3e21b24b5d323d15e2d70724fd6174ec36bad6496816ce3bb0a3d5233d79ab57

General

Target

3e21b24b5d323d15e2d70724fd6174ec36bad6496816ce3bb0a3d5233d79ab57.exe
Size

1.2MB
MD5

758c5b05b8e597367142da759db50321
SHA1

bf4b8f5f89027807c2f0df8a96f05542665a76d9
SHA256

3e21b24b5d323d15e2d70724fd6174ec36bad6496816ce3bb0a3d5233d79ab57
SHA512

51be9af954146664b45cb27454b60eaef460fc4b0a5c2f7b9c5f30fa0f67a1a29ecd0bf1870ad83bed2c34cafa20071d317606e84c49870549eae944fcc83fdf
SSDEEP

24576:0youzBhnOtdRUUqgfPMGbPpX1OCEv0+fB1c5TkOa+8OWAXTHq8UT:DoIhnOtkU7PjbhX1OCEvzfOn8OWADH7U

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

z31370594.exez47995726.exez37179675.exes92181765.exe

pid process

1408 z31370594.exe
3992 z47995726.exe
2036 z37179675.exe
3780 s92181765.exe

pid	process
1408	z31370594.exe
3992	z47995726.exe
2036	z37179675.exe
3780	s92181765.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z47995726.exez37179675.exe3e21b24b5d323d15e2d70724fd6174ec36bad6496816ce3bb0a3d5233d79ab57.exez31370594.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z47995726.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z47995726.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z37179675.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z37179675.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3e21b24b5d323d15e2d70724fd6174ec36bad6496816ce3bb0a3d5233d79ab57.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3e21b24b5d323d15e2d70724fd6174ec36bad6496816ce3bb0a3d5233d79ab57.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z31370594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z31370594.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s92181765.exe

description pid process

Token: SeDebugPrivilege 3780 s92181765.exe

description	pid	process
Token: SeDebugPrivilege	3780	s92181765.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3e21b24b5d323d15e2d70724fd6174ec36bad6496816ce3bb0a3d5233d79ab57.exez31370594.exez47995726.exez37179675.exe

description	pid	process	target process
PID 2488 wrote to memory of 1408	2488	3e21b24b5d323d15e2d70724fd6174ec36bad6496816ce3bb0a3d5233d79ab57.exe	z31370594.exe
PID 2488 wrote to memory of 1408	2488	3e21b24b5d323d15e2d70724fd6174ec36bad6496816ce3bb0a3d5233d79ab57.exe	z31370594.exe
PID 2488 wrote to memory of 1408	2488	3e21b24b5d323d15e2d70724fd6174ec36bad6496816ce3bb0a3d5233d79ab57.exe	z31370594.exe
PID 1408 wrote to memory of 3992	1408	z31370594.exe	z47995726.exe
PID 1408 wrote to memory of 3992	1408	z31370594.exe	z47995726.exe
PID 1408 wrote to memory of 3992	1408	z31370594.exe	z47995726.exe
PID 3992 wrote to memory of 2036	3992	z47995726.exe	z37179675.exe
PID 3992 wrote to memory of 2036	3992	z47995726.exe	z37179675.exe
PID 3992 wrote to memory of 2036	3992	z47995726.exe	z37179675.exe
PID 2036 wrote to memory of 3780	2036	z37179675.exe	s92181765.exe
PID 2036 wrote to memory of 3780	2036	z37179675.exe	s92181765.exe
PID 2036 wrote to memory of 3780	2036	z37179675.exe	s92181765.exe

C:\Users\Admin\AppData\Local\Temp\3e21b24b5d323d15e2d70724fd6174ec36bad6496816ce3bb0a3d5233d79ab57.exe
"C:\Users\Admin\AppData\Local\Temp\3e21b24b5d323d15e2d70724fd6174ec36bad6496816ce3bb0a3d5233d79ab57.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2488

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z31370594.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z31370594.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z47995726.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z47995726.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3992

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z37179675.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z37179675.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s92181765.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s92181765.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z31370594.exe
Filesize
1.0MB

MD5
c52fde566db248b74323e583beca8f20

SHA1
9e530bebb9c0832ee11c5da7b03a034b7e3607e9

SHA256
e20027566a9cc13d369cf2f45590f6fe4419c8b7be8c0d4261eb1fd54bda5ffe

SHA512
9289729d00f8553efaefdeb00649400bb1521f161fb96821c18318b17e74e92239a3fd75f4f5669ec69d0754fe9cea319fc61fe5d9a0dce6b895381dd7f48a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z31370594.exe
Filesize
1.0MB

MD5
c52fde566db248b74323e583beca8f20

SHA1
9e530bebb9c0832ee11c5da7b03a034b7e3607e9

SHA256
e20027566a9cc13d369cf2f45590f6fe4419c8b7be8c0d4261eb1fd54bda5ffe

SHA512
9289729d00f8553efaefdeb00649400bb1521f161fb96821c18318b17e74e92239a3fd75f4f5669ec69d0754fe9cea319fc61fe5d9a0dce6b895381dd7f48a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z47995726.exe
Filesize
753KB

MD5
99eb72044a3be20683d961bbd7b94290

SHA1
e4d181899ea765c8ff55158c6e616b989ef483a4

SHA256
00fc69758c678767060b565837859070cb685d83aea606606d72342180524475

SHA512
5d2a93eb7d45ecd75f6051b91616d2a319f1b3d8529c2cf0357fc66b5c8fe096306db67ef41aa6a6a6f6a4448910e11b4e37fabfe9faa3abf70cd9f80e393581

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z47995726.exe
Filesize
753KB

MD5
99eb72044a3be20683d961bbd7b94290

SHA1
e4d181899ea765c8ff55158c6e616b989ef483a4

SHA256
00fc69758c678767060b565837859070cb685d83aea606606d72342180524475

SHA512
5d2a93eb7d45ecd75f6051b91616d2a319f1b3d8529c2cf0357fc66b5c8fe096306db67ef41aa6a6a6f6a4448910e11b4e37fabfe9faa3abf70cd9f80e393581

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z37179675.exe
Filesize
570KB

MD5
0838c9804bed9058f5735215cc3c0259

SHA1
0f803c176a152a4f607df4a3708aee98b3a00d6c

SHA256
fe4eb95b8c0d1879169cf4d267f73631c867908a7a6b37b95119fc8bde44ce52

SHA512
ab7e0386948f48a5b81f928b2f964271f3e75495cccf114f6e6134be6d0ebd54522a57cf51b4e440659666e30e9b512f0b0a451e4a153498381fc3351cb9e389

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z37179675.exe
Filesize
570KB

MD5
0838c9804bed9058f5735215cc3c0259

SHA1
0f803c176a152a4f607df4a3708aee98b3a00d6c

SHA256
fe4eb95b8c0d1879169cf4d267f73631c867908a7a6b37b95119fc8bde44ce52

SHA512
ab7e0386948f48a5b81f928b2f964271f3e75495cccf114f6e6134be6d0ebd54522a57cf51b4e440659666e30e9b512f0b0a451e4a153498381fc3351cb9e389

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s92181765.exe
Filesize
488KB

MD5
c4d41930fe4269e50f4ed13a8e2225f6

SHA1
f962123b95c70363ebff906de15d9e5fce54cb65

SHA256
308de59825f1b17194fbf8700f6f0b9f14d05b9bcd838e203e6045343cd1fccf

SHA512
6ea88a8787a10701d78cce92f8540c9ddbeec6ea75e43297d55eab28facf5da749964340bfe8444f0e4e72f3a06e44119f95282c65a0f43c5ed264d23581583a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s92181765.exe
Filesize
488KB

MD5
c4d41930fe4269e50f4ed13a8e2225f6

SHA1
f962123b95c70363ebff906de15d9e5fce54cb65

SHA256
308de59825f1b17194fbf8700f6f0b9f14d05b9bcd838e203e6045343cd1fccf

SHA512
6ea88a8787a10701d78cce92f8540c9ddbeec6ea75e43297d55eab28facf5da749964340bfe8444f0e4e72f3a06e44119f95282c65a0f43c5ed264d23581583a

Download Submit
memory/3780-162-0x00000000008F0000-0x000000000094B000-memory.dmp

Filesize
364KB

Download
memory/3780-163-0x0000000004F90000-0x0000000005534000-memory.dmp

Filesize
5.6MB

Download
memory/3780-164-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/3780-165-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/3780-166-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/3780-167-0x0000000000400000-0x0000000000820000-memory.dmp

Filesize
4.1MB

Download
memory/3780-169-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/3780-170-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/3780-171-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/3780-173-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-176-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-178-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-180-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-174-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-182-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-184-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-186-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-188-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-190-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-192-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-194-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-196-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-198-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-200-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-202-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-204-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-206-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-208-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-210-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-212-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-214-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-216-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-218-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-220-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-222-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-224-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-226-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-228-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-230-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download
memory/3780-232-0x0000000005540000-0x00000000055A0000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing