2e2f7a5b58169c1ad43eefe702d631583eff8ef4f3692ca190c867e115de1157

General

Target

2e2f7a5b58169c1ad43eefe702d631583eff8ef4f3692ca190c867e115de1157.exe
Size

599KB
MD5

579ba1c8fe2dafba83ffe2aba5f6a07d
SHA1

35ef464b64c6e0c2bc97d619fd9a1e54dde2c33e
SHA256

2e2f7a5b58169c1ad43eefe702d631583eff8ef4f3692ca190c867e115de1157
SHA512

5ac8a105b59d188a6b33402782595a47df3f1a17385abaa9f3e5bd8c2f64751663609980625184a7e333522dbe1a0c9ba551c0262709882aa634699097c5086d
SSDEEP

12288:xMrey906Emu9BKLLbroX1IDDToyXIi6a9YEGeSduYyz:fydoBaga9XJx+/eSduYa

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
300	y0052950.exe
1868	k8932178.exe

Loads dropped DLL 4 IoCs

pid	Process
2000	2e2f7a5b58169c1ad43eefe702d631583eff8ef4f3692ca190c867e115de1157.exe
300	y0052950.exe
300	y0052950.exe
1868	k8932178.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y0052950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y0052950.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2e2f7a5b58169c1ad43eefe702d631583eff8ef4f3692ca190c867e115de1157.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2e2f7a5b58169c1ad43eefe702d631583eff8ef4f3692ca190c867e115de1157.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 300	2000	2e2f7a5b58169c1ad43eefe702d631583eff8ef4f3692ca190c867e115de1157.exe	28
PID 2000 wrote to memory of 300	2000	2e2f7a5b58169c1ad43eefe702d631583eff8ef4f3692ca190c867e115de1157.exe	28
PID 2000 wrote to memory of 300	2000	2e2f7a5b58169c1ad43eefe702d631583eff8ef4f3692ca190c867e115de1157.exe	28
PID 2000 wrote to memory of 300	2000	2e2f7a5b58169c1ad43eefe702d631583eff8ef4f3692ca190c867e115de1157.exe	28
PID 2000 wrote to memory of 300	2000	2e2f7a5b58169c1ad43eefe702d631583eff8ef4f3692ca190c867e115de1157.exe	28
PID 2000 wrote to memory of 300	2000	2e2f7a5b58169c1ad43eefe702d631583eff8ef4f3692ca190c867e115de1157.exe	28
PID 2000 wrote to memory of 300	2000	2e2f7a5b58169c1ad43eefe702d631583eff8ef4f3692ca190c867e115de1157.exe	28
PID 300 wrote to memory of 1868	300	y0052950.exe	29
PID 300 wrote to memory of 1868	300	y0052950.exe	29
PID 300 wrote to memory of 1868	300	y0052950.exe	29
PID 300 wrote to memory of 1868	300	y0052950.exe	29
PID 300 wrote to memory of 1868	300	y0052950.exe	29
PID 300 wrote to memory of 1868	300	y0052950.exe	29
PID 300 wrote to memory of 1868	300	y0052950.exe	29

C:\Users\Admin\AppData\Local\Temp\2e2f7a5b58169c1ad43eefe702d631583eff8ef4f3692ca190c867e115de1157.exe
"C:\Users\Admin\AppData\Local\Temp\2e2f7a5b58169c1ad43eefe702d631583eff8ef4f3692ca190c867e115de1157.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0052950.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0052950.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:300
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8932178.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8932178.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0052950.exe

Filesize
307KB

MD5
10f05a531c697fd3fc57c14fbcdca498

SHA1
30ef526e424157a6bead127b5c3eda60ce7683d0

SHA256
6f0525e710b1ae50ecbbe11e07efc75586ba6c3599faca401b6b43d8ebbedac9

SHA512
d03dece36bc0021ed76ba6c53c199006f634ad0b84c695b56e55856f1e0912f7391c7f8e2c2b205a1585ff69075b42f8ebd8723a3a57497523ed534cdd3a2d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0052950.exe

Filesize
307KB

MD5
10f05a531c697fd3fc57c14fbcdca498

SHA1
30ef526e424157a6bead127b5c3eda60ce7683d0

SHA256
6f0525e710b1ae50ecbbe11e07efc75586ba6c3599faca401b6b43d8ebbedac9

SHA512
d03dece36bc0021ed76ba6c53c199006f634ad0b84c695b56e55856f1e0912f7391c7f8e2c2b205a1585ff69075b42f8ebd8723a3a57497523ed534cdd3a2d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8932178.exe

Filesize
136KB

MD5
1dd5f288f46e1dc1964b5b595c31d6b3

SHA1
5fa9eda2c2eed89dd7edb694cf298cdde03f5984

SHA256
3aa79ff6bc819242ae7eadbcfcce9c276c4b8cfb7c64d579b21dac86ec51d62d

SHA512
4f939bf8f82120b584da7ee4dc8d515d4f5c7748d5daf542a6e62c1274b517aeca0e80e14039209501c08e26bd37f2a26fedaf10a4502ef3321d020023ad28df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8932178.exe

Filesize
136KB

MD5
1dd5f288f46e1dc1964b5b595c31d6b3

SHA1
5fa9eda2c2eed89dd7edb694cf298cdde03f5984

SHA256
3aa79ff6bc819242ae7eadbcfcce9c276c4b8cfb7c64d579b21dac86ec51d62d

SHA512
4f939bf8f82120b584da7ee4dc8d515d4f5c7748d5daf542a6e62c1274b517aeca0e80e14039209501c08e26bd37f2a26fedaf10a4502ef3321d020023ad28df

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0052950.exe

Filesize
307KB

MD5
10f05a531c697fd3fc57c14fbcdca498

SHA1
30ef526e424157a6bead127b5c3eda60ce7683d0

SHA256
6f0525e710b1ae50ecbbe11e07efc75586ba6c3599faca401b6b43d8ebbedac9

SHA512
d03dece36bc0021ed76ba6c53c199006f634ad0b84c695b56e55856f1e0912f7391c7f8e2c2b205a1585ff69075b42f8ebd8723a3a57497523ed534cdd3a2d49

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0052950.exe

Filesize
307KB

MD5
10f05a531c697fd3fc57c14fbcdca498

SHA1
30ef526e424157a6bead127b5c3eda60ce7683d0

SHA256
6f0525e710b1ae50ecbbe11e07efc75586ba6c3599faca401b6b43d8ebbedac9

SHA512
d03dece36bc0021ed76ba6c53c199006f634ad0b84c695b56e55856f1e0912f7391c7f8e2c2b205a1585ff69075b42f8ebd8723a3a57497523ed534cdd3a2d49

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8932178.exe

Filesize
136KB

MD5
1dd5f288f46e1dc1964b5b595c31d6b3

SHA1
5fa9eda2c2eed89dd7edb694cf298cdde03f5984

SHA256
3aa79ff6bc819242ae7eadbcfcce9c276c4b8cfb7c64d579b21dac86ec51d62d

SHA512
4f939bf8f82120b584da7ee4dc8d515d4f5c7748d5daf542a6e62c1274b517aeca0e80e14039209501c08e26bd37f2a26fedaf10a4502ef3321d020023ad28df

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8932178.exe

Filesize
136KB

MD5
1dd5f288f46e1dc1964b5b595c31d6b3

SHA1
5fa9eda2c2eed89dd7edb694cf298cdde03f5984

SHA256
3aa79ff6bc819242ae7eadbcfcce9c276c4b8cfb7c64d579b21dac86ec51d62d

SHA512
4f939bf8f82120b584da7ee4dc8d515d4f5c7748d5daf542a6e62c1274b517aeca0e80e14039209501c08e26bd37f2a26fedaf10a4502ef3321d020023ad28df

Download Submit
memory/1868-74-0x0000000001280000-0x00000000012A8000-memory.dmp

Filesize
160KB

Download
memory/1868-75-0x00000000070A0000-0x00000000070E0000-memory.dmp

Filesize
256KB

Download
memory/1868-76-0x00000000070A0000-0x00000000070E0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing