3104452519098577043aa6b07ce22cd41447a3807c96f2037090185ae62bf194

General

Target

3104452519098577043aa6b07ce22cd41447a3807c96f2037090185ae62bf194.exe
Size

600KB
MD5

7f879c5078f21fe470e3aae4f7a242c8
SHA1

d6be024f66129ce6eb455874776d2a4b87c5ad3c
SHA256

3104452519098577043aa6b07ce22cd41447a3807c96f2037090185ae62bf194
SHA512

cdd89a235aa898187f10c1b8f1cf357623d5d1930f8d777d318cfa9e8cbc2ab26afb6663e47d7685b10863546a1a0e85aea2920fdd9892ce383d9c79178a1a36
SSDEEP

12288:rMruy90ZAhzXWg0ywSav9BGEZqj1u90Helkn/pFh/JRS21JVUVZo:ZyD0yGVEEZqhe0HeOn/p3/TD1J2no

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1752	y6502237.exe
988	k1062174.exe

Loads dropped DLL 4 IoCs

pid	Process
2028	3104452519098577043aa6b07ce22cd41447a3807c96f2037090185ae62bf194.exe
1752	y6502237.exe
1752	y6502237.exe
988	k1062174.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3104452519098577043aa6b07ce22cd41447a3807c96f2037090185ae62bf194.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y6502237.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6502237.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3104452519098577043aa6b07ce22cd41447a3807c96f2037090185ae62bf194.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1752	2028	3104452519098577043aa6b07ce22cd41447a3807c96f2037090185ae62bf194.exe	28
PID 2028 wrote to memory of 1752	2028	3104452519098577043aa6b07ce22cd41447a3807c96f2037090185ae62bf194.exe	28
PID 2028 wrote to memory of 1752	2028	3104452519098577043aa6b07ce22cd41447a3807c96f2037090185ae62bf194.exe	28
PID 2028 wrote to memory of 1752	2028	3104452519098577043aa6b07ce22cd41447a3807c96f2037090185ae62bf194.exe	28
PID 2028 wrote to memory of 1752	2028	3104452519098577043aa6b07ce22cd41447a3807c96f2037090185ae62bf194.exe	28
PID 2028 wrote to memory of 1752	2028	3104452519098577043aa6b07ce22cd41447a3807c96f2037090185ae62bf194.exe	28
PID 2028 wrote to memory of 1752	2028	3104452519098577043aa6b07ce22cd41447a3807c96f2037090185ae62bf194.exe	28
PID 1752 wrote to memory of 988	1752	y6502237.exe	29
PID 1752 wrote to memory of 988	1752	y6502237.exe	29
PID 1752 wrote to memory of 988	1752	y6502237.exe	29
PID 1752 wrote to memory of 988	1752	y6502237.exe	29
PID 1752 wrote to memory of 988	1752	y6502237.exe	29
PID 1752 wrote to memory of 988	1752	y6502237.exe	29
PID 1752 wrote to memory of 988	1752	y6502237.exe	29

C:\Users\Admin\AppData\Local\Temp\3104452519098577043aa6b07ce22cd41447a3807c96f2037090185ae62bf194.exe
"C:\Users\Admin\AppData\Local\Temp\3104452519098577043aa6b07ce22cd41447a3807c96f2037090185ae62bf194.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6502237.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6502237.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1062174.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1062174.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6502237.exe

Filesize
307KB

MD5
4739e13004ceb6ed5976a1e12d2c7b48

SHA1
8e20e6e29d8f1b5d6dde4f04fa225b7a08ff506c

SHA256
63ddbc3615fbd9f5c65d98aec255ecc0f636258db9e11e07a8b5485d7ef95a59

SHA512
29094d961269003932211586d705aac5c86f665c6e734a562da7873a98b2343d7938fcda8ecb6ff0690f453c58c464c283a0946364f188b1fcf356607fecb9d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6502237.exe

Filesize
307KB

MD5
4739e13004ceb6ed5976a1e12d2c7b48

SHA1
8e20e6e29d8f1b5d6dde4f04fa225b7a08ff506c

SHA256
63ddbc3615fbd9f5c65d98aec255ecc0f636258db9e11e07a8b5485d7ef95a59

SHA512
29094d961269003932211586d705aac5c86f665c6e734a562da7873a98b2343d7938fcda8ecb6ff0690f453c58c464c283a0946364f188b1fcf356607fecb9d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1062174.exe

Filesize
136KB

MD5
c2d4dd7877b80ec0e2cd76dfe12c7fe7

SHA1
78bd3110d1a3be940a4df9b71748242e3b46b310

SHA256
870df0572b5ed6417e9a7b8e39781812e1e6eebe6dc4463b85cc8679edf0cdf2

SHA512
7934a46507497bc59109c0a3c55e4a40acb82b7818448fe4b7248781ed32aecdb3795d52298ffa196ae287b2bc24f5ac653cb37338deb640b32b7e636e662693

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1062174.exe

Filesize
136KB

MD5
c2d4dd7877b80ec0e2cd76dfe12c7fe7

SHA1
78bd3110d1a3be940a4df9b71748242e3b46b310

SHA256
870df0572b5ed6417e9a7b8e39781812e1e6eebe6dc4463b85cc8679edf0cdf2

SHA512
7934a46507497bc59109c0a3c55e4a40acb82b7818448fe4b7248781ed32aecdb3795d52298ffa196ae287b2bc24f5ac653cb37338deb640b32b7e636e662693

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6502237.exe

Filesize
307KB

MD5
4739e13004ceb6ed5976a1e12d2c7b48

SHA1
8e20e6e29d8f1b5d6dde4f04fa225b7a08ff506c

SHA256
63ddbc3615fbd9f5c65d98aec255ecc0f636258db9e11e07a8b5485d7ef95a59

SHA512
29094d961269003932211586d705aac5c86f665c6e734a562da7873a98b2343d7938fcda8ecb6ff0690f453c58c464c283a0946364f188b1fcf356607fecb9d3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6502237.exe

Filesize
307KB

MD5
4739e13004ceb6ed5976a1e12d2c7b48

SHA1
8e20e6e29d8f1b5d6dde4f04fa225b7a08ff506c

SHA256
63ddbc3615fbd9f5c65d98aec255ecc0f636258db9e11e07a8b5485d7ef95a59

SHA512
29094d961269003932211586d705aac5c86f665c6e734a562da7873a98b2343d7938fcda8ecb6ff0690f453c58c464c283a0946364f188b1fcf356607fecb9d3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1062174.exe

Filesize
136KB

MD5
c2d4dd7877b80ec0e2cd76dfe12c7fe7

SHA1
78bd3110d1a3be940a4df9b71748242e3b46b310

SHA256
870df0572b5ed6417e9a7b8e39781812e1e6eebe6dc4463b85cc8679edf0cdf2

SHA512
7934a46507497bc59109c0a3c55e4a40acb82b7818448fe4b7248781ed32aecdb3795d52298ffa196ae287b2bc24f5ac653cb37338deb640b32b7e636e662693

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1062174.exe

Filesize
136KB

MD5
c2d4dd7877b80ec0e2cd76dfe12c7fe7

SHA1
78bd3110d1a3be940a4df9b71748242e3b46b310

SHA256
870df0572b5ed6417e9a7b8e39781812e1e6eebe6dc4463b85cc8679edf0cdf2

SHA512
7934a46507497bc59109c0a3c55e4a40acb82b7818448fe4b7248781ed32aecdb3795d52298ffa196ae287b2bc24f5ac653cb37338deb640b32b7e636e662693

Download Submit
memory/988-74-0x0000000000C10000-0x0000000000C38000-memory.dmp

Filesize
160KB

Download
memory/988-75-0x0000000000FD0000-0x0000000001010000-memory.dmp

Filesize
256KB

Download
memory/988-76-0x0000000000FD0000-0x0000000001010000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing