9db89ee5936d4cae0e3dfd2db544843af796bf43e5a00768e00d2ed6f6127525

General

Target

9db89ee5936d4cae0e3dfd2db544843af796bf43e5a00768e00d2ed6f6127525.exe
Size

1.2MB
MD5

ba90928dd8042ee77e5df1b93e40274f
SHA1

132a70a0120715c225ca9430a899681e96393400
SHA256

9db89ee5936d4cae0e3dfd2db544843af796bf43e5a00768e00d2ed6f6127525
SHA512

52f5fef81010206dee074d47abaaf694e1d5cd127a512fa5c74ae830ce58eef7c31a24a721fa811a3bdb1d2bfa9fc164768b1fcc875bd13f7f61f6a1d78c7a13
SSDEEP

24576:IydZDVti4OzGfmKfb3hZHlK+OHFvsDUgVfodjAwzj3/wXlsJQoW/8L:PdpVti46OnT3XHlPOHJ+XVfmpjvw1smo

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

z62027351.exez12300861.exez92255667.exes47451374.exe

pid process

4112 z62027351.exe
1892 z12300861.exe
2340 z92255667.exe
1364 s47451374.exe

pid	process
4112	z62027351.exe
1892	z12300861.exe
2340	z92255667.exe
1364	s47451374.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9db89ee5936d4cae0e3dfd2db544843af796bf43e5a00768e00d2ed6f6127525.exez62027351.exez12300861.exez92255667.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9db89ee5936d4cae0e3dfd2db544843af796bf43e5a00768e00d2ed6f6127525.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z62027351.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z62027351.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z12300861.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z12300861.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z92255667.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z92255667.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9db89ee5936d4cae0e3dfd2db544843af796bf43e5a00768e00d2ed6f6127525.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s47451374.exe

description pid process

Token: SeDebugPrivilege 1364 s47451374.exe

description	pid	process
Token: SeDebugPrivilege	1364	s47451374.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9db89ee5936d4cae0e3dfd2db544843af796bf43e5a00768e00d2ed6f6127525.exez62027351.exez12300861.exez92255667.exe

description	pid	process	target process
PID 3748 wrote to memory of 4112	3748	9db89ee5936d4cae0e3dfd2db544843af796bf43e5a00768e00d2ed6f6127525.exe	z62027351.exe
PID 3748 wrote to memory of 4112	3748	9db89ee5936d4cae0e3dfd2db544843af796bf43e5a00768e00d2ed6f6127525.exe	z62027351.exe
PID 3748 wrote to memory of 4112	3748	9db89ee5936d4cae0e3dfd2db544843af796bf43e5a00768e00d2ed6f6127525.exe	z62027351.exe
PID 4112 wrote to memory of 1892	4112	z62027351.exe	z12300861.exe
PID 4112 wrote to memory of 1892	4112	z62027351.exe	z12300861.exe
PID 4112 wrote to memory of 1892	4112	z62027351.exe	z12300861.exe
PID 1892 wrote to memory of 2340	1892	z12300861.exe	z92255667.exe
PID 1892 wrote to memory of 2340	1892	z12300861.exe	z92255667.exe
PID 1892 wrote to memory of 2340	1892	z12300861.exe	z92255667.exe
PID 2340 wrote to memory of 1364	2340	z92255667.exe	s47451374.exe
PID 2340 wrote to memory of 1364	2340	z92255667.exe	s47451374.exe
PID 2340 wrote to memory of 1364	2340	z92255667.exe	s47451374.exe

C:\Users\Admin\AppData\Local\Temp\9db89ee5936d4cae0e3dfd2db544843af796bf43e5a00768e00d2ed6f6127525.exe
"C:\Users\Admin\AppData\Local\Temp\9db89ee5936d4cae0e3dfd2db544843af796bf43e5a00768e00d2ed6f6127525.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3748

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z62027351.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z62027351.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4112

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z12300861.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z12300861.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1892

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z92255667.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z92255667.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2340

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s47451374.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s47451374.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z62027351.exe
Filesize
1.0MB

MD5
481d22095d3bb0ff46daa18c97c2b878

SHA1
a218b3de8c8543615cabaade49837037301226cf

SHA256
c9b05e9c3ee606b6af1fe28d090b077a4fd35dd3091108304362260e069adfc8

SHA512
77ba6eb08a277c53172f556b3c1bc7a8448b7733905d1662e056d61c179173e6b80e401bdf79d5e5a26b6fd19840ae4bb8f698a0b71de36d3104b8f6942079bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z62027351.exe
Filesize
1.0MB

MD5
481d22095d3bb0ff46daa18c97c2b878

SHA1
a218b3de8c8543615cabaade49837037301226cf

SHA256
c9b05e9c3ee606b6af1fe28d090b077a4fd35dd3091108304362260e069adfc8

SHA512
77ba6eb08a277c53172f556b3c1bc7a8448b7733905d1662e056d61c179173e6b80e401bdf79d5e5a26b6fd19840ae4bb8f698a0b71de36d3104b8f6942079bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z12300861.exe
Filesize
760KB

MD5
7e730bc26a0d6c327a80abb4c5fdb920

SHA1
27721cc8a8f9c544ce478b0368e9c0a73b85bf39

SHA256
ebc9a2acfbbefef03142f21dea01d2fd5aa3ff5be16b7b1b89413e7f24ad96b0

SHA512
192e3cd457fa55b74e9b9a960ef1e186df132b2e639d34eead0915b4b66b5d576f2794d9667fbe0017013cf64f72cd9a20dc0724c13ca7abc48c857acd7ff759

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z12300861.exe
Filesize
760KB

MD5
7e730bc26a0d6c327a80abb4c5fdb920

SHA1
27721cc8a8f9c544ce478b0368e9c0a73b85bf39

SHA256
ebc9a2acfbbefef03142f21dea01d2fd5aa3ff5be16b7b1b89413e7f24ad96b0

SHA512
192e3cd457fa55b74e9b9a960ef1e186df132b2e639d34eead0915b4b66b5d576f2794d9667fbe0017013cf64f72cd9a20dc0724c13ca7abc48c857acd7ff759

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z92255667.exe
Filesize
578KB

MD5
a05596ae0274bce308a7ea7a375068dc

SHA1
30f7aede4fc6ef8419e4269c6489f9be439142e2

SHA256
9bb95d8858e84bb5798a6439024f4b1c0f1d73a866db202b513401e529b29ea8

SHA512
3b8eb91719ad639596a55b852f27133a2ff61c48a6b2ed172bfc05dabbeec480c562d6fdf3d61f977a1b5a996710c13787578ada304907070f9ae0021ace3686

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z92255667.exe
Filesize
578KB

MD5
a05596ae0274bce308a7ea7a375068dc

SHA1
30f7aede4fc6ef8419e4269c6489f9be439142e2

SHA256
9bb95d8858e84bb5798a6439024f4b1c0f1d73a866db202b513401e529b29ea8

SHA512
3b8eb91719ad639596a55b852f27133a2ff61c48a6b2ed172bfc05dabbeec480c562d6fdf3d61f977a1b5a996710c13787578ada304907070f9ae0021ace3686

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s47451374.exe
Filesize
575KB

MD5
67c9a573f02ba562366bfc9995ac1909

SHA1
446500cbf6e258fb35ebc602d3cdc926bd639c1e

SHA256
09f385c1b1ecf005ab4b28b187bb510cfecddb2884355aa319a409c7392ff057

SHA512
48a1440239adc8dd5d4c2793df94f14ff6d7773e74039c7d35ff0b3da70670540aadc608bf0d49a29a68de2ca7f1ba9332a2567702bc6ede8cbec9be32b6ac79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s47451374.exe
Filesize
575KB

MD5
67c9a573f02ba562366bfc9995ac1909

SHA1
446500cbf6e258fb35ebc602d3cdc926bd639c1e

SHA256
09f385c1b1ecf005ab4b28b187bb510cfecddb2884355aa319a409c7392ff057

SHA512
48a1440239adc8dd5d4c2793df94f14ff6d7773e74039c7d35ff0b3da70670540aadc608bf0d49a29a68de2ca7f1ba9332a2567702bc6ede8cbec9be32b6ac79

Download Submit
memory/1364-162-0x0000000000910000-0x000000000096B000-memory.dmp

Filesize
364KB

Download
memory/1364-163-0x0000000000400000-0x0000000000835000-memory.dmp

Filesize
4.2MB

Download
memory/1364-164-0x0000000000910000-0x000000000096B000-memory.dmp

Filesize
364KB

Download
memory/1364-165-0x0000000000400000-0x0000000000835000-memory.dmp

Filesize
4.2MB

Download
memory/1364-167-0x0000000000400000-0x0000000000835000-memory.dmp

Filesize
4.2MB

Download
memory/1364-169-0x0000000005140000-0x00000000056E4000-memory.dmp

Filesize
5.6MB

Download
memory/1364-170-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/1364-171-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/1364-173-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/1364-174-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/1364-175-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/1364-176-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-177-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-179-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-181-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-183-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-185-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-187-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-189-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-191-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-193-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-195-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-197-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-199-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-201-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-203-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-205-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-207-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-209-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-211-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-213-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-215-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-217-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-219-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-221-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-223-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-225-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-227-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-229-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-231-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-233-0x0000000002B40000-0x0000000002BA0000-memory.dmp

Filesize
384KB

Download
memory/1364-2324-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing