503e6dd99a92cd5b6045e37fde6626c219d9466b534906b7ddccb729d91b2f34

General

Target

503e6dd99a92cd5b6045e37fde6626c219d9466b534906b7ddccb729d91b2f34.exe
Size

781KB
MD5

12140265e812756acf32e1a81774f77a
SHA1

3616d86bd9e6d4cf51dca68135da81736766f0dd
SHA256

503e6dd99a92cd5b6045e37fde6626c219d9466b534906b7ddccb729d91b2f34
SHA512

97471ad4b21dc70888bf05c62a1a961216eeba34eaae1b3da54e618561e72ab5288a2490064cf5fd37bb3aa579b9f3f7ca926c90e5ef952bbcaa91f5fe3b9aa9
SSDEEP

12288:vMr2y90qgFFukn/Tm7R8X84BUBZlCa1nhgVhWRdApDW/zR5/XZUranwqUFO:hyLa1/Tm7ROutOPwd5/pU+nwqUQ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
528	vct58.exe
3848	vta85.exe
3080	dup98.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vct58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vct58.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vta85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vta85.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	503e6dd99a92cd5b6045e37fde6626c219d9466b534906b7ddccb729d91b2f34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	503e6dd99a92cd5b6045e37fde6626c219d9466b534906b7ddccb729d91b2f34.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 528	3412	503e6dd99a92cd5b6045e37fde6626c219d9466b534906b7ddccb729d91b2f34.exe	80
PID 3412 wrote to memory of 528	3412	503e6dd99a92cd5b6045e37fde6626c219d9466b534906b7ddccb729d91b2f34.exe	80
PID 3412 wrote to memory of 528	3412	503e6dd99a92cd5b6045e37fde6626c219d9466b534906b7ddccb729d91b2f34.exe	80
PID 528 wrote to memory of 3848	528	vct58.exe	81
PID 528 wrote to memory of 3848	528	vct58.exe	81
PID 528 wrote to memory of 3848	528	vct58.exe	81
PID 3848 wrote to memory of 3080	3848	vta85.exe	82
PID 3848 wrote to memory of 3080	3848	vta85.exe	82
PID 3848 wrote to memory of 3080	3848	vta85.exe	82

C:\Users\Admin\AppData\Local\Temp\503e6dd99a92cd5b6045e37fde6626c219d9466b534906b7ddccb729d91b2f34.exe
"C:\Users\Admin\AppData\Local\Temp\503e6dd99a92cd5b6045e37fde6626c219d9466b534906b7ddccb729d91b2f34.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vct58.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vct58.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vta85.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vta85.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3848
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dup98.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dup98.exe
      4⤵
      Executes dropped EXE
      PID:3080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vct58.exe

Filesize
677KB

MD5
91c9623a9d02ecc37e33aefcb1a64342

SHA1
87fc3a0fd8189b61561cddaa049b0e18a5c9d40e

SHA256
5eb0f19aca288acb444faf17502974f8a16254f2a2754933c6410dcd43325155

SHA512
2514145ced516a401b38a269bee481b1179b2add3eda7a3e51e08f55ffd51c81ab0000d5afa26f162537eb52d79518224b1d05e95ad6e1025370163ca7295b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vct58.exe

Filesize
677KB

MD5
91c9623a9d02ecc37e33aefcb1a64342

SHA1
87fc3a0fd8189b61561cddaa049b0e18a5c9d40e

SHA256
5eb0f19aca288acb444faf17502974f8a16254f2a2754933c6410dcd43325155

SHA512
2514145ced516a401b38a269bee481b1179b2add3eda7a3e51e08f55ffd51c81ab0000d5afa26f162537eb52d79518224b1d05e95ad6e1025370163ca7295b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vta85.exe

Filesize
532KB

MD5
ff1c65618d9eccd12e4671edc6aefa68

SHA1
b67e2b1740374bb39f21d3bb2c5dfbb0250414e5

SHA256
a98cef5fd8791f82f547d75ed3bd5de1f5a4bd3398801928e28b565c274cdaf0

SHA512
3c2b03d4c071283fe92ab212b3d19f4a23bb397b9f008d7960ac9048653c1952bb8f6e0eec65ac10ababdcdd0b226f8946cd09c2ab37260236878bb4d802bc45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vta85.exe

Filesize
532KB

MD5
ff1c65618d9eccd12e4671edc6aefa68

SHA1
b67e2b1740374bb39f21d3bb2c5dfbb0250414e5

SHA256
a98cef5fd8791f82f547d75ed3bd5de1f5a4bd3398801928e28b565c274cdaf0

SHA512
3c2b03d4c071283fe92ab212b3d19f4a23bb397b9f008d7960ac9048653c1952bb8f6e0eec65ac10ababdcdd0b226f8946cd09c2ab37260236878bb4d802bc45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dup98.exe

Filesize
338KB

MD5
cb2d93db92499f0d807e5de936216415

SHA1
6599f128b4914dfa7085a114f765f28ab2383366

SHA256
8b784da006ef6549b3db738ed63352e81be6cf5941330388e02b72ec188c41f6

SHA512
af7c64d82e6d728cbbaf73e39f3f5203a6a575e06dd8e847f937460df83aeadc1599d45e6edc1af35bef60ac899e369f96b181932e25bce850fe179a05e6ba66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dup98.exe

Filesize
338KB

MD5
cb2d93db92499f0d807e5de936216415

SHA1
6599f128b4914dfa7085a114f765f28ab2383366

SHA256
8b784da006ef6549b3db738ed63352e81be6cf5941330388e02b72ec188c41f6

SHA512
af7c64d82e6d728cbbaf73e39f3f5203a6a575e06dd8e847f937460df83aeadc1599d45e6edc1af35bef60ac899e369f96b181932e25bce850fe179a05e6ba66

Download Submit
memory/3080-141-0x0000000000AE3000-0x0000000000B12000-memory.dmp

Filesize
188KB

Download
memory/3080-142-0x00000000008D0000-0x000000000091B000-memory.dmp

Filesize
300KB

Download
memory/3080-143-0x0000000000AE3000-0x0000000000B12000-memory.dmp

Filesize
188KB

Download
memory/3080-144-0x0000000000400000-0x00000000007B1000-memory.dmp

Filesize
3.7MB

Download

Analysis

Sharing