4c9c4137c1b1921d422a3d0bf1eb7ba66b49c0aa34dc16ba426b671e0a72cf7d

General

Target

4c9c4137c1b1921d422a3d0bf1eb7ba66b49c0aa34dc16ba426b671e0a72cf7d.exe
Size

710KB
MD5

99b40772264c72e5f5f3d85d938d207f
SHA1

e51cea7844631710330d1bbc6052c7cf4f32ce90
SHA256

4c9c4137c1b1921d422a3d0bf1eb7ba66b49c0aa34dc16ba426b671e0a72cf7d
SHA512

49f61cb87343e2bed7e6c29c80b772dd96da0b231b35cbbfba4c520bba21e93c6acb5017b90eafb755427bb22e27a09840cb820a89ac8bc7a83e84c62606ed43
SSDEEP

12288:aMr1y90UWACGfbFvTtoxlqaQv4tPTICWjQim6xodJTxtGouiHKqyZblJ2oso:/yThGxE4tPdWjQT6AttGoui8fwo9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2024	x4762399.exe
1160	g4508456.exe

Loads dropped DLL 4 IoCs

pid	Process
1268	4c9c4137c1b1921d422a3d0bf1eb7ba66b49c0aa34dc16ba426b671e0a72cf7d.exe
2024	x4762399.exe
2024	x4762399.exe
1160	g4508456.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4c9c4137c1b1921d422a3d0bf1eb7ba66b49c0aa34dc16ba426b671e0a72cf7d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4c9c4137c1b1921d422a3d0bf1eb7ba66b49c0aa34dc16ba426b671e0a72cf7d.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x4762399.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4762399.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 2024	1268	4c9c4137c1b1921d422a3d0bf1eb7ba66b49c0aa34dc16ba426b671e0a72cf7d.exe	26
PID 1268 wrote to memory of 2024	1268	4c9c4137c1b1921d422a3d0bf1eb7ba66b49c0aa34dc16ba426b671e0a72cf7d.exe	26
PID 1268 wrote to memory of 2024	1268	4c9c4137c1b1921d422a3d0bf1eb7ba66b49c0aa34dc16ba426b671e0a72cf7d.exe	26
PID 1268 wrote to memory of 2024	1268	4c9c4137c1b1921d422a3d0bf1eb7ba66b49c0aa34dc16ba426b671e0a72cf7d.exe	26
PID 1268 wrote to memory of 2024	1268	4c9c4137c1b1921d422a3d0bf1eb7ba66b49c0aa34dc16ba426b671e0a72cf7d.exe	26
PID 1268 wrote to memory of 2024	1268	4c9c4137c1b1921d422a3d0bf1eb7ba66b49c0aa34dc16ba426b671e0a72cf7d.exe	26
PID 1268 wrote to memory of 2024	1268	4c9c4137c1b1921d422a3d0bf1eb7ba66b49c0aa34dc16ba426b671e0a72cf7d.exe	26
PID 2024 wrote to memory of 1160	2024	x4762399.exe	27
PID 2024 wrote to memory of 1160	2024	x4762399.exe	27
PID 2024 wrote to memory of 1160	2024	x4762399.exe	27
PID 2024 wrote to memory of 1160	2024	x4762399.exe	27
PID 2024 wrote to memory of 1160	2024	x4762399.exe	27
PID 2024 wrote to memory of 1160	2024	x4762399.exe	27
PID 2024 wrote to memory of 1160	2024	x4762399.exe	27

C:\Users\Admin\AppData\Local\Temp\4c9c4137c1b1921d422a3d0bf1eb7ba66b49c0aa34dc16ba426b671e0a72cf7d.exe
"C:\Users\Admin\AppData\Local\Temp\4c9c4137c1b1921d422a3d0bf1eb7ba66b49c0aa34dc16ba426b671e0a72cf7d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4762399.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4762399.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4508456.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4508456.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4762399.exe

Filesize
417KB

MD5
244da7d9330990df1553d88f235e4bda

SHA1
e36913cd71389a83d98311eb9c27842cbdd201ad

SHA256
093184106cc9fd7648878dde2c4d1e34b7d708752b384958c05e69e89fa57172

SHA512
1e4667e46f22bc7c1261177683530f76c203c6202a5460aa1189739333d09b245baf456fcacc2612c591e193f0afe73d344d6e0ac12c1cd9e2d14dc89074fe20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4762399.exe

Filesize
417KB

MD5
244da7d9330990df1553d88f235e4bda

SHA1
e36913cd71389a83d98311eb9c27842cbdd201ad

SHA256
093184106cc9fd7648878dde2c4d1e34b7d708752b384958c05e69e89fa57172

SHA512
1e4667e46f22bc7c1261177683530f76c203c6202a5460aa1189739333d09b245baf456fcacc2612c591e193f0afe73d344d6e0ac12c1cd9e2d14dc89074fe20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4508456.exe

Filesize
136KB

MD5
d182e542f5ab0a58cbc306ee9f47aa0c

SHA1
4d2e7bbd3c919a40aae16a7da1439da558f788aa

SHA256
337b8e5faae8fbb4c8bcbed4c1411b5a0fb0a92233e213a079dbf66dcf079249

SHA512
e0351b3540725cbe98bdad85d46f6cccd15198ac0933f5c059d82a2085ea6cf809fa9ee8cb002401b0eea61bc68fd8541c2ddc6e7da3f7456afb192674eb7f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4508456.exe

Filesize
136KB

MD5
d182e542f5ab0a58cbc306ee9f47aa0c

SHA1
4d2e7bbd3c919a40aae16a7da1439da558f788aa

SHA256
337b8e5faae8fbb4c8bcbed4c1411b5a0fb0a92233e213a079dbf66dcf079249

SHA512
e0351b3540725cbe98bdad85d46f6cccd15198ac0933f5c059d82a2085ea6cf809fa9ee8cb002401b0eea61bc68fd8541c2ddc6e7da3f7456afb192674eb7f8b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4762399.exe

Filesize
417KB

MD5
244da7d9330990df1553d88f235e4bda

SHA1
e36913cd71389a83d98311eb9c27842cbdd201ad

SHA256
093184106cc9fd7648878dde2c4d1e34b7d708752b384958c05e69e89fa57172

SHA512
1e4667e46f22bc7c1261177683530f76c203c6202a5460aa1189739333d09b245baf456fcacc2612c591e193f0afe73d344d6e0ac12c1cd9e2d14dc89074fe20

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4762399.exe

Filesize
417KB

MD5
244da7d9330990df1553d88f235e4bda

SHA1
e36913cd71389a83d98311eb9c27842cbdd201ad

SHA256
093184106cc9fd7648878dde2c4d1e34b7d708752b384958c05e69e89fa57172

SHA512
1e4667e46f22bc7c1261177683530f76c203c6202a5460aa1189739333d09b245baf456fcacc2612c591e193f0afe73d344d6e0ac12c1cd9e2d14dc89074fe20

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4508456.exe

Filesize
136KB

MD5
d182e542f5ab0a58cbc306ee9f47aa0c

SHA1
4d2e7bbd3c919a40aae16a7da1439da558f788aa

SHA256
337b8e5faae8fbb4c8bcbed4c1411b5a0fb0a92233e213a079dbf66dcf079249

SHA512
e0351b3540725cbe98bdad85d46f6cccd15198ac0933f5c059d82a2085ea6cf809fa9ee8cb002401b0eea61bc68fd8541c2ddc6e7da3f7456afb192674eb7f8b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4508456.exe

Filesize
136KB

MD5
d182e542f5ab0a58cbc306ee9f47aa0c

SHA1
4d2e7bbd3c919a40aae16a7da1439da558f788aa

SHA256
337b8e5faae8fbb4c8bcbed4c1411b5a0fb0a92233e213a079dbf66dcf079249

SHA512
e0351b3540725cbe98bdad85d46f6cccd15198ac0933f5c059d82a2085ea6cf809fa9ee8cb002401b0eea61bc68fd8541c2ddc6e7da3f7456afb192674eb7f8b

Download Submit
memory/1160-74-0x00000000010D0000-0x00000000010F8000-memory.dmp

Filesize
160KB

Download
memory/1160-75-0x0000000000C80000-0x0000000000CC0000-memory.dmp

Filesize
256KB

Download
memory/1160-76-0x0000000000C80000-0x0000000000CC0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing