21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936

General

Target

21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936.exe
Size

9.4MB
MD5

718d69c7e8baa9b2fea5078ac9adf6b7
SHA1

b409fa7ffde8cc8dbaff27ae6a51d3f599e0ed75
SHA256

21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936
SHA512

ece9d1dac93453594fee0df92f8ad9ffa14ba17d4589773eac2c6f5ae1759d4b22e1067813245d2d5ab613d2b7c45173e5aebd1e72c7a720082474b76d403515
SSDEEP

196608:ZeduW/gMzIXjpjzoc1fln3yenGNSZO8WD5UW:jWou0jtzoc1tn3yenG4g8s5UW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2872	fae64d7b-f774-411b-8dfc-51a5c6ba8440.exe

Loads dropped DLL 1 IoCs

pid	Process
2096	21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fae64d7b-f774-411b-8dfc-51a5c6ba8440.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2336	powershell.exe
1044	powershell.exe
1044	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2336	2096	21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936.exe	28
PID 2096 wrote to memory of 2336	2096	21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936.exe	28
PID 2096 wrote to memory of 2336	2096	21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936.exe	28
PID 2096 wrote to memory of 2336	2096	21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936.exe	28
PID 2096 wrote to memory of 2872	2096	21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936.exe	32
PID 2096 wrote to memory of 2872	2096	21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936.exe	32
PID 2096 wrote to memory of 2872	2096	21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936.exe	32
PID 2096 wrote to memory of 2872	2096	21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936.exe	32
PID 2872 wrote to memory of 2284	2872	fae64d7b-f774-411b-8dfc-51a5c6ba8440.exe	33
PID 2872 wrote to memory of 2284	2872	fae64d7b-f774-411b-8dfc-51a5c6ba8440.exe	33
PID 2872 wrote to memory of 2284	2872	fae64d7b-f774-411b-8dfc-51a5c6ba8440.exe	33
PID 2872 wrote to memory of 2284	2872	fae64d7b-f774-411b-8dfc-51a5c6ba8440.exe	33
PID 2872 wrote to memory of 2276	2872	fae64d7b-f774-411b-8dfc-51a5c6ba8440.exe	35
PID 2872 wrote to memory of 2276	2872	fae64d7b-f774-411b-8dfc-51a5c6ba8440.exe	35
PID 2872 wrote to memory of 2276	2872	fae64d7b-f774-411b-8dfc-51a5c6ba8440.exe	35
PID 2872 wrote to memory of 2276	2872	fae64d7b-f774-411b-8dfc-51a5c6ba8440.exe	35
PID 2276 wrote to memory of 756	2276	cmd.exe	37
PID 2276 wrote to memory of 756	2276	cmd.exe	37
PID 2276 wrote to memory of 756	2276	cmd.exe	37
PID 2276 wrote to memory of 756	2276	cmd.exe	37
PID 756 wrote to memory of 1044	756	cmd.exe	38
PID 756 wrote to memory of 1044	756	cmd.exe	38
PID 756 wrote to memory of 1044	756	cmd.exe	38
PID 756 wrote to memory of 1044	756	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936.exe
"C:\Users\Admin\AppData\Local\Temp\21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:Temp -ExclusionProcess *.exe -ExclusionExtension exe; Set-MpPreference -SubmitSamplesConsent NeverSend -PUAProtection Disabled
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\fae64d7b-f774-411b-8dfc-51a5c6ba8440.exe
  "C:\Users\Admin\AppData\Local\Temp\fae64d7b-f774-411b-8dfc-51a5c6ba8440.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup dfslkdjfklhjsrhfgauiehruifghai
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cmd < 5
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:756
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avastui
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5

Filesize
12KB

MD5
05bb413f5ba120b0c746740c17c97fa2

SHA1
61716e2c9f375bfb9da6c36222890717eef4293e

SHA256
11cafc97516f7451af19bb5aa550003c28416580928b7f9abe430d743a1ed610

SHA512
133ca8be7349bac492476cc7cd9acbb6acde49cab191f07c6d7243e60ff0aac1ee81873d373075998765080068a149530ecc885610db25c6ba122f9e6e504518

Download Submit
C:\Users\Admin\AppData\Local\Temp\fae64d7b-f774-411b-8dfc-51a5c6ba8440.exe

Filesize
1.8MB

MD5
ac9cdaa7e93365384a7af4c7deb940ef

SHA1
4458ab569efb896eebad6a0c11fd2b4bd2ea3c2d

SHA256
30cb69aad54794a964298c87be266406a84f7ff77492db61c9f477f0dae09e28

SHA512
eb14329d29e0a6527af1b22ee01470ae54b28aabce64cc96e44ce3a7fde075c63bf117cbd356519d374ea000d0a150eb8ab888067c5d028e67ca31e83f3b8223

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ED7ZH1R2G4KRTXGBAIDU.temp

Filesize
7KB

MD5
5d143f649d512caafd62bb2529fd39f4

SHA1
c5eb0bdfb7c6019611727401d43da576763e24d6

SHA256
a368655b0207e85ab7f2efc875fca23b21f4e9eb805d098e9d74f99dd06f6ff8

SHA512
3042a5b24816ac7e4491ec108318402a268f91c1cb896304605947ce3839d7fbd573fd53bcda021d05d281975676c7a7d16db1d02b73fe56e146da29821eea86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
5d143f649d512caafd62bb2529fd39f4

SHA1
c5eb0bdfb7c6019611727401d43da576763e24d6

SHA256
a368655b0207e85ab7f2efc875fca23b21f4e9eb805d098e9d74f99dd06f6ff8

SHA512
3042a5b24816ac7e4491ec108318402a268f91c1cb896304605947ce3839d7fbd573fd53bcda021d05d281975676c7a7d16db1d02b73fe56e146da29821eea86

Download Submit
\Users\Admin\AppData\Local\Temp\fae64d7b-f774-411b-8dfc-51a5c6ba8440.exe

Filesize
1.8MB

MD5
ac9cdaa7e93365384a7af4c7deb940ef

SHA1
4458ab569efb896eebad6a0c11fd2b4bd2ea3c2d

SHA256
30cb69aad54794a964298c87be266406a84f7ff77492db61c9f477f0dae09e28

SHA512
eb14329d29e0a6527af1b22ee01470ae54b28aabce64cc96e44ce3a7fde075c63bf117cbd356519d374ea000d0a150eb8ab888067c5d028e67ca31e83f3b8223

Download Submit
memory/1044-94-0x00000000734E0000-0x0000000073A8B000-memory.dmp

Filesize
5.7MB

Download
memory/1044-98-0x00000000734E0000-0x0000000073A8B000-memory.dmp

Filesize
5.7MB

Download
memory/1044-97-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1044-96-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/1044-95-0x00000000734E0000-0x0000000073A8B000-memory.dmp

Filesize
5.7MB

Download
memory/2096-54-0x0000000000830000-0x0000000001199000-memory.dmp

Filesize
9.4MB

Download
memory/2096-62-0x0000000000830000-0x0000000001199000-memory.dmp

Filesize
9.4MB

Download
memory/2096-113-0x0000000000830000-0x0000000001199000-memory.dmp

Filesize
9.4MB

Download
memory/2336-60-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/2336-61-0x0000000073A90000-0x000000007403B000-memory.dmp

Filesize
5.7MB

Download
memory/2336-57-0x0000000073A90000-0x000000007403B000-memory.dmp

Filesize
5.7MB

Download
memory/2336-59-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/2336-58-0x0000000073A90000-0x000000007403B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads