6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946

General

Target

6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946.exe
Size

599KB
MD5

f9c4f59cc3034acec0079ccc1f951de5
SHA1

307ded1af15fa207749141ac113e61cf54127867
SHA256

6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946
SHA512

7b872ef3ef9e77ec03f3badfc0ccda854985abf07aa50b1218f599426bd9502a468d78201b7a0fab5ecc211a09fd20da5d300720ad14c2445be0d4fd46466f52
SSDEEP

12288:RMrSy90XAKQcuXPSoX1IVSjo+PL2rdAoyTAFqyLVCaA:nybcuagas12rdAi4yJCaA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1896	y4153654.exe
616	k3040335.exe

Loads dropped DLL 4 IoCs

pid	Process
1948	6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946.exe
1896	y4153654.exe
1896	y4153654.exe
616	k3040335.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y4153654.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y4153654.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1896	1948	6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946.exe	28
PID 1948 wrote to memory of 1896	1948	6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946.exe	28
PID 1948 wrote to memory of 1896	1948	6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946.exe	28
PID 1948 wrote to memory of 1896	1948	6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946.exe	28
PID 1948 wrote to memory of 1896	1948	6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946.exe	28
PID 1948 wrote to memory of 1896	1948	6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946.exe	28
PID 1948 wrote to memory of 1896	1948	6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946.exe	28
PID 1896 wrote to memory of 616	1896	y4153654.exe	29
PID 1896 wrote to memory of 616	1896	y4153654.exe	29
PID 1896 wrote to memory of 616	1896	y4153654.exe	29
PID 1896 wrote to memory of 616	1896	y4153654.exe	29
PID 1896 wrote to memory of 616	1896	y4153654.exe	29
PID 1896 wrote to memory of 616	1896	y4153654.exe	29
PID 1896 wrote to memory of 616	1896	y4153654.exe	29

C:\Users\Admin\AppData\Local\Temp\6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946.exe
"C:\Users\Admin\AppData\Local\Temp\6b574eaeec32a51c4dac2e7894427e00a19470f357215369c1545528c8659946.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4153654.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4153654.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3040335.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3040335.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4153654.exe

Filesize
307KB

MD5
0cf32d7bfdc4cd051602a48d4bc0afd2

SHA1
1cc6dd89c0b437d5c15fcb014990ac53a2769b8f

SHA256
b73d144854f0a6c067c0fd5a7fdc8033feb42d9e65a874913a81aa6e61eb9808

SHA512
fe0782218800e83b1ac89aab8680de09e8be7e817abc4865b10c5001134675fb5c2d00abbf7e3e80500e205a5fe90789901c8c493ce85fae91e7333fc2b7438f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4153654.exe

Filesize
307KB

MD5
0cf32d7bfdc4cd051602a48d4bc0afd2

SHA1
1cc6dd89c0b437d5c15fcb014990ac53a2769b8f

SHA256
b73d144854f0a6c067c0fd5a7fdc8033feb42d9e65a874913a81aa6e61eb9808

SHA512
fe0782218800e83b1ac89aab8680de09e8be7e817abc4865b10c5001134675fb5c2d00abbf7e3e80500e205a5fe90789901c8c493ce85fae91e7333fc2b7438f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3040335.exe

Filesize
136KB

MD5
3b1bbea931ba12fb6b21ba5ac2b3bb49

SHA1
b467c8c888978b515513df42e2c510df6c1dfc70

SHA256
18a5a4abccb59f7209784d821509200eece702db17c448b23834de9d95d0938d

SHA512
7ffb694a675c6975cbe1cdddd9fd005de62449ab5f032479610183e6fe3c22f4f74f7c21d6eb6cbc6e89069bf04906025d2b5b7e984769152d8b435811b9e358

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3040335.exe

Filesize
136KB

MD5
3b1bbea931ba12fb6b21ba5ac2b3bb49

SHA1
b467c8c888978b515513df42e2c510df6c1dfc70

SHA256
18a5a4abccb59f7209784d821509200eece702db17c448b23834de9d95d0938d

SHA512
7ffb694a675c6975cbe1cdddd9fd005de62449ab5f032479610183e6fe3c22f4f74f7c21d6eb6cbc6e89069bf04906025d2b5b7e984769152d8b435811b9e358

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4153654.exe

Filesize
307KB

MD5
0cf32d7bfdc4cd051602a48d4bc0afd2

SHA1
1cc6dd89c0b437d5c15fcb014990ac53a2769b8f

SHA256
b73d144854f0a6c067c0fd5a7fdc8033feb42d9e65a874913a81aa6e61eb9808

SHA512
fe0782218800e83b1ac89aab8680de09e8be7e817abc4865b10c5001134675fb5c2d00abbf7e3e80500e205a5fe90789901c8c493ce85fae91e7333fc2b7438f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4153654.exe

Filesize
307KB

MD5
0cf32d7bfdc4cd051602a48d4bc0afd2

SHA1
1cc6dd89c0b437d5c15fcb014990ac53a2769b8f

SHA256
b73d144854f0a6c067c0fd5a7fdc8033feb42d9e65a874913a81aa6e61eb9808

SHA512
fe0782218800e83b1ac89aab8680de09e8be7e817abc4865b10c5001134675fb5c2d00abbf7e3e80500e205a5fe90789901c8c493ce85fae91e7333fc2b7438f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3040335.exe

Filesize
136KB

MD5
3b1bbea931ba12fb6b21ba5ac2b3bb49

SHA1
b467c8c888978b515513df42e2c510df6c1dfc70

SHA256
18a5a4abccb59f7209784d821509200eece702db17c448b23834de9d95d0938d

SHA512
7ffb694a675c6975cbe1cdddd9fd005de62449ab5f032479610183e6fe3c22f4f74f7c21d6eb6cbc6e89069bf04906025d2b5b7e984769152d8b435811b9e358

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3040335.exe

Filesize
136KB

MD5
3b1bbea931ba12fb6b21ba5ac2b3bb49

SHA1
b467c8c888978b515513df42e2c510df6c1dfc70

SHA256
18a5a4abccb59f7209784d821509200eece702db17c448b23834de9d95d0938d

SHA512
7ffb694a675c6975cbe1cdddd9fd005de62449ab5f032479610183e6fe3c22f4f74f7c21d6eb6cbc6e89069bf04906025d2b5b7e984769152d8b435811b9e358

Download Submit
memory/616-74-0x00000000003B0000-0x00000000003D8000-memory.dmp

Filesize
160KB

Download
memory/616-75-0x00000000070A0000-0x00000000070E0000-memory.dmp

Filesize
256KB

Download
memory/616-76-0x00000000070A0000-0x00000000070E0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing