51a26615359fa83ea8687290e2141f753b6969e1905c5aa78bf2c1708904806c

General

Target

91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe
Size

420KB
MD5

1517814c4d44cc632abb52d2d6307f15
SHA1

9ee0404b76fe5bda2692f049bb9fc78e17240708
SHA256

91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac
SHA512

34e0804548803b4ece092061dc287078f5853b9d73d7759b403fdc5bbc4141ddad2b146c06edf8dbaa5ce055c62e1106e91df05a7866402f47be6f28acddaf7a
SSDEEP

6144:QjbeiyDBJNEeHfZEW6GH5W288L5ABAYRb+m112Mppeaibjz90645wZUS+:Qu1PzgGH5W28oANn112tLOE+

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

1.xyz

pid process

1116 1.xyz

pid	process
1116	1.xyz

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz	upx
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz	upx
behavioral1/memory/1116-67-0x0000000000400000-0x0000000001400000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz	upx

Drops startup file 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Loads dropped DLL 3 IoCs

Processes:

91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe1.xyz

pid	process
1120	91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe
1120	91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe
1116	1.xyz

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1.xyz

pid process

1116 1.xyz
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1.xyz

pid process

1116 1.xyz
1116 1.xyz

pid	process
1116	1.xyz

pid	process
1116	1.xyz
1116	1.xyz

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe1.xyz

description	pid	process	target process
PID 1120 wrote to memory of 1116	1120	91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe	1.xyz
PID 1120 wrote to memory of 1116	1120	91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe	1.xyz
PID 1120 wrote to memory of 1116	1120	91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe	1.xyz
PID 1120 wrote to memory of 1116	1120	91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe	1.xyz
PID 1120 wrote to memory of 1116	1120	91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe	1.xyz
PID 1120 wrote to memory of 1116	1120	91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe	1.xyz
PID 1120 wrote to memory of 1116	1120	91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe	1.xyz
PID 1116 wrote to memory of 1740	1116	1.xyz	cmd.exe
PID 1116 wrote to memory of 1740	1116	1.xyz	cmd.exe
PID 1116 wrote to memory of 1740	1116	1.xyz	cmd.exe
PID 1116 wrote to memory of 1740	1116	1.xyz	cmd.exe
PID 1116 wrote to memory of 1740	1116	1.xyz	cmd.exe
PID 1116 wrote to memory of 1740	1116	1.xyz	cmd.exe
PID 1116 wrote to memory of 1740	1116	1.xyz	cmd.exe
PID 1116 wrote to memory of 1724	1116	1.xyz	cmd.exe
PID 1116 wrote to memory of 1724	1116	1.xyz	cmd.exe
PID 1116 wrote to memory of 1724	1116	1.xyz	cmd.exe
PID 1116 wrote to memory of 1724	1116	1.xyz	cmd.exe
PID 1116 wrote to memory of 1724	1116	1.xyz	cmd.exe
PID 1116 wrote to memory of 1724	1116	1.xyz	cmd.exe
PID 1116 wrote to memory of 1724	1116	1.xyz	cmd.exe

C:\Users\Admin\AppData\Local\Temp\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe
"C:\Users\Admin\AppData\Local\Temp\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
3⤵
- Drops startup file
PID:1740

C:\Windows\SysWOW64\cmd.exe
/c net stop MpsSvc
3⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
3⤵
PID:2008

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xy_
Filesize
132KB

MD5
4b28fc60df0738257092268a36fe321e

SHA1
f3440893908f4e59099664ce0abd323ada87e05c

SHA256
7b7170132465e0f87bf9a411324a07c27dd49268f4e9fd8f9d2b61e703b4bd29

SHA512
9335d367203da5d9cb452ca12eda00aa26ce451b0ed5d4fea3fbe1cee258b35b983ce96f25745855063fd35f065ed865cce9e9053c5bb29f1b97db6e31e5cb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
Filesize
212KB

MD5
b2af3b332d92fc09b79c4bf85263fd22

SHA1
cbb3c3a4b17ba2888cfd0b96f59a5bc454d4ef32

SHA256
b9dd8dfdb9a3fd61b2acffe0018cdf99b02c97025ae0d41a7aac7c9d76647b58

SHA512
b6d7271b1b0e7285bff25b8edb0f31cc7076bbbf611a4bfa9a457463c38ba7d0f5694f89b18a5b26b0f793e76dc0a0e5279dbf4cf976a6b52787157523e17932

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
Filesize
212KB

MD5
b2af3b332d92fc09b79c4bf85263fd22

SHA1
cbb3c3a4b17ba2888cfd0b96f59a5bc454d4ef32

SHA256
b9dd8dfdb9a3fd61b2acffe0018cdf99b02c97025ae0d41a7aac7c9d76647b58

SHA512
b6d7271b1b0e7285bff25b8edb0f31cc7076bbbf611a4bfa9a457463c38ba7d0f5694f89b18a5b26b0f793e76dc0a0e5279dbf4cf976a6b52787157523e17932

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
Filesize
212KB

MD5
b2af3b332d92fc09b79c4bf85263fd22

SHA1
cbb3c3a4b17ba2888cfd0b96f59a5bc454d4ef32

SHA256
b9dd8dfdb9a3fd61b2acffe0018cdf99b02c97025ae0d41a7aac7c9d76647b58

SHA512
b6d7271b1b0e7285bff25b8edb0f31cc7076bbbf611a4bfa9a457463c38ba7d0f5694f89b18a5b26b0f793e76dc0a0e5279dbf4cf976a6b52787157523e17932

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
Filesize
212KB

MD5
b2af3b332d92fc09b79c4bf85263fd22

SHA1
cbb3c3a4b17ba2888cfd0b96f59a5bc454d4ef32

SHA256
b9dd8dfdb9a3fd61b2acffe0018cdf99b02c97025ae0d41a7aac7c9d76647b58

SHA512
b6d7271b1b0e7285bff25b8edb0f31cc7076bbbf611a4bfa9a457463c38ba7d0f5694f89b18a5b26b0f793e76dc0a0e5279dbf4cf976a6b52787157523e17932

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
Filesize
212KB

MD5
b2af3b332d92fc09b79c4bf85263fd22

SHA1
cbb3c3a4b17ba2888cfd0b96f59a5bc454d4ef32

SHA256
b9dd8dfdb9a3fd61b2acffe0018cdf99b02c97025ae0d41a7aac7c9d76647b58

SHA512
b6d7271b1b0e7285bff25b8edb0f31cc7076bbbf611a4bfa9a457463c38ba7d0f5694f89b18a5b26b0f793e76dc0a0e5279dbf4cf976a6b52787157523e17932

Download Submit
memory/1116-68-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1116-67-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1116-57-0x0000000000000000-mapping.dmp

Download
memory/1116-76-0x0000000000270000-0x0000000000275000-memory.dmp

Filesize
20KB

Download
memory/1120-64-0x0000000002470000-0x0000000003470000-memory.dmp

Filesize
16.0MB

Download
memory/1120-65-0x0000000002470000-0x0000000003470000-memory.dmp

Filesize
16.0MB

Download
memory/1120-66-0x0000000002470000-0x0000000003470000-memory.dmp

Filesize
16.0MB

Download
memory/1120-54-0x0000000075E71000-0x0000000075E73000-memory.dmp

Filesize
8KB

Download
memory/1724-69-0x0000000000000000-mapping.dmp

Download
memory/1740-62-0x0000000000000000-mapping.dmp

Download
memory/2008-71-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2008-72-0x0000000000400000-0x0000000001080000-memory.dmp

Filesize
12.5MB

Download
memory/2008-73-0x0000000000400000-0x0000000001080000-memory.dmp

Filesize
12.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads