03a73f19aa95fc6e4f62d4f10e8d71f9105130ccfd744a7fd50dbc0d47255c54

General

Target

03a73f19aa95fc6e4f62d4f10e8d71f9105130ccfd744a7fd50dbc0d47255c54.exe
Size

590KB
MD5

a36b0d621a003aa139cf1f479ded80dd
SHA1

a36ca2680b286434ef3220648c24ebd606170363
SHA256

03a73f19aa95fc6e4f62d4f10e8d71f9105130ccfd744a7fd50dbc0d47255c54
SHA512

686001de570e2cd64913b4475abb2d830b24ef8f0121f5158b609366633c190bcb8b33683fe94bf3e71282243b5060985be99356906f75d95ce9394d645fff18
SSDEEP

12288:aMr3y90ooCaS3XR/yjzp0GGTawi+PU1nlVhG8LjI5S:tyGCBh/y3psTM0mGqjWS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1128	x2514080.exe
1696	g8366232.exe

Loads dropped DLL 4 IoCs

pid	Process
920	03a73f19aa95fc6e4f62d4f10e8d71f9105130ccfd744a7fd50dbc0d47255c54.exe
1128	x2514080.exe
1128	x2514080.exe
1696	g8366232.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	03a73f19aa95fc6e4f62d4f10e8d71f9105130ccfd744a7fd50dbc0d47255c54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	03a73f19aa95fc6e4f62d4f10e8d71f9105130ccfd744a7fd50dbc0d47255c54.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2514080.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2514080.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 1128	920	03a73f19aa95fc6e4f62d4f10e8d71f9105130ccfd744a7fd50dbc0d47255c54.exe	27
PID 920 wrote to memory of 1128	920	03a73f19aa95fc6e4f62d4f10e8d71f9105130ccfd744a7fd50dbc0d47255c54.exe	27
PID 920 wrote to memory of 1128	920	03a73f19aa95fc6e4f62d4f10e8d71f9105130ccfd744a7fd50dbc0d47255c54.exe	27
PID 920 wrote to memory of 1128	920	03a73f19aa95fc6e4f62d4f10e8d71f9105130ccfd744a7fd50dbc0d47255c54.exe	27
PID 920 wrote to memory of 1128	920	03a73f19aa95fc6e4f62d4f10e8d71f9105130ccfd744a7fd50dbc0d47255c54.exe	27
PID 920 wrote to memory of 1128	920	03a73f19aa95fc6e4f62d4f10e8d71f9105130ccfd744a7fd50dbc0d47255c54.exe	27
PID 920 wrote to memory of 1128	920	03a73f19aa95fc6e4f62d4f10e8d71f9105130ccfd744a7fd50dbc0d47255c54.exe	27
PID 1128 wrote to memory of 1696	1128	x2514080.exe	28
PID 1128 wrote to memory of 1696	1128	x2514080.exe	28
PID 1128 wrote to memory of 1696	1128	x2514080.exe	28
PID 1128 wrote to memory of 1696	1128	x2514080.exe	28
PID 1128 wrote to memory of 1696	1128	x2514080.exe	28
PID 1128 wrote to memory of 1696	1128	x2514080.exe	28
PID 1128 wrote to memory of 1696	1128	x2514080.exe	28

C:\Users\Admin\AppData\Local\Temp\03a73f19aa95fc6e4f62d4f10e8d71f9105130ccfd744a7fd50dbc0d47255c54.exe
"C:\Users\Admin\AppData\Local\Temp\03a73f19aa95fc6e4f62d4f10e8d71f9105130ccfd744a7fd50dbc0d47255c54.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:920
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2514080.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2514080.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8366232.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8366232.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2514080.exe

Filesize
417KB

MD5
5031bfb2407d4c9dcc5386c8efeb8c18

SHA1
dc3f1892860ca19f821e72b34a2c28ce476825f3

SHA256
68e56da1189f6a2e6cc3cbfea5d23ea9aa5cff6abe4c3fe99c2290c2c8e5ed4d

SHA512
895631e7a917eafc8333e32b94e651c27f28b2db75b229949c42dec634f7e8032b6c6648db1edd4d977d3f075f50abe83ab8f955e4c59f70425f61ba0e7b0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2514080.exe

Filesize
417KB

MD5
5031bfb2407d4c9dcc5386c8efeb8c18

SHA1
dc3f1892860ca19f821e72b34a2c28ce476825f3

SHA256
68e56da1189f6a2e6cc3cbfea5d23ea9aa5cff6abe4c3fe99c2290c2c8e5ed4d

SHA512
895631e7a917eafc8333e32b94e651c27f28b2db75b229949c42dec634f7e8032b6c6648db1edd4d977d3f075f50abe83ab8f955e4c59f70425f61ba0e7b0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8366232.exe

Filesize
136KB

MD5
f7bb9e130b8a87b03e9851ddcae626ea

SHA1
04c88d6a0eaff09e9cd494697b6cfcbb265b14a1

SHA256
0df9a50ff06e2cac63341e6dc87c533108a835dace1c6d8820b04622e5d8b945

SHA512
183a1569b36c659ae422f36bb020c18c4141af2a121a1e23bb6d2328fa42fa316624a70b1b762be9dffae3c848f50f98d4345f24bb80e8c0b7f2529abf070a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8366232.exe

Filesize
136KB

MD5
f7bb9e130b8a87b03e9851ddcae626ea

SHA1
04c88d6a0eaff09e9cd494697b6cfcbb265b14a1

SHA256
0df9a50ff06e2cac63341e6dc87c533108a835dace1c6d8820b04622e5d8b945

SHA512
183a1569b36c659ae422f36bb020c18c4141af2a121a1e23bb6d2328fa42fa316624a70b1b762be9dffae3c848f50f98d4345f24bb80e8c0b7f2529abf070a23

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2514080.exe

Filesize
417KB

MD5
5031bfb2407d4c9dcc5386c8efeb8c18

SHA1
dc3f1892860ca19f821e72b34a2c28ce476825f3

SHA256
68e56da1189f6a2e6cc3cbfea5d23ea9aa5cff6abe4c3fe99c2290c2c8e5ed4d

SHA512
895631e7a917eafc8333e32b94e651c27f28b2db75b229949c42dec634f7e8032b6c6648db1edd4d977d3f075f50abe83ab8f955e4c59f70425f61ba0e7b0fd5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2514080.exe

Filesize
417KB

MD5
5031bfb2407d4c9dcc5386c8efeb8c18

SHA1
dc3f1892860ca19f821e72b34a2c28ce476825f3

SHA256
68e56da1189f6a2e6cc3cbfea5d23ea9aa5cff6abe4c3fe99c2290c2c8e5ed4d

SHA512
895631e7a917eafc8333e32b94e651c27f28b2db75b229949c42dec634f7e8032b6c6648db1edd4d977d3f075f50abe83ab8f955e4c59f70425f61ba0e7b0fd5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8366232.exe

Filesize
136KB

MD5
f7bb9e130b8a87b03e9851ddcae626ea

SHA1
04c88d6a0eaff09e9cd494697b6cfcbb265b14a1

SHA256
0df9a50ff06e2cac63341e6dc87c533108a835dace1c6d8820b04622e5d8b945

SHA512
183a1569b36c659ae422f36bb020c18c4141af2a121a1e23bb6d2328fa42fa316624a70b1b762be9dffae3c848f50f98d4345f24bb80e8c0b7f2529abf070a23

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8366232.exe

Filesize
136KB

MD5
f7bb9e130b8a87b03e9851ddcae626ea

SHA1
04c88d6a0eaff09e9cd494697b6cfcbb265b14a1

SHA256
0df9a50ff06e2cac63341e6dc87c533108a835dace1c6d8820b04622e5d8b945

SHA512
183a1569b36c659ae422f36bb020c18c4141af2a121a1e23bb6d2328fa42fa316624a70b1b762be9dffae3c848f50f98d4345f24bb80e8c0b7f2529abf070a23

Download Submit
memory/1696-74-0x0000000000EE0000-0x0000000000F08000-memory.dmp

Filesize
160KB

Download
memory/1696-75-0x00000000072C0000-0x0000000007300000-memory.dmp

Filesize
256KB

Download
memory/1696-76-0x00000000072C0000-0x0000000007300000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing