4bd62ed.exe	28
PID 1076 wrote to memory of 1384	1076	e940e6998f0991b5f74b8845945e290c502360f1c94a053ea0cea75da4bd62ed.exe	28
PID 1076 wrote to memory of 1384	1076	e940e6998f0991b5f74b8845945e290c502360f1c94a053ea0cea75da4bd62ed.exe	28
PID 1076 wrote to memory of 1384	1076	e940e6998f0991b5f74b8845945e290c502360f1c94a053ea0cea75da4bd62ed.exe	28
PID 1384 wrote to memory of 332	1384	migamix2.exe	29
PID 1384 wrote to memory of 332	1384	migamix2.exe	29
PID 1384 wrote to memory of 332	1384	migamix2.exe	29
PID 1384 wrote to memory of 332	1384	migamix2.exe	29
PID 1384 wrote to memory of 332	1384	migamix2.exe	29
PID 1384 wrote to memory of 332	1384	migamix2.exe	29
PID 1384 wrote to memory of 332	1384	migamix2.exe	29
PID 1384 wrote to memory of 332	1384	migamix2.exe	29
PID 1384 wrote to memory of 332	1384	migamix2.exe	29
PID 1384 wrote to memory of 332	1384	migamix2.exe	29

C:\Users\Admin\AppData\Local\Temp\e940e6998f0991b5f74b8845945e290c502360f1c94a053ea0cea75da4bd62ed.exe
"C:\Users\Admin\AppData\Local\Temp\e940e6998f0991b5f74b8845945e290c502360f1c94a053ea0cea75da4bd62ed.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\migamix2.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\migamix2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\migamix2.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\migamix2.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\migamix2.exe

Filesize
70KB

MD5
6d51c2fb222c955c3a97c83690ff7069

SHA1
fc536f551c05d586b4b46c91b2a72b636583b87c

SHA256
32df40d7df3f38be14f89ba9a23cf424a71b1ca5841f790eda326d1031ae87ff

SHA512
d415f72d9c87310b3936a89f1beee08b7e662bc1e8f5fdf8a2bf381fef6f6f2b2d5a5a88bd9644d1b6763b7e55f0ced76ffea4e04f69c75a5e39835f2b786f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\migamix2.exe

Filesize
70KB

MD5
6d51c2fb222c955c3a97c83690ff7069

SHA1
fc536f551c05d586b4b46c91b2a72b636583b87c

SHA256
32df40d7df3f38be14f89ba9a23cf424a71b1ca5841f790eda326d1031ae87ff

SHA512
d415f72d9c87310b3936a89f1beee08b7e662bc1e8f5fdf8a2bf381fef6f6f2b2d5a5a88bd9644d1b6763b7e55f0ced76ffea4e04f69c75a5e39835f2b786f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\migamix2.exe

Filesize
70KB

MD5
6d51c2fb222c955c3a97c83690ff7069

SHA1
fc536f551c05d586b4b46c91b2a72b636583b87c

SHA256
32df40d7df3f38be14f89ba9a23cf424a71b1ca5841f790eda326d1031ae87ff

SHA512
d415f72d9c87310b3936a89f1beee08b7e662bc1e8f5fdf8a2bf381fef6f6f2b2d5a5a88bd9644d1b6763b7e55f0ced76ffea4e04f69c75a5e39835f2b786f42

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\migamix2.exe

Filesize
70KB

MD5
6d51c2fb222c955c3a97c83690ff7069

SHA1
fc536f551c05d586b4b46c91b2a72b636583b87c

SHA256
32df40d7df3f38be14f89ba9a23cf424a71b1ca5841f790eda326d1031ae87ff

SHA512
d415f72d9c87310b3936a89f1beee08b7e662bc1e8f5fdf8a2bf381fef6f6f2b2d5a5a88bd9644d1b6763b7e55f0ced76ffea4e04f69c75a5e39835f2b786f42

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\migamix2.exe

Filesize
70KB

MD5
6d51c2fb222c955c3a97c83690ff7069

SHA1
fc536f551c05d586b4b46c91b2a72b636583b87c

SHA256
32df40d7df3f38be14f89ba9a23cf424a71b1ca5841f790eda326d1031ae87ff

SHA512
d415f72d9c87310b3936a89f1beee08b7e662bc1e8f5fdf8a2bf381fef6f6f2b2d5a5a88bd9644d1b6763b7e55f0ced76ffea4e04f69c75a5e39835f2b786f42

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\migamix2.exe

Filesize
70KB

MD5
6d51c2fb222c955c3a97c83690ff7069

SHA1
fc536f551c05d586b4b46c91b2a72b636583b87c

SHA256
32df40d7df3f38be14f89ba9a23cf424a71b1ca5841f790eda326d1031ae87ff

SHA512
d415f72d9c87310b3936a89f1beee08b7e662bc1e8f5fdf8a2bf381fef6f6f2b2d5a5a88bd9644d1b6763b7e55f0ced76ffea4e04f69c75a5e39835f2b786f42

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\migamix2.exe

Filesize
70KB

MD5
6d51c2fb222c955c3a97c83690ff7069

SHA1
fc536f551c05d586b4b46c91b2a72b636583b87c

SHA256
32df40d7df3f38be14f89ba9a23cf424a71b1ca5841f790eda326d1031ae87ff

SHA512
d415f72d9c87310b3936a89f1beee08b7e662bc1e8f5fdf8a2bf381fef6f6f2b2d5a5a88bd9644d1b6763b7e55f0ced76ffea4e04f69c75a5e39835f2b786f42

Download Submit
memory/332-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/332-63-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/332-62-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/332-81-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/332-82-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/332-80-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/332-79-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/332-76-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1076-69-0x0000000001000000-0x00000000010D5000-memory.dmp

Filesize
852KB

Download
memory/1076-73-0x0000000000270000-0x0000000000285000-memory.dmp

Filesize
84KB

Download
memory/1076-78-0x0000000001000000-0x00000000010D5000-memory.dmp

Filesize
852KB

Download
memory/1076-71-0x0000000000810000-0x00000000008E5000-memory.dmp

Filesize
852KB

Download
memory/1076-54-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

Filesize
8KB

Download
memory/1384-74-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1384-75-0x00000000003E0000-0x00000000003F5000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing