b830b381d22b93411dd3c53ffa12dc1243207100abcf802b7258610c8156c074

General

Target

b830b381d22b93411dd3c53ffa12dc1243207100abcf802b7258610c8156c074.exe
Size

913KB
MD5

86e0fb117a961899da25cc5cbc88cdc2
SHA1

05f5b3cd44a736bc3e4942567d7bb890a8290261
SHA256

b830b381d22b93411dd3c53ffa12dc1243207100abcf802b7258610c8156c074
SHA512

5e5bc9e9e73cdb3062a39ea5396e9674ed2aa516143eddb7a872e9e3a33899fa9a33d6c8f50a6871da924ac87ffad5a480a42fef2c1abfaa5704b3b115d17e4e
SSDEEP

24576:Cy0qjc7UAZ0ZWetCnlTOQ2dJ1OGpQMpebNskg:p05UU0Zbt4laQ+J1Tte

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
848	st457823.exe
1196	63758606.exe

Loads dropped DLL 4 IoCs

pid	Process
1204	b830b381d22b93411dd3c53ffa12dc1243207100abcf802b7258610c8156c074.exe
848	st457823.exe
848	st457823.exe
1196	63758606.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st457823.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b830b381d22b93411dd3c53ffa12dc1243207100abcf802b7258610c8156c074.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b830b381d22b93411dd3c53ffa12dc1243207100abcf802b7258610c8156c074.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	st457823.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1196	63758606.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 848	1204	b830b381d22b93411dd3c53ffa12dc1243207100abcf802b7258610c8156c074.exe	28
PID 1204 wrote to memory of 848	1204	b830b381d22b93411dd3c53ffa12dc1243207100abcf802b7258610c8156c074.exe	28
PID 1204 wrote to memory of 848	1204	b830b381d22b93411dd3c53ffa12dc1243207100abcf802b7258610c8156c074.exe	28
PID 1204 wrote to memory of 848	1204	b830b381d22b93411dd3c53ffa12dc1243207100abcf802b7258610c8156c074.exe	28
PID 1204 wrote to memory of 848	1204	b830b381d22b93411dd3c53ffa12dc1243207100abcf802b7258610c8156c074.exe	28
PID 1204 wrote to memory of 848	1204	b830b381d22b93411dd3c53ffa12dc1243207100abcf802b7258610c8156c074.exe	28
PID 1204 wrote to memory of 848	1204	b830b381d22b93411dd3c53ffa12dc1243207100abcf802b7258610c8156c074.exe	28
PID 848 wrote to memory of 1196	848	st457823.exe	29
PID 848 wrote to memory of 1196	848	st457823.exe	29
PID 848 wrote to memory of 1196	848	st457823.exe	29
PID 848 wrote to memory of 1196	848	st457823.exe	29
PID 848 wrote to memory of 1196	848	st457823.exe	29
PID 848 wrote to memory of 1196	848	st457823.exe	29
PID 848 wrote to memory of 1196	848	st457823.exe	29

C:\Users\Admin\AppData\Local\Temp\b830b381d22b93411dd3c53ffa12dc1243207100abcf802b7258610c8156c074.exe
"C:\Users\Admin\AppData\Local\Temp\b830b381d22b93411dd3c53ffa12dc1243207100abcf802b7258610c8156c074.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st457823.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st457823.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\63758606.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\63758606.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st457823.exe

Filesize
759KB

MD5
5a7194152aa0f8c1d432b7cec4a56f96

SHA1
2927c006a47f9a016f2ccd79898cebb822beb0a6

SHA256
6ac86183cc79a5171246fd979ec00736dbf020e80a8c532e154abb08f50b797a

SHA512
d88e2442b29fc83337b1bc94244dfe5d18eba2ca8700e96621da4d66e68947a1d8f2487f9d0b3c053ef1444affca5fdb14e814c1f026b456f4272f4d169dbc94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st457823.exe

Filesize
759KB

MD5
5a7194152aa0f8c1d432b7cec4a56f96

SHA1
2927c006a47f9a016f2ccd79898cebb822beb0a6

SHA256
6ac86183cc79a5171246fd979ec00736dbf020e80a8c532e154abb08f50b797a

SHA512
d88e2442b29fc83337b1bc94244dfe5d18eba2ca8700e96621da4d66e68947a1d8f2487f9d0b3c053ef1444affca5fdb14e814c1f026b456f4272f4d169dbc94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\63758606.exe

Filesize
300KB

MD5
c145750c108f1c6e3fd39178c6bcb800

SHA1
dd729806c28492c16d67941ddd36c0051ed296ce

SHA256
073ed2ce46097218fe1dad15b7735c4df00ce62ed38f940f0c778081b8709a86

SHA512
ed13cc8c815eb8764f7e00b90691ac8ff33facc9264ced10afff1853f072d1e07de2044d73a81c6b9fb60d566dbb9b210915d9486fa5db9332c16ef39bf77b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\63758606.exe

Filesize
300KB

MD5
c145750c108f1c6e3fd39178c6bcb800

SHA1
dd729806c28492c16d67941ddd36c0051ed296ce

SHA256
073ed2ce46097218fe1dad15b7735c4df00ce62ed38f940f0c778081b8709a86

SHA512
ed13cc8c815eb8764f7e00b90691ac8ff33facc9264ced10afff1853f072d1e07de2044d73a81c6b9fb60d566dbb9b210915d9486fa5db9332c16ef39bf77b86

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st457823.exe

Filesize
759KB

MD5
5a7194152aa0f8c1d432b7cec4a56f96

SHA1
2927c006a47f9a016f2ccd79898cebb822beb0a6

SHA256
6ac86183cc79a5171246fd979ec00736dbf020e80a8c532e154abb08f50b797a

SHA512
d88e2442b29fc83337b1bc94244dfe5d18eba2ca8700e96621da4d66e68947a1d8f2487f9d0b3c053ef1444affca5fdb14e814c1f026b456f4272f4d169dbc94

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\st457823.exe

Filesize
759KB

MD5
5a7194152aa0f8c1d432b7cec4a56f96

SHA1
2927c006a47f9a016f2ccd79898cebb822beb0a6

SHA256
6ac86183cc79a5171246fd979ec00736dbf020e80a8c532e154abb08f50b797a

SHA512
d88e2442b29fc83337b1bc94244dfe5d18eba2ca8700e96621da4d66e68947a1d8f2487f9d0b3c053ef1444affca5fdb14e814c1f026b456f4272f4d169dbc94

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\63758606.exe

Filesize
300KB

MD5
c145750c108f1c6e3fd39178c6bcb800

SHA1
dd729806c28492c16d67941ddd36c0051ed296ce

SHA256
073ed2ce46097218fe1dad15b7735c4df00ce62ed38f940f0c778081b8709a86

SHA512
ed13cc8c815eb8764f7e00b90691ac8ff33facc9264ced10afff1853f072d1e07de2044d73a81c6b9fb60d566dbb9b210915d9486fa5db9332c16ef39bf77b86

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\63758606.exe

Filesize
300KB

MD5
c145750c108f1c6e3fd39178c6bcb800

SHA1
dd729806c28492c16d67941ddd36c0051ed296ce

SHA256
073ed2ce46097218fe1dad15b7735c4df00ce62ed38f940f0c778081b8709a86

SHA512
ed13cc8c815eb8764f7e00b90691ac8ff33facc9264ced10afff1853f072d1e07de2044d73a81c6b9fb60d566dbb9b210915d9486fa5db9332c16ef39bf77b86

Download Submit
memory/1196-95-0x00000000048B0000-0x0000000004901000-memory.dmp

Filesize
324KB

Download
memory/1196-105-0x00000000048B0000-0x0000000004901000-memory.dmp

Filesize
324KB

Download
memory/1196-76-0x00000000048B0000-0x0000000004901000-memory.dmp

Filesize
324KB

Download
memory/1196-77-0x00000000048B0000-0x0000000004901000-memory.dmp

Filesize
324KB

Download
memory/1196-79-0x00000000048B0000-0x0000000004901000-memory.dmp

Filesize
324KB

Download
memory/1196-81-0x00000000048B0000-0x0000000004901000-memory.dmp

Filesize
324KB

Download
memory/1196-83-0x00000000048B0000-0x0000000004901000-memory.dmp

Filesize
324KB

Download
memory/1196-85-0x00000000048B0000-0x0000000004901000-memory.dmp

Filesize
324KB

Download
memory/1196-87-0x00000000048B0000-0x0000000004901000-memory.dmp

Filesize
324KB

Download
memory/1196-89-0x00000000048B0000-0x0000000004901000-memory.dmp

Filesize
324KB

Download
memory/1196-91-0x00000000048B0000-0x0000000004901000-memory.dmp

Filesize
324KB

Download
memory/1196-93-0x00000000048B0000-0x0000000004901000-memory.dmp

Filesize
324KB

Download
memory/1196-74-0x00000000022E0000-0x0000000002338000-memory.dmp

Filesize
352KB

Download
memory/1196-97-0x00000000048B0000-0x0000000004901000-memory.dmp

Filesize
324KB

Download
memory/1196-101-0x00000000048B0000-0x0000000004901000-memory.dmp

Filesize
324KB

Download
memory/1196-75-0x00000000048B0000-0x0000000004906000-memory.dmp

Filesize
344KB

Download
memory/1196-103-0x00000000048B0000-0x0000000004901000-memory.dmp

Filesize
324KB

Download
memory/1196-107-0x00000000048B0000-0x0000000004901000-memory.dmp

Filesize
324KB

Download
memory/1196-111-0x00000000048B0000-0x0000000004901000-memory.dmp

Filesize
324KB

Download
memory/1196-113-0x00000000048B0000-0x0000000004901000-memory.dmp

Filesize
324KB

Download
memory/1196-117-0x00000000048B0000-0x0000000004901000-memory.dmp

Filesize
324KB

Download
memory/1196-119-0x00000000048B0000-0x0000000004901000-memory.dmp

Filesize
324KB

Download
memory/1196-121-0x00000000048B0000-0x0000000004901000-memory.dmp

Filesize
324KB

Download
memory/1196-123-0x00000000048B0000-0x0000000004901000-memory.dmp

Filesize
324KB

Download
memory/1196-125-0x00000000048B0000-0x0000000004901000-memory.dmp

Filesize
324KB

Download
memory/1196-128-0x0000000002040000-0x0000000002080000-memory.dmp

Filesize
256KB

Download
memory/1196-127-0x0000000002040000-0x0000000002080000-memory.dmp

Filesize
256KB

Download
memory/1196-115-0x00000000048B0000-0x0000000004901000-memory.dmp

Filesize
324KB

Download
memory/1196-109-0x00000000048B0000-0x0000000004901000-memory.dmp

Filesize
324KB

Download
memory/1196-99-0x00000000048B0000-0x0000000004901000-memory.dmp

Filesize
324KB

Download
memory/1196-129-0x0000000002040000-0x0000000002080000-memory.dmp

Filesize
256KB

Download
memory/1196-130-0x0000000002040000-0x0000000002080000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing