65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9

General

Target

65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe
Size

599KB
MD5

9fcf210a9e62502d2332c6cf658b50d5
SHA1

91ed85654df42d0f41c02cc344bac9f11c858f34
SHA256

65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9
SHA512

ebbb43549280464616956cfa60d1755deeaf0918c46f1023f7c8c0105b1362b267b9190cb49eabadf9f04618d14d8a21cdb2810ffedbadfb33ecdf916146774c
SSDEEP

12288:sMrSy90mYT6rZjgyo7HoX1Id3CWyEh62U2+6cWCLxCs88Zpg2FaUOZ/t:OymTmJyHgasPv2RwK2bO7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1964	y4520007.exe
636	k9594817.exe

Loads dropped DLL 4 IoCs

pid	Process
1960	65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe
1964	y4520007.exe
1964	y4520007.exe
636	k9594817.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y4520007.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y4520007.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1964	1960	65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe	27
PID 1960 wrote to memory of 1964	1960	65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe	27
PID 1960 wrote to memory of 1964	1960	65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe	27
PID 1960 wrote to memory of 1964	1960	65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe	27
PID 1960 wrote to memory of 1964	1960	65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe	27
PID 1960 wrote to memory of 1964	1960	65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe	27
PID 1960 wrote to memory of 1964	1960	65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe	27
PID 1964 wrote to memory of 636	1964	y4520007.exe	28
PID 1964 wrote to memory of 636	1964	y4520007.exe	28
PID 1964 wrote to memory of 636	1964	y4520007.exe	28
PID 1964 wrote to memory of 636	1964	y4520007.exe	28
PID 1964 wrote to memory of 636	1964	y4520007.exe	28
PID 1964 wrote to memory of 636	1964	y4520007.exe	28
PID 1964 wrote to memory of 636	1964	y4520007.exe	28

C:\Users\Admin\AppData\Local\Temp\65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe
"C:\Users\Admin\AppData\Local\Temp\65e927b43ad5e5c9e01570c197da93530191b622d90abad16e486d69157942b9.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4520007.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4520007.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9594817.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9594817.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4520007.exe

Filesize
307KB

MD5
e4d1ae8baed68e4158c2a0e0271241ae

SHA1
ab5d03a6d558323053b181e2934d841e594f9080

SHA256
b291cd810edaf2c15fc09d39fbbc0867cfc6b24f8a708ea13d26872b7ea1ebbb

SHA512
7e2400cc5d9f59840ea5b0f05c2559ec03f7f8d4809fc69a1cfa12b1d4dab46e88fdc3f857e36ffced6a6e87a1eeb905df008d52aea8b1c70b5e32a57365803a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4520007.exe

Filesize
307KB

MD5
e4d1ae8baed68e4158c2a0e0271241ae

SHA1
ab5d03a6d558323053b181e2934d841e594f9080

SHA256
b291cd810edaf2c15fc09d39fbbc0867cfc6b24f8a708ea13d26872b7ea1ebbb

SHA512
7e2400cc5d9f59840ea5b0f05c2559ec03f7f8d4809fc69a1cfa12b1d4dab46e88fdc3f857e36ffced6a6e87a1eeb905df008d52aea8b1c70b5e32a57365803a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9594817.exe

Filesize
137KB

MD5
3c86b66f6b7eb077a276399f63928dfb

SHA1
df370706189600c6e338fc5801dfa3e9dbe24ed4

SHA256
40d329b81431fe6b10aa348762c0cd94d500426f422f96a2e9999823e62ce367

SHA512
5d53ef8c1c08e45ddbad80571598faebbd17cadc6b86145ee03f734db482181ea913b953a8655abc4f39b75fd9c132a1e4d07cc7a3b2ba94e898f4195bc5d805

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9594817.exe

Filesize
137KB

MD5
3c86b66f6b7eb077a276399f63928dfb

SHA1
df370706189600c6e338fc5801dfa3e9dbe24ed4

SHA256
40d329b81431fe6b10aa348762c0cd94d500426f422f96a2e9999823e62ce367

SHA512
5d53ef8c1c08e45ddbad80571598faebbd17cadc6b86145ee03f734db482181ea913b953a8655abc4f39b75fd9c132a1e4d07cc7a3b2ba94e898f4195bc5d805

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4520007.exe

Filesize
307KB

MD5
e4d1ae8baed68e4158c2a0e0271241ae

SHA1
ab5d03a6d558323053b181e2934d841e594f9080

SHA256
b291cd810edaf2c15fc09d39fbbc0867cfc6b24f8a708ea13d26872b7ea1ebbb

SHA512
7e2400cc5d9f59840ea5b0f05c2559ec03f7f8d4809fc69a1cfa12b1d4dab46e88fdc3f857e36ffced6a6e87a1eeb905df008d52aea8b1c70b5e32a57365803a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4520007.exe

Filesize
307KB

MD5
e4d1ae8baed68e4158c2a0e0271241ae

SHA1
ab5d03a6d558323053b181e2934d841e594f9080

SHA256
b291cd810edaf2c15fc09d39fbbc0867cfc6b24f8a708ea13d26872b7ea1ebbb

SHA512
7e2400cc5d9f59840ea5b0f05c2559ec03f7f8d4809fc69a1cfa12b1d4dab46e88fdc3f857e36ffced6a6e87a1eeb905df008d52aea8b1c70b5e32a57365803a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9594817.exe

Filesize
137KB

MD5
3c86b66f6b7eb077a276399f63928dfb

SHA1
df370706189600c6e338fc5801dfa3e9dbe24ed4

SHA256
40d329b81431fe6b10aa348762c0cd94d500426f422f96a2e9999823e62ce367

SHA512
5d53ef8c1c08e45ddbad80571598faebbd17cadc6b86145ee03f734db482181ea913b953a8655abc4f39b75fd9c132a1e4d07cc7a3b2ba94e898f4195bc5d805

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9594817.exe

Filesize
137KB

MD5
3c86b66f6b7eb077a276399f63928dfb

SHA1
df370706189600c6e338fc5801dfa3e9dbe24ed4

SHA256
40d329b81431fe6b10aa348762c0cd94d500426f422f96a2e9999823e62ce367

SHA512
5d53ef8c1c08e45ddbad80571598faebbd17cadc6b86145ee03f734db482181ea913b953a8655abc4f39b75fd9c132a1e4d07cc7a3b2ba94e898f4195bc5d805

Download Submit
memory/636-74-0x0000000000FA0000-0x0000000000FC8000-memory.dmp

Filesize
160KB

Download
memory/636-75-0x00000000071B0000-0x00000000071F0000-memory.dmp

Filesize
256KB

Download
memory/636-76-0x00000000071B0000-0x00000000071F0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing