2bfb0086fa161f5ee447cd96ffe25a1cee254683a927f887a2651a4a7847ef91

General

Target

2bfb0086fa161f5ee447cd96ffe25a1cee254683a927f887a2651a4a7847ef91.exe
Size

838KB
MD5

c82b84a491907fb27d40d03f188db034
SHA1

4aa9022dc53648134b425f26f7136947aad29901
SHA256

2bfb0086fa161f5ee447cd96ffe25a1cee254683a927f887a2651a4a7847ef91
SHA512

4d8474f303804f2d7be131102ae8966252c361dd260bd18c80eff812f8bee524e41e566bec6c49649911a315cbaebb0a210095a5486ee66c4cfa1b3cd1251656
SSDEEP

24576:vyrvHBF75mxS0XUKCgIG7wd7mYgb4pX4LJoNz:6LBtoVlIG7wd7mz4Sdg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
5040	vPM32.exe
1944	vqN82.exe
4308	dDy09.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vqN82.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2bfb0086fa161f5ee447cd96ffe25a1cee254683a927f887a2651a4a7847ef91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2bfb0086fa161f5ee447cd96ffe25a1cee254683a927f887a2651a4a7847ef91.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vPM32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vPM32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vqN82.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4308	dDy09.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 5040	448	2bfb0086fa161f5ee447cd96ffe25a1cee254683a927f887a2651a4a7847ef91.exe	80
PID 448 wrote to memory of 5040	448	2bfb0086fa161f5ee447cd96ffe25a1cee254683a927f887a2651a4a7847ef91.exe	80
PID 448 wrote to memory of 5040	448	2bfb0086fa161f5ee447cd96ffe25a1cee254683a927f887a2651a4a7847ef91.exe	80
PID 5040 wrote to memory of 1944	5040	vPM32.exe	82
PID 5040 wrote to memory of 1944	5040	vPM32.exe	82
PID 5040 wrote to memory of 1944	5040	vPM32.exe	82
PID 1944 wrote to memory of 4308	1944	vqN82.exe	84
PID 1944 wrote to memory of 4308	1944	vqN82.exe	84
PID 1944 wrote to memory of 4308	1944	vqN82.exe	84

C:\Users\Admin\AppData\Local\Temp\2bfb0086fa161f5ee447cd96ffe25a1cee254683a927f887a2651a4a7847ef91.exe
"C:\Users\Admin\AppData\Local\Temp\2bfb0086fa161f5ee447cd96ffe25a1cee254683a927f887a2651a4a7847ef91.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:448
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vPM32.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vPM32.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vqN82.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vqN82.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dDy09.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dDy09.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vPM32.exe

Filesize
734KB

MD5
acd08cde46e2ebf8bde6902b1db797fb

SHA1
c29285c77c4a6df9a814e39e10c8a3b5cf63ebcc

SHA256
20f4c06d18aff84ff5ead9bde7069ded1d79f3d07727ff6c9c678c7a3ec89d17

SHA512
9b8d4a8ed6286016bdde74e427cc8b2becda420b589efe21eab5b9e39254a0def897de4247bab21349a22be582ace89c8c578731f73289efb84ff9002026086e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vPM32.exe

Filesize
734KB

MD5
acd08cde46e2ebf8bde6902b1db797fb

SHA1
c29285c77c4a6df9a814e39e10c8a3b5cf63ebcc

SHA256
20f4c06d18aff84ff5ead9bde7069ded1d79f3d07727ff6c9c678c7a3ec89d17

SHA512
9b8d4a8ed6286016bdde74e427cc8b2becda420b589efe21eab5b9e39254a0def897de4247bab21349a22be582ace89c8c578731f73289efb84ff9002026086e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vqN82.exe

Filesize
589KB

MD5
00ff8b735fd97722eb6b36093a5a858a

SHA1
2fc53acbeadaea354fa4ef40cfc25e22bc1583f1

SHA256
1a0f19ad94c56dd3620a9122eb74614df451224964db9ba1e7f76d417ddcd5ab

SHA512
e90893a7cf6cf23d2b6918a32cbb8a2cec72fa25f8276c91f367b5d3dcb081214239dc17bc228ce0bbda2aaba278baef6c504a9f8e86b7098e8f36e1770dbff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vqN82.exe

Filesize
589KB

MD5
00ff8b735fd97722eb6b36093a5a858a

SHA1
2fc53acbeadaea354fa4ef40cfc25e22bc1583f1

SHA256
1a0f19ad94c56dd3620a9122eb74614df451224964db9ba1e7f76d417ddcd5ab

SHA512
e90893a7cf6cf23d2b6918a32cbb8a2cec72fa25f8276c91f367b5d3dcb081214239dc17bc228ce0bbda2aaba278baef6c504a9f8e86b7098e8f36e1770dbff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dDy09.exe

Filesize
485KB

MD5
b6bb42f4aa9721285b43a6adc19072b5

SHA1
dedc3f102b1fe01f7dbf458b93d0515e8ea23031

SHA256
75ca46cc315ec8fa53a488a1508573649f03ee7668568b6dcac411811addac59

SHA512
effa55712327b441c34025ecd2ea095aef7d6dbcb09de5891b2a4a1ee29af89a5827ba02ffb57bd77c6c680e8eca906ea68ecdd7f94fa6752dddadbcc20d8e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dDy09.exe

Filesize
485KB

MD5
b6bb42f4aa9721285b43a6adc19072b5

SHA1
dedc3f102b1fe01f7dbf458b93d0515e8ea23031

SHA256
75ca46cc315ec8fa53a488a1508573649f03ee7668568b6dcac411811addac59

SHA512
effa55712327b441c34025ecd2ea095aef7d6dbcb09de5891b2a4a1ee29af89a5827ba02ffb57bd77c6c680e8eca906ea68ecdd7f94fa6752dddadbcc20d8e64

Download Submit
memory/1944-135-0x0000000000000000-mapping.dmp

Download
memory/4308-142-0x0000000002160000-0x00000000021AB000-memory.dmp

Filesize
300KB

Download
memory/4308-138-0x0000000000000000-mapping.dmp

Download
memory/4308-141-0x0000000000514000-0x0000000000543000-memory.dmp

Filesize
188KB

Download
memory/4308-143-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4308-144-0x0000000004CD0000-0x0000000005274000-memory.dmp

Filesize
5.6MB

Download
memory/4308-145-0x0000000000514000-0x0000000000543000-memory.dmp

Filesize
188KB

Download
memory/4308-146-0x0000000005280000-0x0000000005898000-memory.dmp

Filesize
6.1MB

Download
memory/4308-147-0x00000000058B0000-0x00000000059BA000-memory.dmp

Filesize
1.0MB

Download
memory/4308-148-0x00000000059F0000-0x0000000005A02000-memory.dmp

Filesize
72KB

Download
memory/4308-149-0x0000000005A10000-0x0000000005A4C000-memory.dmp

Filesize
240KB

Download
memory/4308-150-0x0000000001F80000-0x0000000002012000-memory.dmp

Filesize
584KB

Download
memory/4308-151-0x0000000004B80000-0x0000000004BE6000-memory.dmp

Filesize
408KB

Download
memory/5040-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing