ad405548e707fce47e3f5a7e2b8915ea01882bc559df8d6fc9fd5653822e0390

General

Target

ad405548e707fce47e3f5a7e2b8915ea01882bc559df8d6fc9fd5653822e0390.exe
Size

1.0MB
MD5

68f6ccfc7adc1f07a3b2976a55bfe935
SHA1

d621d37d26429f90be4ddbc632da795951d1ccdd
SHA256

ad405548e707fce47e3f5a7e2b8915ea01882bc559df8d6fc9fd5653822e0390
SHA512

1bea3e9ab40ac3aa5c36a3ebf377c8a7e08e710c84e50ebe17116bfe6b3892444f7181d7dfb6067ecafe62a22b4cae6b9682910f0412e3d12185541d986b02f0
SSDEEP

24576:THm+yp+C2zCO5/9j/De22taI1yh+uPmcoMiSGgTuMLGCTT9:jrPC6CO5x/De22td1ShoPRwjf9

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3640	ctrl12.exe
1868	ctrl12.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ad405548e707fce47e3f5a7e2b8915ea01882bc559df8d6fc9fd5653822e0390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ad405548e707fce47e3f5a7e2b8915ea01882bc559df8d6fc9fd5653822e0390.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 3640	4760	ad405548e707fce47e3f5a7e2b8915ea01882bc559df8d6fc9fd5653822e0390.exe	80
PID 4760 wrote to memory of 3640	4760	ad405548e707fce47e3f5a7e2b8915ea01882bc559df8d6fc9fd5653822e0390.exe	80
PID 4760 wrote to memory of 3640	4760	ad405548e707fce47e3f5a7e2b8915ea01882bc559df8d6fc9fd5653822e0390.exe	80
PID 3640 wrote to memory of 2924	3640	ctrl12.exe	82
PID 3640 wrote to memory of 2924	3640	ctrl12.exe	82
PID 3640 wrote to memory of 2924	3640	ctrl12.exe	82
PID 2924 wrote to memory of 3924	2924	cmd.exe	83
PID 2924 wrote to memory of 3924	2924	cmd.exe	83
PID 2924 wrote to memory of 3924	2924	cmd.exe	83
PID 3924 wrote to memory of 1524	3924	cmd.exe	84
PID 3924 wrote to memory of 1524	3924	cmd.exe	84
PID 3924 wrote to memory of 1524	3924	cmd.exe	84
PID 2924 wrote to memory of 1716	2924	cmd.exe	85
PID 2924 wrote to memory of 1716	2924	cmd.exe	85
PID 2924 wrote to memory of 1716	2924	cmd.exe	85
PID 2924 wrote to memory of 2292	2924	cmd.exe	86
PID 2924 wrote to memory of 2292	2924	cmd.exe	86
PID 2924 wrote to memory of 2292	2924	cmd.exe	86
PID 2924 wrote to memory of 1868	2924	cmd.exe	87
PID 2924 wrote to memory of 1868	2924	cmd.exe	87
PID 2924 wrote to memory of 1868	2924	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\ad405548e707fce47e3f5a7e2b8915ea01882bc559df8d6fc9fd5653822e0390.exe
"C:\Users\Admin\AppData\Local\Temp\ad405548e707fce47e3f5a7e2b8915ea01882bc559df8d6fc9fd5653822e0390.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ctrl12.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ctrl12.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c MSCOMCF02D_.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG QUERY "HKCU\Software\Valve\Steam" /v SteamPath
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3924
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKCU\Software\Valve\Steam" /v SteamPath
        5⤵
        
        PID:1524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c TIME /T
      4⤵
      PID:1716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c date/T
      4⤵
      PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ctrl12.exe
      ctrl12.exe "msftqws.pzw_/d03458a5d0n3f7d8ec54c/10-12-Sat_1259_Admin.hdr" //Clientregistry.blob
      4⤵
      Executes dropped EXE
      PID:1868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSCOMCF02D_.bat

Filesize
754B

MD5
dabf7644854b35bfeb8c426ec3ca88f3

SHA1
4c8e0c9e3c2af131526380199e9c2ff616dc143c

SHA256
00dca29611b629e056e62383a86686d3c9c1f9e02110dd2f168b1c15c70639e2

SHA512
ec2939dce7e407583181a0e1d1f0b1c13c6d2b2814bf355d28e2c166588c23146a401ee4db763dfabe71defcadb4ebcbe258d656475ecf70a0c01b10b6bc3320

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ctrl12.exe

Filesize
55KB

MD5
f34b83f1cee18f80120e334da4e9c4a5

SHA1
1c0910760a2a56aedc5dd351ad4f64ad4736c281

SHA256
dab6bc838b06910f87f3803b36fe29379806b4942708fcd9f460eee20f5d9933

SHA512
56aeb61b2da3db837f5f91158d8d4e253979dd23cf798b4f38354317c10a944944d708f95f114ff1529873cafd2ab6b6455aa9853eb6c0b44340ba4d1d7c2bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ctrl12.exe

Filesize
55KB

MD5
f34b83f1cee18f80120e334da4e9c4a5

SHA1
1c0910760a2a56aedc5dd351ad4f64ad4736c281

SHA256
dab6bc838b06910f87f3803b36fe29379806b4942708fcd9f460eee20f5d9933

SHA512
56aeb61b2da3db837f5f91158d8d4e253979dd23cf798b4f38354317c10a944944d708f95f114ff1529873cafd2ab6b6455aa9853eb6c0b44340ba4d1d7c2bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ctrl12.exe

Filesize
55KB

MD5
f34b83f1cee18f80120e334da4e9c4a5

SHA1
1c0910760a2a56aedc5dd351ad4f64ad4736c281

SHA256
dab6bc838b06910f87f3803b36fe29379806b4942708fcd9f460eee20f5d9933

SHA512
56aeb61b2da3db837f5f91158d8d4e253979dd23cf798b4f38354317c10a944944d708f95f114ff1529873cafd2ab6b6455aa9853eb6c0b44340ba4d1d7c2bf2

Download Submit

Analysis

Sharing