df20de3a34c4b039313c34f4e6b5239c731caf6abbeab299c026650e31eaaba8

General

Target

34caf36645a8c7becb98e64af108eb1691a952cc2efc57a55e90530bd52a858c.exe
Size

3.3MB
MD5

f96e3442a8699d9014a31091484b44d4
SHA1

6d1a74404dde4bf2cb352164df93d5a2ddf12386
SHA256

34caf36645a8c7becb98e64af108eb1691a952cc2efc57a55e90530bd52a858c
SHA512

02ad199440d259a98e9892ac43825c745a142421afde951a95c70ec435e9a6df321e4d12a6ea36f981f35eec2e4e34abc38746ea6e26109de3e32e725c82da94
SSDEEP

49152:/zeqaA8fG9XnjS6OnXds7aMdc1otuL8wRswq8LxS2TLJ9f8KywtrE3NYUxGC5BU7:b5gUVOXdP+c1EuzPLxNJywtgdExIUk0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1436	setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	34caf36645a8c7becb98e64af108eb1691a952cc2efc57a55e90530bd52a858c.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3748	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3748	MSIEXEC.EXE
Token: SeSecurityPrivilege	4452	msiexec.exe
Token: SeCreateTokenPrivilege	3748	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	3748	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	3748	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3748	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	3748	MSIEXEC.EXE
Token: SeTcbPrivilege	3748	MSIEXEC.EXE
Token: SeSecurityPrivilege	3748	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	3748	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	3748	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	3748	MSIEXEC.EXE
Token: SeSystemtimePrivilege	3748	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	3748	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	3748	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	3748	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	3748	MSIEXEC.EXE
Token: SeBackupPrivilege	3748	MSIEXEC.EXE
Token: SeRestorePrivilege	3748	MSIEXEC.EXE
Token: SeShutdownPrivilege	3748	MSIEXEC.EXE
Token: SeDebugPrivilege	3748	MSIEXEC.EXE
Token: SeAuditPrivilege	3748	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	3748	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	3748	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	3748	MSIEXEC.EXE
Token: SeUndockPrivilege	3748	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	3748	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	3748	MSIEXEC.EXE
Token: SeManageVolumePrivilege	3748	MSIEXEC.EXE
Token: SeImpersonatePrivilege	3748	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	3748	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3748	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 1436	976	34caf36645a8c7becb98e64af108eb1691a952cc2efc57a55e90530bd52a858c.exe	89
PID 976 wrote to memory of 1436	976	34caf36645a8c7becb98e64af108eb1691a952cc2efc57a55e90530bd52a858c.exe	89
PID 976 wrote to memory of 1436	976	34caf36645a8c7becb98e64af108eb1691a952cc2efc57a55e90530bd52a858c.exe	89
PID 1436 wrote to memory of 3748	1436	setup.exe	92
PID 1436 wrote to memory of 3748	1436	setup.exe	92
PID 1436 wrote to memory of 3748	1436	setup.exe	92

C:\Users\Admin\AppData\Local\Temp\34caf36645a8c7becb98e64af108eb1691a952cc2efc57a55e90530bd52a858c.exe
"C:\Users\Admin\AppData\Local\Temp\34caf36645a8c7becb98e64af108eb1691a952cc2efc57a55e90530bd52a858c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:976
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msrdpcli.msi"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:3748

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.INI

Filesize
56KB

MD5
10d0937f0034d610f5ceaec5423597dc

SHA1
4202c6f7aaa76c2e7e3c45e649097d38a28f2b02

SHA256
ab79c60cab3866812bb67d0b0116e0af4b6a6e7b673bd7572df563d5a961d632

SHA512
58505fa2896828090c068ea7328610c6e733ae0fb94c1f79631c1afcdf5c7f52131d98a3c4b62ee087ea5d9c6a9977afb756e179cb9abe02d61a9a81dec37f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msrdpcli.msi

Filesize
751KB

MD5
13fb585d7981d700fba8fb61c3584a72

SHA1
b6136fbe483351a887e5fff0671ff184fa4543ee

SHA256
792d59d9a0706193b291b4bab0e2ac9da12603062f67568228d381622367710b

SHA512
269a7a3917fbf55e090311e4422ad8735358e1516adb5622ad1793e9bbc68679cd09945037cf09be8410f140d6c833e392e29c44817e17420d0dff3222a06acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe

Filesize
84KB

MD5
b8edf8d30608ec72839a0289d67cc919

SHA1
01f8d8fa1f6ca7b1e452b5410e1c1596c914076f

SHA256
de13730ef8f6614d99387ef8a3fd81d5f6127c9ea8bfa776783abe9f4eff2281

SHA512
f68329fa65dd74249c8d157511f94db769a55a7db8045e89bb4ed9e7f2b3e662e0bd5de0beb392d744d3b468783ac342ddfdbe14839bf8a2ca5b0b2c5ec5b6e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe

Filesize
84KB

MD5
b8edf8d30608ec72839a0289d67cc919

SHA1
01f8d8fa1f6ca7b1e452b5410e1c1596c914076f

SHA256
de13730ef8f6614d99387ef8a3fd81d5f6127c9ea8bfa776783abe9f4eff2281

SHA512
f68329fa65dd74249c8d157511f94db769a55a7db8045e89bb4ed9e7f2b3e662e0bd5de0beb392d744d3b468783ac342ddfdbe14839bf8a2ca5b0b2c5ec5b6e0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads