39f9a702e63ee55ee32bb7e769876d08a0af106821f2ad016771d2048f0d9f68

General

Target

39f9a702e63ee55ee32bb7e769876d08a0af106821f2ad016771d2048f0d9f68.exe
Size

599KB
MD5

5c51ba6f5b3ecd92ae58cd0f5d540c86
SHA1

5be06b0c94b97c193ee15d375925080cd034b166
SHA256

39f9a702e63ee55ee32bb7e769876d08a0af106821f2ad016771d2048f0d9f68
SHA512

397f33530d24b406e53b173b60ca45d6d736a4110e501a071e13436b068520122fad862da47fad7cdc909b2dc2d6ac505e6928c1a93c1055bfa1ffaee440112c
SSDEEP

12288:2Mr+y90Fz/rwKcSLHzSSUX8FClTpCoOPXsqpH/vEb5NoVuJbLYZfzXvoLPG99Y:syu3wGTSSwuOTp1OPXz5oNowmfTge9a

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1636	y1897711.exe
1960	k5946007.exe

Loads dropped DLL 4 IoCs

pid	Process
868	39f9a702e63ee55ee32bb7e769876d08a0af106821f2ad016771d2048f0d9f68.exe
1636	y1897711.exe
1636	y1897711.exe
1960	k5946007.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	39f9a702e63ee55ee32bb7e769876d08a0af106821f2ad016771d2048f0d9f68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	39f9a702e63ee55ee32bb7e769876d08a0af106821f2ad016771d2048f0d9f68.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1897711.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1897711.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 1636	868	39f9a702e63ee55ee32bb7e769876d08a0af106821f2ad016771d2048f0d9f68.exe	28
PID 868 wrote to memory of 1636	868	39f9a702e63ee55ee32bb7e769876d08a0af106821f2ad016771d2048f0d9f68.exe	28
PID 868 wrote to memory of 1636	868	39f9a702e63ee55ee32bb7e769876d08a0af106821f2ad016771d2048f0d9f68.exe	28
PID 868 wrote to memory of 1636	868	39f9a702e63ee55ee32bb7e769876d08a0af106821f2ad016771d2048f0d9f68.exe	28
PID 868 wrote to memory of 1636	868	39f9a702e63ee55ee32bb7e769876d08a0af106821f2ad016771d2048f0d9f68.exe	28
PID 868 wrote to memory of 1636	868	39f9a702e63ee55ee32bb7e769876d08a0af106821f2ad016771d2048f0d9f68.exe	28
PID 868 wrote to memory of 1636	868	39f9a702e63ee55ee32bb7e769876d08a0af106821f2ad016771d2048f0d9f68.exe	28
PID 1636 wrote to memory of 1960	1636	y1897711.exe	29
PID 1636 wrote to memory of 1960	1636	y1897711.exe	29
PID 1636 wrote to memory of 1960	1636	y1897711.exe	29
PID 1636 wrote to memory of 1960	1636	y1897711.exe	29
PID 1636 wrote to memory of 1960	1636	y1897711.exe	29
PID 1636 wrote to memory of 1960	1636	y1897711.exe	29
PID 1636 wrote to memory of 1960	1636	y1897711.exe	29

C:\Users\Admin\AppData\Local\Temp\39f9a702e63ee55ee32bb7e769876d08a0af106821f2ad016771d2048f0d9f68.exe
"C:\Users\Admin\AppData\Local\Temp\39f9a702e63ee55ee32bb7e769876d08a0af106821f2ad016771d2048f0d9f68.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:868
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1897711.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1897711.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5946007.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5946007.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1897711.exe

Filesize
307KB

MD5
7ff7b739031911d5c4fba0acbce631fd

SHA1
b5055af71894fe6e9f985333c830a3dbf6ad1dc0

SHA256
cc5b775dae68959d3fcf1e0bbaec601d5ee9158fd75c6af922821b42d3e75d97

SHA512
38e1ebe6fae38328d688059868360c0d66665fbbce835d25e51370f97ef96e62c605c7d373d4d0b98908e8cd7ac4aae13b8674c1992ca43b9819567a008dd057

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1897711.exe

Filesize
307KB

MD5
7ff7b739031911d5c4fba0acbce631fd

SHA1
b5055af71894fe6e9f985333c830a3dbf6ad1dc0

SHA256
cc5b775dae68959d3fcf1e0bbaec601d5ee9158fd75c6af922821b42d3e75d97

SHA512
38e1ebe6fae38328d688059868360c0d66665fbbce835d25e51370f97ef96e62c605c7d373d4d0b98908e8cd7ac4aae13b8674c1992ca43b9819567a008dd057

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5946007.exe

Filesize
136KB

MD5
9fcd35c3485c6b790f9cdfb223f24689

SHA1
9258aee61d521efe7aaf3bc5cd7204cc9167cb6c

SHA256
08d32d8a45a66b8e72a9bbead0e4eabea8189338942c3c7c09132d6ed16ae023

SHA512
107287e27f9bcb74906acc7e80941dee4e5a09150d9bacfbec2fa0c33d3b4c9f54b866f338d5cf0458237083e27c85cc329e796df752ab88c6af6f8e3c3894fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5946007.exe

Filesize
136KB

MD5
9fcd35c3485c6b790f9cdfb223f24689

SHA1
9258aee61d521efe7aaf3bc5cd7204cc9167cb6c

SHA256
08d32d8a45a66b8e72a9bbead0e4eabea8189338942c3c7c09132d6ed16ae023

SHA512
107287e27f9bcb74906acc7e80941dee4e5a09150d9bacfbec2fa0c33d3b4c9f54b866f338d5cf0458237083e27c85cc329e796df752ab88c6af6f8e3c3894fe

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1897711.exe

Filesize
307KB

MD5
7ff7b739031911d5c4fba0acbce631fd

SHA1
b5055af71894fe6e9f985333c830a3dbf6ad1dc0

SHA256
cc5b775dae68959d3fcf1e0bbaec601d5ee9158fd75c6af922821b42d3e75d97

SHA512
38e1ebe6fae38328d688059868360c0d66665fbbce835d25e51370f97ef96e62c605c7d373d4d0b98908e8cd7ac4aae13b8674c1992ca43b9819567a008dd057

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1897711.exe

Filesize
307KB

MD5
7ff7b739031911d5c4fba0acbce631fd

SHA1
b5055af71894fe6e9f985333c830a3dbf6ad1dc0

SHA256
cc5b775dae68959d3fcf1e0bbaec601d5ee9158fd75c6af922821b42d3e75d97

SHA512
38e1ebe6fae38328d688059868360c0d66665fbbce835d25e51370f97ef96e62c605c7d373d4d0b98908e8cd7ac4aae13b8674c1992ca43b9819567a008dd057

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5946007.exe

Filesize
136KB

MD5
9fcd35c3485c6b790f9cdfb223f24689

SHA1
9258aee61d521efe7aaf3bc5cd7204cc9167cb6c

SHA256
08d32d8a45a66b8e72a9bbead0e4eabea8189338942c3c7c09132d6ed16ae023

SHA512
107287e27f9bcb74906acc7e80941dee4e5a09150d9bacfbec2fa0c33d3b4c9f54b866f338d5cf0458237083e27c85cc329e796df752ab88c6af6f8e3c3894fe

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5946007.exe

Filesize
136KB

MD5
9fcd35c3485c6b790f9cdfb223f24689

SHA1
9258aee61d521efe7aaf3bc5cd7204cc9167cb6c

SHA256
08d32d8a45a66b8e72a9bbead0e4eabea8189338942c3c7c09132d6ed16ae023

SHA512
107287e27f9bcb74906acc7e80941dee4e5a09150d9bacfbec2fa0c33d3b4c9f54b866f338d5cf0458237083e27c85cc329e796df752ab88c6af6f8e3c3894fe

Download Submit
memory/1960-74-0x0000000000E40000-0x0000000000E68000-memory.dmp

Filesize
160KB

Download
memory/1960-75-0x0000000007160000-0x00000000071A0000-memory.dmp

Filesize
256KB

Download
memory/1960-76-0x0000000007160000-0x00000000071A0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing