4f6a0ddfcb845de6b8486b0134b48e65ccfbc10ef394862baa6c4147e41f3bbe

General

Target

4f6a0ddfcb845de6b8486b0134b48e65ccfbc10ef394862baa6c4147e41f3bbe.exe
Size

479KB
MD5

a7197f87435b55aed36005c1d7a44054
SHA1

35673ff66b6ea4c9057a9e56d838511d29d2845e
SHA256

4f6a0ddfcb845de6b8486b0134b48e65ccfbc10ef394862baa6c4147e41f3bbe
SHA512

28a22752459740b48ead8ccb06160a525d1b4700edfb945c34ad0efd1202f495b76ede88e8139cc769decd425bf4cace41a3da7516c1a432c8a2181b0849abe0
SSDEEP

12288:nMrxy90FOgdm8vDKJgGZKVBPmGn88bwZpf30kpd:qyrWCVZUhS8c/30gd

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1744	x5782298.exe
1476	g2913555.exe

Loads dropped DLL 4 IoCs

pid	Process
1204	4f6a0ddfcb845de6b8486b0134b48e65ccfbc10ef394862baa6c4147e41f3bbe.exe
1744	x5782298.exe
1744	x5782298.exe
1476	g2913555.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4f6a0ddfcb845de6b8486b0134b48e65ccfbc10ef394862baa6c4147e41f3bbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4f6a0ddfcb845de6b8486b0134b48e65ccfbc10ef394862baa6c4147e41f3bbe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x5782298.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5782298.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 1744	1204	4f6a0ddfcb845de6b8486b0134b48e65ccfbc10ef394862baa6c4147e41f3bbe.exe	28
PID 1204 wrote to memory of 1744	1204	4f6a0ddfcb845de6b8486b0134b48e65ccfbc10ef394862baa6c4147e41f3bbe.exe	28
PID 1204 wrote to memory of 1744	1204	4f6a0ddfcb845de6b8486b0134b48e65ccfbc10ef394862baa6c4147e41f3bbe.exe	28
PID 1204 wrote to memory of 1744	1204	4f6a0ddfcb845de6b8486b0134b48e65ccfbc10ef394862baa6c4147e41f3bbe.exe	28
PID 1204 wrote to memory of 1744	1204	4f6a0ddfcb845de6b8486b0134b48e65ccfbc10ef394862baa6c4147e41f3bbe.exe	28
PID 1204 wrote to memory of 1744	1204	4f6a0ddfcb845de6b8486b0134b48e65ccfbc10ef394862baa6c4147e41f3bbe.exe	28
PID 1204 wrote to memory of 1744	1204	4f6a0ddfcb845de6b8486b0134b48e65ccfbc10ef394862baa6c4147e41f3bbe.exe	28
PID 1744 wrote to memory of 1476	1744	x5782298.exe	29
PID 1744 wrote to memory of 1476	1744	x5782298.exe	29
PID 1744 wrote to memory of 1476	1744	x5782298.exe	29
PID 1744 wrote to memory of 1476	1744	x5782298.exe	29
PID 1744 wrote to memory of 1476	1744	x5782298.exe	29
PID 1744 wrote to memory of 1476	1744	x5782298.exe	29
PID 1744 wrote to memory of 1476	1744	x5782298.exe	29

C:\Users\Admin\AppData\Local\Temp\4f6a0ddfcb845de6b8486b0134b48e65ccfbc10ef394862baa6c4147e41f3bbe.exe
"C:\Users\Admin\AppData\Local\Temp\4f6a0ddfcb845de6b8486b0134b48e65ccfbc10ef394862baa6c4147e41f3bbe.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5782298.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5782298.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2913555.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2913555.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5782298.exe

Filesize
308KB

MD5
c11417d0f2ae2e687434d7a8299428a0

SHA1
5e79129836d34a887322964f23d82f01f221d02e

SHA256
780ce1a07fc44af73bb29df7e5fefdb032a038811f93b3f0139a487242273af3

SHA512
c198bf6dfb7d890f1575fd60ed7e702f6bb452f8a06d87332a931a9dafb7893bdde2cc6d593aa605ba00cad72b80ace55e78c7a6ab99edd89e7a7baad47e17e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5782298.exe

Filesize
308KB

MD5
c11417d0f2ae2e687434d7a8299428a0

SHA1
5e79129836d34a887322964f23d82f01f221d02e

SHA256
780ce1a07fc44af73bb29df7e5fefdb032a038811f93b3f0139a487242273af3

SHA512
c198bf6dfb7d890f1575fd60ed7e702f6bb452f8a06d87332a931a9dafb7893bdde2cc6d593aa605ba00cad72b80ace55e78c7a6ab99edd89e7a7baad47e17e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2913555.exe

Filesize
136KB

MD5
4b2e594eefb2a3e883b2db4fae05f3b6

SHA1
2dd0cc22701588ff040fdba5ae91ac0044cf1e44

SHA256
975ec8b091898fff325c1d7ed26a13198985750592ec50e96d76d4d0ef12ce82

SHA512
c20665dbb80f63d0a62a8a29766d3492574234ee7c363beaae81bea3c46388b65435f8f98ce6cc5d723234369da05f2300b2ccc09fbded294f0cd4177778070b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2913555.exe

Filesize
136KB

MD5
4b2e594eefb2a3e883b2db4fae05f3b6

SHA1
2dd0cc22701588ff040fdba5ae91ac0044cf1e44

SHA256
975ec8b091898fff325c1d7ed26a13198985750592ec50e96d76d4d0ef12ce82

SHA512
c20665dbb80f63d0a62a8a29766d3492574234ee7c363beaae81bea3c46388b65435f8f98ce6cc5d723234369da05f2300b2ccc09fbded294f0cd4177778070b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5782298.exe

Filesize
308KB

MD5
c11417d0f2ae2e687434d7a8299428a0

SHA1
5e79129836d34a887322964f23d82f01f221d02e

SHA256
780ce1a07fc44af73bb29df7e5fefdb032a038811f93b3f0139a487242273af3

SHA512
c198bf6dfb7d890f1575fd60ed7e702f6bb452f8a06d87332a931a9dafb7893bdde2cc6d593aa605ba00cad72b80ace55e78c7a6ab99edd89e7a7baad47e17e2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5782298.exe

Filesize
308KB

MD5
c11417d0f2ae2e687434d7a8299428a0

SHA1
5e79129836d34a887322964f23d82f01f221d02e

SHA256
780ce1a07fc44af73bb29df7e5fefdb032a038811f93b3f0139a487242273af3

SHA512
c198bf6dfb7d890f1575fd60ed7e702f6bb452f8a06d87332a931a9dafb7893bdde2cc6d593aa605ba00cad72b80ace55e78c7a6ab99edd89e7a7baad47e17e2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2913555.exe

Filesize
136KB

MD5
4b2e594eefb2a3e883b2db4fae05f3b6

SHA1
2dd0cc22701588ff040fdba5ae91ac0044cf1e44

SHA256
975ec8b091898fff325c1d7ed26a13198985750592ec50e96d76d4d0ef12ce82

SHA512
c20665dbb80f63d0a62a8a29766d3492574234ee7c363beaae81bea3c46388b65435f8f98ce6cc5d723234369da05f2300b2ccc09fbded294f0cd4177778070b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g2913555.exe

Filesize
136KB

MD5
4b2e594eefb2a3e883b2db4fae05f3b6

SHA1
2dd0cc22701588ff040fdba5ae91ac0044cf1e44

SHA256
975ec8b091898fff325c1d7ed26a13198985750592ec50e96d76d4d0ef12ce82

SHA512
c20665dbb80f63d0a62a8a29766d3492574234ee7c363beaae81bea3c46388b65435f8f98ce6cc5d723234369da05f2300b2ccc09fbded294f0cd4177778070b

Download Submit
memory/1476-74-0x0000000001360000-0x0000000001388000-memory.dmp

Filesize
160KB

Download
memory/1476-75-0x0000000006FD0000-0x0000000007010000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing