f86810b4123abd6ae0f6f64c23df45d7f88e4c8ba8a9ceaafb6a0a83441bbb9f

General

Target

f86810b4123abd6ae0f6f64c23df45d7f88e4c8ba8a9ceaafb6a0a83441bbb9f.exe
Size

1.5MB
MD5

a3e9220cda25b3fe2c2963c7eba694bf
SHA1

f0518972d2bf555d66793ab4e357e0eaa4e6297c
SHA256

f86810b4123abd6ae0f6f64c23df45d7f88e4c8ba8a9ceaafb6a0a83441bbb9f
SHA512

37d8b61765adc2c16eac62388b896130a0b60b35291b7888e2b65082e6d514a3f27fac6884f6adf471efd757852b044f6e1bd1148138ee11e1de131f43365a85
SSDEEP

49152:szMjetJRzS2tzBkIjCwqm0YTaKPhOkp+Mwhh8:KNJRzhtz9GGTLZLpmhh

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

za226691.exeza863199.exeza651923.exe63873317.exe

pid process

3360 za226691.exe
2236 za863199.exe
460 za651923.exe
2196 63873317.exe

pid	process
3360	za226691.exe
2236	za863199.exe
460	za651923.exe
2196	63873317.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

za651923.exef86810b4123abd6ae0f6f64c23df45d7f88e4c8ba8a9ceaafb6a0a83441bbb9f.exeza226691.exeza863199.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	za651923.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f86810b4123abd6ae0f6f64c23df45d7f88e4c8ba8a9ceaafb6a0a83441bbb9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f86810b4123abd6ae0f6f64c23df45d7f88e4c8ba8a9ceaafb6a0a83441bbb9f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za226691.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za226691.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za863199.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za863199.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za651923.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

63873317.exe

description pid process

Token: SeDebugPrivilege 2196 63873317.exe

description	pid	process
Token: SeDebugPrivilege	2196	63873317.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f86810b4123abd6ae0f6f64c23df45d7f88e4c8ba8a9ceaafb6a0a83441bbb9f.exeza226691.exeza863199.exeza651923.exe

description	pid	process	target process
PID 1576 wrote to memory of 3360	1576	f86810b4123abd6ae0f6f64c23df45d7f88e4c8ba8a9ceaafb6a0a83441bbb9f.exe	za226691.exe
PID 1576 wrote to memory of 3360	1576	f86810b4123abd6ae0f6f64c23df45d7f88e4c8ba8a9ceaafb6a0a83441bbb9f.exe	za226691.exe
PID 1576 wrote to memory of 3360	1576	f86810b4123abd6ae0f6f64c23df45d7f88e4c8ba8a9ceaafb6a0a83441bbb9f.exe	za226691.exe
PID 3360 wrote to memory of 2236	3360	za226691.exe	za863199.exe
PID 3360 wrote to memory of 2236	3360	za226691.exe	za863199.exe
PID 3360 wrote to memory of 2236	3360	za226691.exe	za863199.exe
PID 2236 wrote to memory of 460	2236	za863199.exe	za651923.exe
PID 2236 wrote to memory of 460	2236	za863199.exe	za651923.exe
PID 2236 wrote to memory of 460	2236	za863199.exe	za651923.exe
PID 460 wrote to memory of 2196	460	za651923.exe	63873317.exe
PID 460 wrote to memory of 2196	460	za651923.exe	63873317.exe
PID 460 wrote to memory of 2196	460	za651923.exe	63873317.exe

C:\Users\Admin\AppData\Local\Temp\f86810b4123abd6ae0f6f64c23df45d7f88e4c8ba8a9ceaafb6a0a83441bbb9f.exe
"C:\Users\Admin\AppData\Local\Temp\f86810b4123abd6ae0f6f64c23df45d7f88e4c8ba8a9ceaafb6a0a83441bbb9f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1576

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za226691.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za226691.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3360

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za863199.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za863199.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2236

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za651923.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za651923.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:460

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\63873317.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\63873317.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za226691.exe
Filesize
1.4MB

MD5
0690f395260bc1358e883bf085fa99cd

SHA1
c2a018441d7f5e59435b9f90b2698247c105b915

SHA256
b8ce10ad5f8cb53a89706f38601f4e321cada64a0ff0f864116def13013b9ef9

SHA512
91a37bc76a597f2f0a9590ea8705b44608d51760d2f84e6a64708f3b09c2f738a144876ad89fe765df9e8a99eeafd2e8300f769c11c12934f14022fc1983d097

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za226691.exe
Filesize
1.4MB

MD5
0690f395260bc1358e883bf085fa99cd

SHA1
c2a018441d7f5e59435b9f90b2698247c105b915

SHA256
b8ce10ad5f8cb53a89706f38601f4e321cada64a0ff0f864116def13013b9ef9

SHA512
91a37bc76a597f2f0a9590ea8705b44608d51760d2f84e6a64708f3b09c2f738a144876ad89fe765df9e8a99eeafd2e8300f769c11c12934f14022fc1983d097

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za863199.exe
Filesize
898KB

MD5
93e2d1848578e3877345e56e5dab9a96

SHA1
11d1f7a95819e15ae82b7891560bc620ce406b4b

SHA256
24a5c1bb09c10a16401079622e9c9cde7e476cff61394922d8d9514a9cf30547

SHA512
99bd751640b27667c2c45efd19e2ba1f8b6bdc3e1ff2e55023f66265c0175c8175811314c90b4f675f0858f2e4a8b621c4904e192f375714c3160626bc173cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za863199.exe
Filesize
898KB

MD5
93e2d1848578e3877345e56e5dab9a96

SHA1
11d1f7a95819e15ae82b7891560bc620ce406b4b

SHA256
24a5c1bb09c10a16401079622e9c9cde7e476cff61394922d8d9514a9cf30547

SHA512
99bd751640b27667c2c45efd19e2ba1f8b6bdc3e1ff2e55023f66265c0175c8175811314c90b4f675f0858f2e4a8b621c4904e192f375714c3160626bc173cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za651923.exe
Filesize
716KB

MD5
b44f5aa6bb820af00112da51a52bb5a4

SHA1
a78256a6c1bd333068af8262b9c4c3eefb90539e

SHA256
10c59b4d3d51c85e486e36756447b23c85dd9e7ffc05bae4378ed15038e1ff81

SHA512
db7d39ffcb6395587bbb8a3f0ac3485ae973a70b1f88a2c4df2ac1ec89333ef573bf3d71b342a14a83c7eb33dd3a687a14f0b436d2a2f6e6a0910660d479d0c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za651923.exe
Filesize
716KB

MD5
b44f5aa6bb820af00112da51a52bb5a4

SHA1
a78256a6c1bd333068af8262b9c4c3eefb90539e

SHA256
10c59b4d3d51c85e486e36756447b23c85dd9e7ffc05bae4378ed15038e1ff81

SHA512
db7d39ffcb6395587bbb8a3f0ac3485ae973a70b1f88a2c4df2ac1ec89333ef573bf3d71b342a14a83c7eb33dd3a687a14f0b436d2a2f6e6a0910660d479d0c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\63873317.exe
Filesize
299KB

MD5
17b4437723325d8990ee7c4efd8bd4dd

SHA1
02f529996088617f163c36db82ea86ed733b8667

SHA256
a83c31d63c73ec6c152d21dc2a2bf7fc025148780292caae31e4929573ce285f

SHA512
930370ecf5601e8210b53a8962c93ec85342a3da405d2e1db84080c0bf78b730b6f6a743477950aaca0cb7dec8c6e7f855e787074f8aa4e6bc768ecf50622ecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\63873317.exe
Filesize
299KB

MD5
17b4437723325d8990ee7c4efd8bd4dd

SHA1
02f529996088617f163c36db82ea86ed733b8667

SHA256
a83c31d63c73ec6c152d21dc2a2bf7fc025148780292caae31e4929573ce285f

SHA512
930370ecf5601e8210b53a8962c93ec85342a3da405d2e1db84080c0bf78b730b6f6a743477950aaca0cb7dec8c6e7f855e787074f8aa4e6bc768ecf50622ecf

Download Submit
memory/2196-161-0x0000000004C60000-0x0000000005204000-memory.dmp

Filesize
5.6MB

Download
memory/2196-162-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/2196-163-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/2196-164-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/2196-165-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-166-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-168-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-170-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-172-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-174-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-176-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-178-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-180-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-182-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-184-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-186-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-188-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-190-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-192-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-194-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-196-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-198-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-200-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-202-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-204-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-206-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-208-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-210-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-212-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-214-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-216-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-218-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-220-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-222-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-224-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-226-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-228-0x0000000004B10000-0x0000000004B61000-memory.dmp

Filesize
324KB

Download
memory/2196-2293-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/2196-2294-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/2196-2295-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/2196-2296-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/2196-2297-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing