29ca825cf8bcf95d6fbd998f2c28cea0f990add70242f06f1421fa92316411ee

General

Target

dummy.bin.exe
Size

2.5MB
MD5

65e17ed13f100252e776030ed3965fd5
SHA1

1a67346291bbf8bd4826cf8929ab74f2ab21c39b
SHA256

29ca825cf8bcf95d6fbd998f2c28cea0f990add70242f06f1421fa92316411ee
SHA512

6b096b195dc31298f5c495c188611ae94bbff7319cf1dedf25fec3260349b8f441983c9669669027f46020f58a2236d3435cd098abc5c69e38f713acc8f4767f
SSDEEP

49152:Qn8uewL1WSGpm8IgKSYXfnE0cVKrQvl0eMdkLyGsAdm+ADQz3DYj:7/hG3tE00KC0tkLyGl7AcDDE

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2292	fkxyeofqgyi.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dummy.bin.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4376	2292	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2292	fkxyeofqgyi.exe
2292	fkxyeofqgyi.exe
2292	fkxyeofqgyi.exe
2292	fkxyeofqgyi.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3884 wrote to memory of 4996	3884	dummy.bin.exe	83
PID 3884 wrote to memory of 4996	3884	dummy.bin.exe	83
PID 3884 wrote to memory of 4996	3884	dummy.bin.exe	83
PID 4996 wrote to memory of 2292	4996	cmd.exe	86
PID 4996 wrote to memory of 2292	4996	cmd.exe	86
PID 4996 wrote to memory of 2292	4996	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\dummy.bin.exe
"C:\Users\Admin\AppData\Local\Temp\dummy.bin.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3884
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /d /c bddveik.bat 3043336449
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fkxyeofqgyi.exe
    fkxyeofqgyi.exe llmoqqgyde.dat 3043336449
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2292
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 1280
      4⤵
      Program crash
      PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2292 -ip 2292
1⤵
PID:3548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bddveik.bat

Filesize
139B

MD5
6d473c3e20621625bfdea4f5199dca47

SHA1
c4d12b1aeec0bc2d30e3fccff4db43316697c235

SHA256
9471151eed557047dab8eeb4c4bc5b8fb582a5e1c321c84e0186fbc04d68debb

SHA512
331ae811591a7345fbe6d58bbaa9bb22876a3a336a41c9a36a67f1473fd53e80e0f480dde9294e615e1865856f4b8c358c84edc065a873b36f6723a9438f96af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ejxoaibau.dat

Filesize
1B

MD5
69691c7bdcc3ce6d5d8a1361f22d04ac

SHA1
c63ae6dd4fc9f9dda66970e827d13f7c73fe841c

SHA256
08f271887ce94707da822d5263bae19d5519cb3614e0daedc4c7ce5dab7473f1

SHA512
253405e03b91441a6dd354a9b72e040068b1bfe10e83eb1a64a086c05525d8ccae2bf09130c624af50d55c3522a4fbb7c18cfc8dd843e5f4801d9ad2b5164b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ejxoaibau.dat.1

Filesize
3B

MD5
158b365b9eedcfaf539f5dedfd82ee97

SHA1
529f5d61ac99f60a8e473368eff1b32095a3e2bf

SHA256
39561f8af034137905f14ca7fd5a2c891bc12982f3f8ef2271e75e93433ffa90

SHA512
a1b231c2e6af432ee7df82e00d568819e12149af707d4c4fdd018b38cc4f9761062c5b7e497bd1b67e466b89e391520b88bf13f18c8b9ff646d82df740c05c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ejxoaibau.dat.2

Filesize
33B

MD5
500ba63e2664798939744b8a8c9be982

SHA1
54743a77e4186cb327b803efb1ef5b3d4ac163ce

SHA256
4ebc21177ee9907f71a1641a0482603ced98e9d43389cac0ffb0b59f7343eeba

SHA512
9992b70de5867e2a00aff4f79c37ba71e827cbb104c192ebd4a553f91ae06a5b235f34e65d9d1145591c147e9e6726146cb92171945aa67b8f3294116a223fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ejxoaibau.dat.3

Filesize
5.2MB

MD5
a452946137958e0cee844310f9e9fa7c

SHA1
8cf21ae4d1d764154048a02fb49412ef94094485

SHA256
088a5d04f2f6d6820bf1a6a390d9c0e00f88896c932848f0c97912b861479bb9

SHA512
ef3759e134c9b0eaaf300a57d335131faa91337497f572ef7eb1058e498a071d1741a6e0947ca9e95fe92b1ca163814ce6d1d706ad5ab010d47d18038b26beaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fkxyeofqgyi.exe

Filesize
5.2MB

MD5
812d99a3d89b8de1b866ac960031e3df

SHA1
6817df1da376e8f6e68fd1ad06d78f02406b6e19

SHA256
9c5898b1b354b139794f10594e84e94e991971a54d179b2e9f746319ffac56aa

SHA512
85f72df2e679da3f337fc162ce3023d7d078c4433b49d3f4a16946fb0d2fdbadf5c736ff76e47bcdf920d5d90e05bf7f66ec9ca9fbe3f1d620cf33c046d857e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fkxyeofqgyi.exe

Filesize
5.2MB

MD5
812d99a3d89b8de1b866ac960031e3df

SHA1
6817df1da376e8f6e68fd1ad06d78f02406b6e19

SHA256
9c5898b1b354b139794f10594e84e94e991971a54d179b2e9f746319ffac56aa

SHA512
85f72df2e679da3f337fc162ce3023d7d078c4433b49d3f4a16946fb0d2fdbadf5c736ff76e47bcdf920d5d90e05bf7f66ec9ca9fbe3f1d620cf33c046d857e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\llmoqqgyde.dat

Filesize
936KB

MD5
59d39fabbb300e7f0e7630bfec8fad18

SHA1
74b61452ee9134b56a269635d1a469e8902b509a

SHA256
47c095775b069a75d938a6f71e6496b8e1557c416bfdb6d90792df17dcfb80c0

SHA512
008e47c31f8bc9c41365734c902146b6f58352c463c02b221a70226eff8593a3db6d24691337c7e0ca83d5063b2e24fedb3190bd770fd01ae2df01c6b50e6d98

Download Submit
memory/2292-23-0x000000002C000000-0x000000002C001000-memory.dmp

Filesize
4KB

Download
memory/2292-24-0x000000000C400000-0x000000000C401000-memory.dmp

Filesize
4KB

Download
memory/2292-25-0x0000000025200000-0x0000000025201000-memory.dmp

Filesize
4KB

Download
memory/2292-28-0x000000003FF00000-0x000000003FF01000-memory.dmp

Filesize
4KB

Download
memory/2292-27-0x000000002F900000-0x000000002F901000-memory.dmp

Filesize
4KB

Download
memory/2292-26-0x000000000D800000-0x000000000D801000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads