5c6f0628f176ed4b48066604aabf404cebb2750943d3e56dd5548a9a5dcb493a

General

Target

5c6f0628f176ed4b48066604aabf404cebb2750943d3e56dd5548a9a5dcb493a.exe
Size

479KB
MD5

f4cbc0adc6dac9c02101434fe9208dcd
SHA1

651338431eaa421a164ec448e56e694165667355
SHA256

5c6f0628f176ed4b48066604aabf404cebb2750943d3e56dd5548a9a5dcb493a
SHA512

6d6eafbe69e19b995f75eb0f3a412c6adaca8350ca4d8d67075a74cc48a67303be6cb77086c34b2d3da44fdced797784ecd6b9397d9eefca0c27412232e41dc3
SSDEEP

12288:OMrSy90aro2G7B+8FRa0n9DkUvgusoysnwFOhci:Iy16F+8FRaC9kkJ9wFg1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
912	x6267625.exe
576	g7244565.exe

Loads dropped DLL 4 IoCs

pid	Process
2024	5c6f0628f176ed4b48066604aabf404cebb2750943d3e56dd5548a9a5dcb493a.exe
912	x6267625.exe
912	x6267625.exe
576	g7244565.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x6267625.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6267625.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5c6f0628f176ed4b48066604aabf404cebb2750943d3e56dd5548a9a5dcb493a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5c6f0628f176ed4b48066604aabf404cebb2750943d3e56dd5548a9a5dcb493a.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 912	2024	5c6f0628f176ed4b48066604aabf404cebb2750943d3e56dd5548a9a5dcb493a.exe	28
PID 2024 wrote to memory of 912	2024	5c6f0628f176ed4b48066604aabf404cebb2750943d3e56dd5548a9a5dcb493a.exe	28
PID 2024 wrote to memory of 912	2024	5c6f0628f176ed4b48066604aabf404cebb2750943d3e56dd5548a9a5dcb493a.exe	28
PID 2024 wrote to memory of 912	2024	5c6f0628f176ed4b48066604aabf404cebb2750943d3e56dd5548a9a5dcb493a.exe	28
PID 2024 wrote to memory of 912	2024	5c6f0628f176ed4b48066604aabf404cebb2750943d3e56dd5548a9a5dcb493a.exe	28
PID 2024 wrote to memory of 912	2024	5c6f0628f176ed4b48066604aabf404cebb2750943d3e56dd5548a9a5dcb493a.exe	28
PID 2024 wrote to memory of 912	2024	5c6f0628f176ed4b48066604aabf404cebb2750943d3e56dd5548a9a5dcb493a.exe	28
PID 912 wrote to memory of 576	912	x6267625.exe	29
PID 912 wrote to memory of 576	912	x6267625.exe	29
PID 912 wrote to memory of 576	912	x6267625.exe	29
PID 912 wrote to memory of 576	912	x6267625.exe	29
PID 912 wrote to memory of 576	912	x6267625.exe	29
PID 912 wrote to memory of 576	912	x6267625.exe	29
PID 912 wrote to memory of 576	912	x6267625.exe	29

C:\Users\Admin\AppData\Local\Temp\5c6f0628f176ed4b48066604aabf404cebb2750943d3e56dd5548a9a5dcb493a.exe
"C:\Users\Admin\AppData\Local\Temp\5c6f0628f176ed4b48066604aabf404cebb2750943d3e56dd5548a9a5dcb493a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6267625.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6267625.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7244565.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7244565.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6267625.exe

Filesize
307KB

MD5
e3a3cf86a4fe6e60a3f2a7a3eb42c0a6

SHA1
ea1003e2d452f17165ffc57f7beff28a090d9672

SHA256
47214080d942ad45da462eb66a04f4371191e7248b512fdd9a3e416db243e16c

SHA512
64e7b9c1b8662038163b33b356fed9fdde806db7de4c865c67db89fe89560458c8e27d25c5065a5fb55209f166143916222730bf4bb9d057bc638c634bbe158e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6267625.exe

Filesize
307KB

MD5
e3a3cf86a4fe6e60a3f2a7a3eb42c0a6

SHA1
ea1003e2d452f17165ffc57f7beff28a090d9672

SHA256
47214080d942ad45da462eb66a04f4371191e7248b512fdd9a3e416db243e16c

SHA512
64e7b9c1b8662038163b33b356fed9fdde806db7de4c865c67db89fe89560458c8e27d25c5065a5fb55209f166143916222730bf4bb9d057bc638c634bbe158e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7244565.exe

Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7244565.exe

Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6267625.exe

Filesize
307KB

MD5
e3a3cf86a4fe6e60a3f2a7a3eb42c0a6

SHA1
ea1003e2d452f17165ffc57f7beff28a090d9672

SHA256
47214080d942ad45da462eb66a04f4371191e7248b512fdd9a3e416db243e16c

SHA512
64e7b9c1b8662038163b33b356fed9fdde806db7de4c865c67db89fe89560458c8e27d25c5065a5fb55209f166143916222730bf4bb9d057bc638c634bbe158e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6267625.exe

Filesize
307KB

MD5
e3a3cf86a4fe6e60a3f2a7a3eb42c0a6

SHA1
ea1003e2d452f17165ffc57f7beff28a090d9672

SHA256
47214080d942ad45da462eb66a04f4371191e7248b512fdd9a3e416db243e16c

SHA512
64e7b9c1b8662038163b33b356fed9fdde806db7de4c865c67db89fe89560458c8e27d25c5065a5fb55209f166143916222730bf4bb9d057bc638c634bbe158e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7244565.exe

Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7244565.exe

Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
memory/576-74-0x00000000000E0000-0x0000000000108000-memory.dmp

Filesize
160KB

Download
memory/576-75-0x00000000023D0000-0x0000000002410000-memory.dmp

Filesize
256KB

Download
memory/576-76-0x00000000023D0000-0x0000000002410000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing