7200486a9bdd4e3d98ecffd4df5b14c6d96010a0475e01930b11282ec679da5d

General

Target

7200486a9bdd4e3d98ecffd4df5b14c6d96010a0475e01930b11282ec679da5d.exe
Size

766KB
MD5

3a5b7b257f4f818707b3407801cd94c5
SHA1

0248a400144ceca30ca84aca4000129856b8f695
SHA256

7200486a9bdd4e3d98ecffd4df5b14c6d96010a0475e01930b11282ec679da5d
SHA512

a4546aba84bae37f077db0d8f68e59c09e223db04aff1fc83184b88521f95066a9cb6e5657ea714b802710a899eb58c2461b953042b38de0d75f40aa7eeeb93e
SSDEEP

12288:kMrPy90HTIZiFb7VnncPHGEemhWmkCIhceBVRh8l4pPaycPBf+SnzFNfq:bySIkFnVnaHGnmhW716qDEeyycZf+Snm

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4832	vGK11.exe
4636	vQA30.exe
4932	dUv39.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7200486a9bdd4e3d98ecffd4df5b14c6d96010a0475e01930b11282ec679da5d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7200486a9bdd4e3d98ecffd4df5b14c6d96010a0475e01930b11282ec679da5d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vGK11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vGK11.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vQA30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vQA30.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4932	dUv39.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 4832	2708	7200486a9bdd4e3d98ecffd4df5b14c6d96010a0475e01930b11282ec679da5d.exe	78
PID 2708 wrote to memory of 4832	2708	7200486a9bdd4e3d98ecffd4df5b14c6d96010a0475e01930b11282ec679da5d.exe	78
PID 2708 wrote to memory of 4832	2708	7200486a9bdd4e3d98ecffd4df5b14c6d96010a0475e01930b11282ec679da5d.exe	78
PID 4832 wrote to memory of 4636	4832	vGK11.exe	79
PID 4832 wrote to memory of 4636	4832	vGK11.exe	79
PID 4832 wrote to memory of 4636	4832	vGK11.exe	79
PID 4636 wrote to memory of 4932	4636	vQA30.exe	80
PID 4636 wrote to memory of 4932	4636	vQA30.exe	80
PID 4636 wrote to memory of 4932	4636	vQA30.exe	80

C:\Users\Admin\AppData\Local\Temp\7200486a9bdd4e3d98ecffd4df5b14c6d96010a0475e01930b11282ec679da5d.exe
"C:\Users\Admin\AppData\Local\Temp\7200486a9bdd4e3d98ecffd4df5b14c6d96010a0475e01930b11282ec679da5d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGK11.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGK11.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vQA30.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vQA30.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4636
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dUv39.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dUv39.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGK11.exe

Filesize
662KB

MD5
ff88d5f03f4cc374f0b3d4a1fcc5d65f

SHA1
0455314955f7b8e91ad497962733db950ea09579

SHA256
3d5f1e2aa025705aa66237fa3e70e450d64d9efd84978c9ea9c025a781c3624d

SHA512
34bd1fa51ea99416cd9ca0775f447047bc22fb13f09e335db129135c1bdb5dd029c060b4a4adf7f1551b70143e4b142bd2905259f5d2d1eb67533aa9436ff2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGK11.exe

Filesize
662KB

MD5
ff88d5f03f4cc374f0b3d4a1fcc5d65f

SHA1
0455314955f7b8e91ad497962733db950ea09579

SHA256
3d5f1e2aa025705aa66237fa3e70e450d64d9efd84978c9ea9c025a781c3624d

SHA512
34bd1fa51ea99416cd9ca0775f447047bc22fb13f09e335db129135c1bdb5dd029c060b4a4adf7f1551b70143e4b142bd2905259f5d2d1eb67533aa9436ff2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vQA30.exe

Filesize
517KB

MD5
06d3c910fa67fa67de4154db8749191f

SHA1
6de2733f5b5c14da501484d41b8e3612ad7fee25

SHA256
1627b5065d138589d2e17b1af19c8e9fbdf5def1cb3e7f4fc59b04314154203d

SHA512
3abfa958cd2b6a1ed52416ffd2d1b2685c93e988389a451d8d7bd80e2d1251b8501010cba0834ac9ecf30adfbfddc7558a02e568755f4156073781c53d87535b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vQA30.exe

Filesize
517KB

MD5
06d3c910fa67fa67de4154db8749191f

SHA1
6de2733f5b5c14da501484d41b8e3612ad7fee25

SHA256
1627b5065d138589d2e17b1af19c8e9fbdf5def1cb3e7f4fc59b04314154203d

SHA512
3abfa958cd2b6a1ed52416ffd2d1b2685c93e988389a451d8d7bd80e2d1251b8501010cba0834ac9ecf30adfbfddc7558a02e568755f4156073781c53d87535b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dUv39.exe

Filesize
295KB

MD5
d8dc91e4e92e8180ed954ad107ef273a

SHA1
71a90521a00c976b51a3bb871ae084ff7b82fd85

SHA256
1bf985d2fad051952b94362e61093806795a0b79ec6641e75cf9e194d770abd3

SHA512
772a25964a00375ea5ed6132b8d335e63d182f7744b8662aa99a4bd29f43a80e80f908bc17cd2f7351f5685b4de5844cea1b78f674b1fb0551e2ffd83b29020f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dUv39.exe

Filesize
295KB

MD5
d8dc91e4e92e8180ed954ad107ef273a

SHA1
71a90521a00c976b51a3bb871ae084ff7b82fd85

SHA256
1bf985d2fad051952b94362e61093806795a0b79ec6641e75cf9e194d770abd3

SHA512
772a25964a00375ea5ed6132b8d335e63d182f7744b8662aa99a4bd29f43a80e80f908bc17cd2f7351f5685b4de5844cea1b78f674b1fb0551e2ffd83b29020f

Download Submit
memory/4932-142-0x0000000002420000-0x000000000246B000-memory.dmp

Filesize
300KB

Download
memory/4932-141-0x0000000000A64000-0x0000000000A93000-memory.dmp

Filesize
188KB

Download
memory/4932-143-0x0000000000400000-0x00000000007A6000-memory.dmp

Filesize
3.6MB

Download
memory/4932-144-0x0000000000A64000-0x0000000000A93000-memory.dmp

Filesize
188KB

Download
memory/4932-145-0x0000000000400000-0x00000000007A6000-memory.dmp

Filesize
3.6MB

Download
memory/4932-146-0x0000000005130000-0x00000000056D4000-memory.dmp

Filesize
5.6MB

Download
memory/4932-147-0x00000000056E0000-0x0000000005CF8000-memory.dmp

Filesize
6.1MB

Download
memory/4932-148-0x0000000005010000-0x000000000511A000-memory.dmp

Filesize
1.0MB

Download
memory/4932-149-0x0000000002C80000-0x0000000002C92000-memory.dmp

Filesize
72KB

Download
memory/4932-150-0x0000000005D00000-0x0000000005D3C000-memory.dmp

Filesize
240KB

Download
memory/4932-151-0x00000000022E0000-0x0000000002372000-memory.dmp

Filesize
584KB

Download
memory/4932-152-0x0000000006210000-0x0000000006276000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing