a963e7fae47ff5c70a6b2c0133e68a91615dc71a5aa4f57f49789f5b3171ebb9

General

Target

file.exe
Size

1.0MB
MD5

98b057ab17be43567ba08f43cdba27e7
SHA1

bcea70e6b1f87d7fca5f332cc6e8cbdb3035cfb5
SHA256

a963e7fae47ff5c70a6b2c0133e68a91615dc71a5aa4f57f49789f5b3171ebb9
SHA512

d16d79e32d02673d7d7b3c55fa2ffac8ef17aafef664e9fd366faa71ab4678936e46adf57bf8671723445b830fa328a3d26667ec945c1c17c8bb5f60038e1768
SSDEEP

24576:yyKFgbYYVKsTEQ9LIBbW4HdjpgOv22TVNfGsYvQb/IqU:ZKeBKgXIBbtHe2TjfMvIIq

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4284	qb8Hk88.exe
3136	Rt1jp64.exe
4704	cz4eH46.exe
4660	1tC83HP1.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	qb8Hk88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Rt1jp64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	cz4eH46.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 4284	4360	file.exe	82
PID 4360 wrote to memory of 4284	4360	file.exe	82
PID 4360 wrote to memory of 4284	4360	file.exe	82
PID 4284 wrote to memory of 3136	4284	qb8Hk88.exe	83
PID 4284 wrote to memory of 3136	4284	qb8Hk88.exe	83
PID 4284 wrote to memory of 3136	4284	qb8Hk88.exe	83
PID 3136 wrote to memory of 4704	3136	Rt1jp64.exe	84
PID 3136 wrote to memory of 4704	3136	Rt1jp64.exe	84
PID 3136 wrote to memory of 4704	3136	Rt1jp64.exe	84
PID 4704 wrote to memory of 4660	4704	cz4eH46.exe	85
PID 4704 wrote to memory of 4660	4704	cz4eH46.exe	85
PID 4704 wrote to memory of 4660	4704	cz4eH46.exe	85

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qb8Hk88.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qb8Hk88.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rt1jp64.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rt1jp64.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3136
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cz4eH46.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cz4eH46.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4704
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1tC83HP1.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1tC83HP1.exe
        5⤵
        Executes dropped EXE
        
        PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qb8Hk88.exe

Filesize
903KB

MD5
30f1adb1a20dbde7de866de5f73b7609

SHA1
4679f7fe886cc1cf64c4c927dad15a4aa1401cb6

SHA256
ead48dc20fccfb831bc8e0fff245943448ebcf7133e8ac836e4d3ec571f946b9

SHA512
47b15773a65d2b325f07e8cc8bc00fddb545b86aa42c31a2b9796b76cae048f168859561b0069e99faded071f1781bdd943d2d723ff8389070c4ceb90bf37f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qb8Hk88.exe

Filesize
903KB

MD5
30f1adb1a20dbde7de866de5f73b7609

SHA1
4679f7fe886cc1cf64c4c927dad15a4aa1401cb6

SHA256
ead48dc20fccfb831bc8e0fff245943448ebcf7133e8ac836e4d3ec571f946b9

SHA512
47b15773a65d2b325f07e8cc8bc00fddb545b86aa42c31a2b9796b76cae048f168859561b0069e99faded071f1781bdd943d2d723ff8389070c4ceb90bf37f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rt1jp64.exe

Filesize
650KB

MD5
a880351f7456f2627783c8777aafd7f4

SHA1
cb5cbdf78fabef5bf3e39b24660367370b1f7544

SHA256
5c5cf5c1e6f688d6eb5bf39bf1818786397895fb64047af69b9dc19085b9e41c

SHA512
9f3c0285159e49f7664358a7eb9d40c3a6ce3644092386020d95635ded020b536321ba8a5c0a869ad48220a433beae223fd21e7045bbf078b8b9bd3e7ab35b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rt1jp64.exe

Filesize
650KB

MD5
a880351f7456f2627783c8777aafd7f4

SHA1
cb5cbdf78fabef5bf3e39b24660367370b1f7544

SHA256
5c5cf5c1e6f688d6eb5bf39bf1818786397895fb64047af69b9dc19085b9e41c

SHA512
9f3c0285159e49f7664358a7eb9d40c3a6ce3644092386020d95635ded020b536321ba8a5c0a869ad48220a433beae223fd21e7045bbf078b8b9bd3e7ab35b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cz4eH46.exe

Filesize
451KB

MD5
a48852bb753bce6d622dea7a673c7c98

SHA1
f1911f701afbf399665a2bb965d354e05fc36203

SHA256
658e0743afa8565fb801a5bc85acc1fd0471217053bcd5ba481553e8bba814e8

SHA512
2bcb2e78e502b2f57fdfa31753658df87d46f52af53e910718a0799585d32187d1d143f501de6c9d1f7676d86f2dd81f951651fc57cf25fa6b808f19b87f0b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cz4eH46.exe

Filesize
451KB

MD5
a48852bb753bce6d622dea7a673c7c98

SHA1
f1911f701afbf399665a2bb965d354e05fc36203

SHA256
658e0743afa8565fb801a5bc85acc1fd0471217053bcd5ba481553e8bba814e8

SHA512
2bcb2e78e502b2f57fdfa31753658df87d46f52af53e910718a0799585d32187d1d143f501de6c9d1f7676d86f2dd81f951651fc57cf25fa6b808f19b87f0b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1tC83HP1.exe

Filesize
201KB

MD5
a07f1de1c9774d5a490b599e98a87928

SHA1
2e89540d18db9fc57132372abad292db56697b22

SHA256
4d39a22a2ac96eba80c0f05c8f198a8f62d49ec226a658ca9a4026f96a7799bb

SHA512
9d2366b0e427dde753c065430ae26ece060b70df1e6369e178a945e83efa0aec72e5d6ed236d41c09e342ec7f5040173d1d7edb46e3d1fe5877b60263747fb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1tC83HP1.exe

Filesize
201KB

MD5
a07f1de1c9774d5a490b599e98a87928

SHA1
2e89540d18db9fc57132372abad292db56697b22

SHA256
4d39a22a2ac96eba80c0f05c8f198a8f62d49ec226a658ca9a4026f96a7799bb

SHA512
9d2366b0e427dde753c065430ae26ece060b70df1e6369e178a945e83efa0aec72e5d6ed236d41c09e342ec7f5040173d1d7edb46e3d1fe5877b60263747fb81

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads