6ee58be9c45d2dde9b0ed9cf3839a3b2b42b98aaac5b6f0b1d959102abea6143

General

Target

6ee58be9c45d2dde9b0ed9cf3839a3b2b42b98aaac5b6f0b1d959102abea6143.exe
Size

376KB
MD5

86ad5363b07a531e067e7e25de8649c3
SHA1

a06a63656ee4cac53bdb96b2c69290d14e78caa7
SHA256

6ee58be9c45d2dde9b0ed9cf3839a3b2b42b98aaac5b6f0b1d959102abea6143
SHA512

c79a94400167d9421e051a06f7270f9b8f019933aeab5953e6ced545c90140ba471ed1b53556b9d6ae13737f9d653d59d059dd02cda9748ce05b3a21a5143bae
SSDEEP

6144:Kcy+bnr+ip0yN90QEwjInOtgSjORlfqXWLdy2a0CRDAO8MHIaqIWn0UnZKL1Fp7T:0MrWy902j5tLZXMyIeD5Fen0UnM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1064	x0046453.exe
660	g1082125.exe

Loads dropped DLL 4 IoCs

pid	Process
840	6ee58be9c45d2dde9b0ed9cf3839a3b2b42b98aaac5b6f0b1d959102abea6143.exe
1064	x0046453.exe
1064	x0046453.exe
660	g1082125.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6ee58be9c45d2dde9b0ed9cf3839a3b2b42b98aaac5b6f0b1d959102abea6143.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6ee58be9c45d2dde9b0ed9cf3839a3b2b42b98aaac5b6f0b1d959102abea6143.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x0046453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0046453.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 1064	840	6ee58be9c45d2dde9b0ed9cf3839a3b2b42b98aaac5b6f0b1d959102abea6143.exe	26
PID 840 wrote to memory of 1064	840	6ee58be9c45d2dde9b0ed9cf3839a3b2b42b98aaac5b6f0b1d959102abea6143.exe	26
PID 840 wrote to memory of 1064	840	6ee58be9c45d2dde9b0ed9cf3839a3b2b42b98aaac5b6f0b1d959102abea6143.exe	26
PID 840 wrote to memory of 1064	840	6ee58be9c45d2dde9b0ed9cf3839a3b2b42b98aaac5b6f0b1d959102abea6143.exe	26
PID 840 wrote to memory of 1064	840	6ee58be9c45d2dde9b0ed9cf3839a3b2b42b98aaac5b6f0b1d959102abea6143.exe	26
PID 840 wrote to memory of 1064	840	6ee58be9c45d2dde9b0ed9cf3839a3b2b42b98aaac5b6f0b1d959102abea6143.exe	26
PID 840 wrote to memory of 1064	840	6ee58be9c45d2dde9b0ed9cf3839a3b2b42b98aaac5b6f0b1d959102abea6143.exe	26
PID 1064 wrote to memory of 660	1064	x0046453.exe	27
PID 1064 wrote to memory of 660	1064	x0046453.exe	27
PID 1064 wrote to memory of 660	1064	x0046453.exe	27
PID 1064 wrote to memory of 660	1064	x0046453.exe	27
PID 1064 wrote to memory of 660	1064	x0046453.exe	27
PID 1064 wrote to memory of 660	1064	x0046453.exe	27
PID 1064 wrote to memory of 660	1064	x0046453.exe	27

C:\Users\Admin\AppData\Local\Temp\6ee58be9c45d2dde9b0ed9cf3839a3b2b42b98aaac5b6f0b1d959102abea6143.exe
"C:\Users\Admin\AppData\Local\Temp\6ee58be9c45d2dde9b0ed9cf3839a3b2b42b98aaac5b6f0b1d959102abea6143.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:840
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0046453.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0046453.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1082125.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1082125.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0046453.exe

Filesize
204KB

MD5
85ee37c563b723dafe467d127b174036

SHA1
bceac5dbc4d7f34f3eb650b487143721ed76e619

SHA256
35e929f092fd8a1d1a23364c9b405f0fe9ee6c4f3cf78a05269472c2c930a1c2

SHA512
0a7c9506f847d27d215a03270764fd7427ef9803d57517d125996eeec1b157192c577744b2d1471c1102b89a2372763501494d616fa3026398409b6b46853ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0046453.exe

Filesize
204KB

MD5
85ee37c563b723dafe467d127b174036

SHA1
bceac5dbc4d7f34f3eb650b487143721ed76e619

SHA256
35e929f092fd8a1d1a23364c9b405f0fe9ee6c4f3cf78a05269472c2c930a1c2

SHA512
0a7c9506f847d27d215a03270764fd7427ef9803d57517d125996eeec1b157192c577744b2d1471c1102b89a2372763501494d616fa3026398409b6b46853ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1082125.exe

Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1082125.exe

Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0046453.exe

Filesize
204KB

MD5
85ee37c563b723dafe467d127b174036

SHA1
bceac5dbc4d7f34f3eb650b487143721ed76e619

SHA256
35e929f092fd8a1d1a23364c9b405f0fe9ee6c4f3cf78a05269472c2c930a1c2

SHA512
0a7c9506f847d27d215a03270764fd7427ef9803d57517d125996eeec1b157192c577744b2d1471c1102b89a2372763501494d616fa3026398409b6b46853ef4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0046453.exe

Filesize
204KB

MD5
85ee37c563b723dafe467d127b174036

SHA1
bceac5dbc4d7f34f3eb650b487143721ed76e619

SHA256
35e929f092fd8a1d1a23364c9b405f0fe9ee6c4f3cf78a05269472c2c930a1c2

SHA512
0a7c9506f847d27d215a03270764fd7427ef9803d57517d125996eeec1b157192c577744b2d1471c1102b89a2372763501494d616fa3026398409b6b46853ef4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1082125.exe

Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1082125.exe

Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
memory/660-74-0x0000000000F80000-0x0000000000FA8000-memory.dmp

Filesize
160KB

Download
memory/660-75-0x0000000000EB0000-0x0000000000EF0000-memory.dmp

Filesize
256KB

Download
memory/660-76-0x0000000000EB0000-0x0000000000EF0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing