3577233e8b9ad2718ceb30b2a0e650e1c6e55bc44d0dcfd37da3ea0d5bf6c78f

General

Target

3577233e8b9ad2718ceb30b2a0e650e1c6e55bc44d0dcfd37da3ea0d5bf6c78f.exe
Size

690KB
MD5

644b4cdb5f0abec98232d153692849b8
SHA1

884935cc25d6cee17caa6e4ad5fff0a8266990f7
SHA256

3577233e8b9ad2718ceb30b2a0e650e1c6e55bc44d0dcfd37da3ea0d5bf6c78f
SHA512

8df55e0bfe9a6b84c7503f36a849b71ebd5850730f2f8dc6e52a86587cb7b928a6db3f1035ad4ed4b7f55a7bc7fa5017972ae104d1714ca8999946f9569a29c4
SSDEEP

12288:7y90S1y44DmrYDFMq6ed6U7ExQBBzZIJpjNxMSn7brL/rGX6U5Tv0s0x:7yc4RrYDp/57EMzZkjjM07b3/rGX6eTi

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2704	un325942.exe
4536	41350789.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3577233e8b9ad2718ceb30b2a0e650e1c6e55bc44d0dcfd37da3ea0d5bf6c78f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3577233e8b9ad2718ceb30b2a0e650e1c6e55bc44d0dcfd37da3ea0d5bf6c78f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un325942.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un325942.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4536	41350789.exe
4536	41350789.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4536	41350789.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 2704	1384	3577233e8b9ad2718ceb30b2a0e650e1c6e55bc44d0dcfd37da3ea0d5bf6c78f.exe	80
PID 1384 wrote to memory of 2704	1384	3577233e8b9ad2718ceb30b2a0e650e1c6e55bc44d0dcfd37da3ea0d5bf6c78f.exe	80
PID 1384 wrote to memory of 2704	1384	3577233e8b9ad2718ceb30b2a0e650e1c6e55bc44d0dcfd37da3ea0d5bf6c78f.exe	80
PID 2704 wrote to memory of 4536	2704	un325942.exe	82
PID 2704 wrote to memory of 4536	2704	un325942.exe	82
PID 2704 wrote to memory of 4536	2704	un325942.exe	82

C:\Users\Admin\AppData\Local\Temp\3577233e8b9ad2718ceb30b2a0e650e1c6e55bc44d0dcfd37da3ea0d5bf6c78f.exe
"C:\Users\Admin\AppData\Local\Temp\3577233e8b9ad2718ceb30b2a0e650e1c6e55bc44d0dcfd37da3ea0d5bf6c78f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un325942.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un325942.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\41350789.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\41350789.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un325942.exe

Filesize
536KB

MD5
8ebfb38433d1bee7ec9bc0c21de0e0c5

SHA1
6010922d7ebefe910f92ad3bfca63ff35de0dc89

SHA256
1c60ef70dec2dd0a17ccec26c2e92560d92431c0d763bf930d1acd6ac7aa6834

SHA512
b277f56954709bc466fba26bba1c39ca793b32228e4d005ec769fe66a7aaa588f0271c4f49ae675b75b7a2964f05136ab0ba727a9989557ef7e26508368581fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un325942.exe

Filesize
536KB

MD5
8ebfb38433d1bee7ec9bc0c21de0e0c5

SHA1
6010922d7ebefe910f92ad3bfca63ff35de0dc89

SHA256
1c60ef70dec2dd0a17ccec26c2e92560d92431c0d763bf930d1acd6ac7aa6834

SHA512
b277f56954709bc466fba26bba1c39ca793b32228e4d005ec769fe66a7aaa588f0271c4f49ae675b75b7a2964f05136ab0ba727a9989557ef7e26508368581fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\41350789.exe

Filesize
259KB

MD5
9e2522aae3412dd4b18a4166243d7029

SHA1
826eaa7af9db24f30c872363467397088fbc0daf

SHA256
33054e9609688176741b402b79830535109ef3f76d7fe2cb53decbcb16fe2de9

SHA512
4aa5ad5dc059cf8e9bb04a610cfb2a3fecd404539c8a84dd7095ea5bec065d03d7e6e6f4c7691ec13d1f0c0765502f25dad5ed9c7a60f8880bdc192c58e36e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\41350789.exe

Filesize
259KB

MD5
9e2522aae3412dd4b18a4166243d7029

SHA1
826eaa7af9db24f30c872363467397088fbc0daf

SHA256
33054e9609688176741b402b79830535109ef3f76d7fe2cb53decbcb16fe2de9

SHA512
4aa5ad5dc059cf8e9bb04a610cfb2a3fecd404539c8a84dd7095ea5bec065d03d7e6e6f4c7691ec13d1f0c0765502f25dad5ed9c7a60f8880bdc192c58e36e0c

Download Submit
memory/4536-148-0x00000000005D0000-0x00000000005FD000-memory.dmp

Filesize
180KB

Download
memory/4536-149-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4536-151-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4536-154-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/4536-155-0x0000000004BE0000-0x0000000005184000-memory.dmp

Filesize
5.6MB

Download
memory/4536-156-0x00000000024B0000-0x00000000024C3000-memory.dmp

Filesize
76KB

Download
memory/4536-157-0x00000000024B0000-0x00000000024C3000-memory.dmp

Filesize
76KB

Download
memory/4536-159-0x00000000024B0000-0x00000000024C3000-memory.dmp

Filesize
76KB

Download
memory/4536-161-0x00000000024B0000-0x00000000024C3000-memory.dmp

Filesize
76KB

Download
memory/4536-163-0x00000000024B0000-0x00000000024C3000-memory.dmp

Filesize
76KB

Download
memory/4536-171-0x00000000024B0000-0x00000000024C3000-memory.dmp

Filesize
76KB

Download
memory/4536-169-0x00000000024B0000-0x00000000024C3000-memory.dmp

Filesize
76KB

Download
memory/4536-167-0x00000000024B0000-0x00000000024C3000-memory.dmp

Filesize
76KB

Download
memory/4536-165-0x00000000024B0000-0x00000000024C3000-memory.dmp

Filesize
76KB

Download
memory/4536-173-0x00000000024B0000-0x00000000024C3000-memory.dmp

Filesize
76KB

Download
memory/4536-175-0x00000000024B0000-0x00000000024C3000-memory.dmp

Filesize
76KB

Download
memory/4536-177-0x00000000024B0000-0x00000000024C3000-memory.dmp

Filesize
76KB

Download
memory/4536-179-0x00000000024B0000-0x00000000024C3000-memory.dmp

Filesize
76KB

Download
memory/4536-181-0x00000000024B0000-0x00000000024C3000-memory.dmp

Filesize
76KB

Download
memory/4536-183-0x00000000024B0000-0x00000000024C3000-memory.dmp

Filesize
76KB

Download
memory/4536-184-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/4536-185-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/4536-187-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/4536-188-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/4536-189-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing