26864964585c14526e69c59305b466d5b7ebd9470d5a8e33470ef8b37d1b7727

General

Target

26864964585c14526e69c59305b466d5b7ebd9470d5a8e33470ef8b37d1b7727.exe
Size

479KB
MD5

0f4968d2050bbc9331fa951525a60178
SHA1

8f4cc098762d7a1695474b794990642bdb097152
SHA256

26864964585c14526e69c59305b466d5b7ebd9470d5a8e33470ef8b37d1b7727
SHA512

1fed6cfe88f8275d21e7703a5f59f5081a718b5b2055f4235b6dad2f101a4f78dc626307d12b087d185451a9fdde3f3ccdb43e03bb773e459f70fe2b265075fc
SSDEEP

12288:GMrCy90MWLI7BWf2Hbgq3t1VpjTlmS++8OatQ6g:4yYctWObXVpjpT8/Q6g

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
920	x3296379.exe
292	g4306620.exe

Loads dropped DLL 4 IoCs

pid	Process
1720	26864964585c14526e69c59305b466d5b7ebd9470d5a8e33470ef8b37d1b7727.exe
920	x3296379.exe
920	x3296379.exe
292	g4306620.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	26864964585c14526e69c59305b466d5b7ebd9470d5a8e33470ef8b37d1b7727.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	26864964585c14526e69c59305b466d5b7ebd9470d5a8e33470ef8b37d1b7727.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x3296379.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3296379.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 920	1720	26864964585c14526e69c59305b466d5b7ebd9470d5a8e33470ef8b37d1b7727.exe	28
PID 1720 wrote to memory of 920	1720	26864964585c14526e69c59305b466d5b7ebd9470d5a8e33470ef8b37d1b7727.exe	28
PID 1720 wrote to memory of 920	1720	26864964585c14526e69c59305b466d5b7ebd9470d5a8e33470ef8b37d1b7727.exe	28
PID 1720 wrote to memory of 920	1720	26864964585c14526e69c59305b466d5b7ebd9470d5a8e33470ef8b37d1b7727.exe	28
PID 1720 wrote to memory of 920	1720	26864964585c14526e69c59305b466d5b7ebd9470d5a8e33470ef8b37d1b7727.exe	28
PID 1720 wrote to memory of 920	1720	26864964585c14526e69c59305b466d5b7ebd9470d5a8e33470ef8b37d1b7727.exe	28
PID 1720 wrote to memory of 920	1720	26864964585c14526e69c59305b466d5b7ebd9470d5a8e33470ef8b37d1b7727.exe	28
PID 920 wrote to memory of 292	920	x3296379.exe	29
PID 920 wrote to memory of 292	920	x3296379.exe	29
PID 920 wrote to memory of 292	920	x3296379.exe	29
PID 920 wrote to memory of 292	920	x3296379.exe	29
PID 920 wrote to memory of 292	920	x3296379.exe	29
PID 920 wrote to memory of 292	920	x3296379.exe	29
PID 920 wrote to memory of 292	920	x3296379.exe	29

C:\Users\Admin\AppData\Local\Temp\26864964585c14526e69c59305b466d5b7ebd9470d5a8e33470ef8b37d1b7727.exe
"C:\Users\Admin\AppData\Local\Temp\26864964585c14526e69c59305b466d5b7ebd9470d5a8e33470ef8b37d1b7727.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3296379.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3296379.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4306620.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4306620.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3296379.exe

Filesize
307KB

MD5
c290747cfc29254b6b3492fe93dcf475

SHA1
d051d328e6dbd8b62e7b4c787dcc1938625384ab

SHA256
9756f72a435ba9761a1e30e751437e48010cd78a59ae236130225da80dbf459b

SHA512
51a0bfe04032c4546b1e7fe7e30347b781d61bb8f3091eef2cb3ac093fcb3d3462aa9f717de126471f900b003ca82f63f8480e31ab61a5310ee751dfffc85381

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3296379.exe

Filesize
307KB

MD5
c290747cfc29254b6b3492fe93dcf475

SHA1
d051d328e6dbd8b62e7b4c787dcc1938625384ab

SHA256
9756f72a435ba9761a1e30e751437e48010cd78a59ae236130225da80dbf459b

SHA512
51a0bfe04032c4546b1e7fe7e30347b781d61bb8f3091eef2cb3ac093fcb3d3462aa9f717de126471f900b003ca82f63f8480e31ab61a5310ee751dfffc85381

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4306620.exe

Filesize
136KB

MD5
69a10e80a9a548be02ffdb15be0719aa

SHA1
8787c7582038886f9cb2f8b488fffe976e94f4b1

SHA256
48c5322b8e73d8f692ce2a8f47e19b51572eda7530f52b58c1fc6fdb9b99f1e4

SHA512
a8e902c1ec64bed23b004e46709b1d141ea47fbce9ef61cc592747ca7aee87a1a5d1c1e0ce9d1a2b0125861f5085a7d8fcedd147aaefb1efbb2d72b724eaa959

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4306620.exe

Filesize
136KB

MD5
69a10e80a9a548be02ffdb15be0719aa

SHA1
8787c7582038886f9cb2f8b488fffe976e94f4b1

SHA256
48c5322b8e73d8f692ce2a8f47e19b51572eda7530f52b58c1fc6fdb9b99f1e4

SHA512
a8e902c1ec64bed23b004e46709b1d141ea47fbce9ef61cc592747ca7aee87a1a5d1c1e0ce9d1a2b0125861f5085a7d8fcedd147aaefb1efbb2d72b724eaa959

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3296379.exe

Filesize
307KB

MD5
c290747cfc29254b6b3492fe93dcf475

SHA1
d051d328e6dbd8b62e7b4c787dcc1938625384ab

SHA256
9756f72a435ba9761a1e30e751437e48010cd78a59ae236130225da80dbf459b

SHA512
51a0bfe04032c4546b1e7fe7e30347b781d61bb8f3091eef2cb3ac093fcb3d3462aa9f717de126471f900b003ca82f63f8480e31ab61a5310ee751dfffc85381

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3296379.exe

Filesize
307KB

MD5
c290747cfc29254b6b3492fe93dcf475

SHA1
d051d328e6dbd8b62e7b4c787dcc1938625384ab

SHA256
9756f72a435ba9761a1e30e751437e48010cd78a59ae236130225da80dbf459b

SHA512
51a0bfe04032c4546b1e7fe7e30347b781d61bb8f3091eef2cb3ac093fcb3d3462aa9f717de126471f900b003ca82f63f8480e31ab61a5310ee751dfffc85381

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4306620.exe

Filesize
136KB

MD5
69a10e80a9a548be02ffdb15be0719aa

SHA1
8787c7582038886f9cb2f8b488fffe976e94f4b1

SHA256
48c5322b8e73d8f692ce2a8f47e19b51572eda7530f52b58c1fc6fdb9b99f1e4

SHA512
a8e902c1ec64bed23b004e46709b1d141ea47fbce9ef61cc592747ca7aee87a1a5d1c1e0ce9d1a2b0125861f5085a7d8fcedd147aaefb1efbb2d72b724eaa959

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4306620.exe

Filesize
136KB

MD5
69a10e80a9a548be02ffdb15be0719aa

SHA1
8787c7582038886f9cb2f8b488fffe976e94f4b1

SHA256
48c5322b8e73d8f692ce2a8f47e19b51572eda7530f52b58c1fc6fdb9b99f1e4

SHA512
a8e902c1ec64bed23b004e46709b1d141ea47fbce9ef61cc592747ca7aee87a1a5d1c1e0ce9d1a2b0125861f5085a7d8fcedd147aaefb1efbb2d72b724eaa959

Download Submit
memory/292-74-0x00000000000D0000-0x00000000000F8000-memory.dmp

Filesize
160KB

Download
memory/292-75-0x0000000007280000-0x00000000072C0000-memory.dmp

Filesize
256KB

Download
memory/292-76-0x0000000007280000-0x00000000072C0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing