d213d41eec83394b49776b106eed246b7f7b8a460e195355122c2ed15df4de42

General

Target

14f0e069ed91dc3fb0ae9346321c4339.exe
Size

376KB
MD5

14f0e069ed91dc3fb0ae9346321c4339
SHA1

371e99aae41a83b844601f3d6b1c9d0fef81096a
SHA256

d213d41eec83394b49776b106eed246b7f7b8a460e195355122c2ed15df4de42
SHA512

938d261e3f368888ad85c339981e564de83aa138210a622db052e3f569d7fa3c4d2e8382796b63a1fa36e0b61054c91ed8294c14ed20259eadc0cd2c4401e3be
SSDEEP

6144:KCy+bnr+Vp0yN90QEsV3PthxfuUJNMk/+leNXZmO8HJshOsY59ks:OMr1y90+tvxpy0+lUXaDsYvks

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1528	x7909358.exe
792	g5876315.exe

Loads dropped DLL 4 IoCs

pid	Process
1700	14f0e069ed91dc3fb0ae9346321c4339.exe
1528	x7909358.exe
1528	x7909358.exe
792	g5876315.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7909358.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	14f0e069ed91dc3fb0ae9346321c4339.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	14f0e069ed91dc3fb0ae9346321c4339.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x7909358.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 1528	1700	14f0e069ed91dc3fb0ae9346321c4339.exe	28
PID 1700 wrote to memory of 1528	1700	14f0e069ed91dc3fb0ae9346321c4339.exe	28
PID 1700 wrote to memory of 1528	1700	14f0e069ed91dc3fb0ae9346321c4339.exe	28
PID 1700 wrote to memory of 1528	1700	14f0e069ed91dc3fb0ae9346321c4339.exe	28
PID 1700 wrote to memory of 1528	1700	14f0e069ed91dc3fb0ae9346321c4339.exe	28
PID 1700 wrote to memory of 1528	1700	14f0e069ed91dc3fb0ae9346321c4339.exe	28
PID 1700 wrote to memory of 1528	1700	14f0e069ed91dc3fb0ae9346321c4339.exe	28
PID 1528 wrote to memory of 792	1528	x7909358.exe	29
PID 1528 wrote to memory of 792	1528	x7909358.exe	29
PID 1528 wrote to memory of 792	1528	x7909358.exe	29
PID 1528 wrote to memory of 792	1528	x7909358.exe	29
PID 1528 wrote to memory of 792	1528	x7909358.exe	29
PID 1528 wrote to memory of 792	1528	x7909358.exe	29
PID 1528 wrote to memory of 792	1528	x7909358.exe	29

C:\Users\Admin\AppData\Local\Temp\14f0e069ed91dc3fb0ae9346321c4339.exe
"C:\Users\Admin\AppData\Local\Temp\14f0e069ed91dc3fb0ae9346321c4339.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7909358.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7909358.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5876315.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5876315.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7909358.exe

Filesize
204KB

MD5
a9076dc57ed643e3f38f415ae2604930

SHA1
b869a90abf162977ae3c2a0d4f5a4ad702a68579

SHA256
e67435424bf6d4efe2ea3915f7aef50ee65b7210b64777a92d3e22e21d8bca45

SHA512
0c3c3d5367475ebb52d4499ef6cc40b88d27c1726e96408d1b96d1da9b565b5d1ff1004b22a33a022f9c7b848aa3c773be28e120ee4edbba52b1424ce304f473

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7909358.exe

Filesize
204KB

MD5
a9076dc57ed643e3f38f415ae2604930

SHA1
b869a90abf162977ae3c2a0d4f5a4ad702a68579

SHA256
e67435424bf6d4efe2ea3915f7aef50ee65b7210b64777a92d3e22e21d8bca45

SHA512
0c3c3d5367475ebb52d4499ef6cc40b88d27c1726e96408d1b96d1da9b565b5d1ff1004b22a33a022f9c7b848aa3c773be28e120ee4edbba52b1424ce304f473

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5876315.exe

Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5876315.exe

Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7909358.exe

Filesize
204KB

MD5
a9076dc57ed643e3f38f415ae2604930

SHA1
b869a90abf162977ae3c2a0d4f5a4ad702a68579

SHA256
e67435424bf6d4efe2ea3915f7aef50ee65b7210b64777a92d3e22e21d8bca45

SHA512
0c3c3d5367475ebb52d4499ef6cc40b88d27c1726e96408d1b96d1da9b565b5d1ff1004b22a33a022f9c7b848aa3c773be28e120ee4edbba52b1424ce304f473

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7909358.exe

Filesize
204KB

MD5
a9076dc57ed643e3f38f415ae2604930

SHA1
b869a90abf162977ae3c2a0d4f5a4ad702a68579

SHA256
e67435424bf6d4efe2ea3915f7aef50ee65b7210b64777a92d3e22e21d8bca45

SHA512
0c3c3d5367475ebb52d4499ef6cc40b88d27c1726e96408d1b96d1da9b565b5d1ff1004b22a33a022f9c7b848aa3c773be28e120ee4edbba52b1424ce304f473

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5876315.exe

Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5876315.exe

Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
memory/792-74-0x0000000000200000-0x0000000000228000-memory.dmp

Filesize
160KB

Download
memory/792-75-0x0000000007240000-0x0000000007280000-memory.dmp

Filesize
256KB

Download
memory/792-76-0x0000000007240000-0x0000000007280000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing