92958f168d4357f1ab210402c9b5f3bdf28c0349f367e37aea7869e053e82527

General

Target

92958f168d4357f1ab210402c9b5f3bdf28c0349f367e37aea7869e053e82527.exe
Size

233KB
MD5

72f925cf8855699e5cd41339bde7255c
SHA1

a224d46c690c6ee88befd14e9f1f662e2f80b258
SHA256

92958f168d4357f1ab210402c9b5f3bdf28c0349f367e37aea7869e053e82527
SHA512

c6184a6f8bd204e17847a08348e419cdc388823c75c1f0642d8889464d29ee388392a3883a0e6438c57f6c3a723a2d6c62d9e4c0c975b98b70dcb5770d57814b
SSDEEP

3072:FGu9BlfzWIbXWm+w0Je5RmtZo1Lds5jPEEOTjv0Z/dMNGfuaxJHIOShA3YloF1Tj:F/0uoU22Rds5b5kv0Z/sGTJHvIg

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4628	ppi.exe
636	ppi.exe
868	keygen.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e19-145.dat	upx
behavioral2/files/0x0006000000022e19-144.dat	upx
behavioral2/memory/868-147-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/868-149-0x0000000000400000-0x000000000046F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	92958f168d4357f1ab210402c9b5f3bdf28c0349f367e37aea7869e053e82527.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	92958f168d4357f1ab210402c9b5f3bdf28c0349f367e37aea7869e053e82527.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4628 set thread context of 636	4628	ppi.exe	81

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	980	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	980	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4628	ppi.exe
636	ppi.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 4628	2424	92958f168d4357f1ab210402c9b5f3bdf28c0349f367e37aea7869e053e82527.exe	79
PID 2424 wrote to memory of 4628	2424	92958f168d4357f1ab210402c9b5f3bdf28c0349f367e37aea7869e053e82527.exe	79
PID 2424 wrote to memory of 4628	2424	92958f168d4357f1ab210402c9b5f3bdf28c0349f367e37aea7869e053e82527.exe	79
PID 4628 wrote to memory of 636	4628	ppi.exe	81
PID 4628 wrote to memory of 636	4628	ppi.exe	81
PID 4628 wrote to memory of 636	4628	ppi.exe	81
PID 4628 wrote to memory of 636	4628	ppi.exe	81
PID 4628 wrote to memory of 636	4628	ppi.exe	81
PID 4628 wrote to memory of 636	4628	ppi.exe	81
PID 4628 wrote to memory of 636	4628	ppi.exe	81
PID 4628 wrote to memory of 636	4628	ppi.exe	81
PID 2424 wrote to memory of 868	2424	92958f168d4357f1ab210402c9b5f3bdf28c0349f367e37aea7869e053e82527.exe	80
PID 2424 wrote to memory of 868	2424	92958f168d4357f1ab210402c9b5f3bdf28c0349f367e37aea7869e053e82527.exe	80
PID 2424 wrote to memory of 868	2424	92958f168d4357f1ab210402c9b5f3bdf28c0349f367e37aea7869e053e82527.exe	80

C:\Users\Admin\AppData\Local\Temp\92958f168d4357f1ab210402c9b5f3bdf28c0349f367e37aea7869e053e82527.exe
"C:\Users\Admin\AppData\Local\Temp\92958f168d4357f1ab210402c9b5f3bdf28c0349f367e37aea7869e053e82527.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:636
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\keygen.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\keygen.exe
  2⤵
  - Executes dropped EXE
  PID:868

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x30c 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\keygen.exe

Filesize
82KB

MD5
6498858395d627c8bb03f6ff26775616

SHA1
c3257460699ce835074639772d3ff68bd49e6de6

SHA256
9f5fc2783be52f71f4a7c4d4f354525ae55d45eba76c6b51ca7e159d1dbedaea

SHA512
5d19fc4e610abb81d04ffe6415e8523be1e08162ab6ed20dbcf8c218dc0da4f669067c0d9bd35fe95d00307d2e8c7eb1e270c6f11d7ca1a053acd5de00d41cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\keygen.exe

Filesize
82KB

MD5
6498858395d627c8bb03f6ff26775616

SHA1
c3257460699ce835074639772d3ff68bd49e6de6

SHA256
9f5fc2783be52f71f4a7c4d4f354525ae55d45eba76c6b51ca7e159d1dbedaea

SHA512
5d19fc4e610abb81d04ffe6415e8523be1e08162ab6ed20dbcf8c218dc0da4f669067c0d9bd35fe95d00307d2e8c7eb1e270c6f11d7ca1a053acd5de00d41cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe

Filesize
316KB

MD5
884627f37f400e125c84384e9a4f9346

SHA1
183605e13894923ac8a504a4083c272af3e8ff92

SHA256
adbb70f4f49f6cf5ae7d65c21470fcdbdd9360f69c6cfd104d336fd1f59a6ae1

SHA512
ebab733ad35482e9a7720e4295df0fa37690adef3b9bf93b5c775e0d1843bf2c41aa81c832c6f75eac919dc29deb07a44771c580fa59caaffdb7737ad849f092

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe

Filesize
316KB

MD5
884627f37f400e125c84384e9a4f9346

SHA1
183605e13894923ac8a504a4083c272af3e8ff92

SHA256
adbb70f4f49f6cf5ae7d65c21470fcdbdd9360f69c6cfd104d336fd1f59a6ae1

SHA512
ebab733ad35482e9a7720e4295df0fa37690adef3b9bf93b5c775e0d1843bf2c41aa81c832c6f75eac919dc29deb07a44771c580fa59caaffdb7737ad849f092

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe

Filesize
316KB

MD5
884627f37f400e125c84384e9a4f9346

SHA1
183605e13894923ac8a504a4083c272af3e8ff92

SHA256
adbb70f4f49f6cf5ae7d65c21470fcdbdd9360f69c6cfd104d336fd1f59a6ae1

SHA512
ebab733ad35482e9a7720e4295df0fa37690adef3b9bf93b5c775e0d1843bf2c41aa81c832c6f75eac919dc29deb07a44771c580fa59caaffdb7737ad849f092

Download Submit
memory/636-146-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/636-148-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/636-138-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/636-137-0x0000000000000000-mapping.dmp

Download
memory/868-143-0x0000000000000000-mapping.dmp

Download
memory/868-147-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/868-149-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4628-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing