e826dcb72561c592c31a3de72b315c872733a6beb2f00bc736d43a62f77d993b

General

Target

04a3ec3cd511e044c5cb1bcef4a0a38c.exe
Size

1.1MB
MD5

04a3ec3cd511e044c5cb1bcef4a0a38c
SHA1

dd8f168bf9f4a31ca1191986293b48bbaba68fdc
SHA256

e826dcb72561c592c31a3de72b315c872733a6beb2f00bc736d43a62f77d993b
SHA512

df816b06203cba883605f1e46cd3c20988bf6e42c7cb46e2db885d880de993faa13bd8e0fecaaabeb243c699789c469d531b57c1b4cf5a7f1918f90e8970c774
SSDEEP

24576:yTjd8EHRD/uFroZKzX/1nnO/1hcBpaKpd9gr4ZrQmX/qYLAeh:4d8O5/ut7dnOthcBpaSMoMmSEFh

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2496	QQEXPL~1.EXE

Loads dropped DLL 2 IoCs

pid	Process
2144	04a3ec3cd511e044c5cb1bcef4a0a38c.exe
2144	04a3ec3cd511e044c5cb1bcef4a0a38c.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	04a3ec3cd511e044c5cb1bcef4a0a38c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2496	QQEXPL~1.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2496	2144	04a3ec3cd511e044c5cb1bcef4a0a38c.exe	28
PID 2144 wrote to memory of 2496	2144	04a3ec3cd511e044c5cb1bcef4a0a38c.exe	28
PID 2144 wrote to memory of 2496	2144	04a3ec3cd511e044c5cb1bcef4a0a38c.exe	28
PID 2144 wrote to memory of 2496	2144	04a3ec3cd511e044c5cb1bcef4a0a38c.exe	28

C:\Users\Admin\AppData\Local\Temp\04a3ec3cd511e044c5cb1bcef4a0a38c.exe
"C:\Users\Admin\AppData\Local\Temp\04a3ec3cd511e044c5cb1bcef4a0a38c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QQEXPL~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QQEXPL~1.EXE
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QQEXPL~1.EXE

Filesize
265KB

MD5
1deeaab805ebe9b084056c8d00ed037c

SHA1
2a4ed9e7a91e20e96e5c6148cbe01b097e4e6f09

SHA256
de31809ade3e3f17ee93bd810f379e8429cfa309a008d85b0210d7f29a072335

SHA512
98aa0ec81beb9ef55785ec1f40ee0a9114d9af44e11aca49ff34924a0fa635a14ba06d51012a99e1ca1d9e72b193bb3a73df49f26776cbd447ebc240b58a8993

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QQEXPL~1.EXE

Filesize
228KB

MD5
3bf4ed6b65f88535616b3ceb4fe54b2b

SHA1
eeee439d74e3189b5848990da34d5722f8293898

SHA256
c7fcfa8439a5e40cb5dc587200a0a862d25bfd9716e336aff4c1112bf72279c8

SHA512
630232d9dc307607f6cbe0f92a83c58a8e83402c633e4f18f4bac39817c7ddf521be74305b5f6d033bf4c1feeb226f8fa1ea70279f03f5b3c883132f8036d798

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\QQEXPL~1.EXE

Filesize
255KB

MD5
68ec72a14fa8f8324b4a6e4ccb88032e

SHA1
9248b20820fd52770e9c9844879fc467d468fbc3

SHA256
de3eb80bad4d857db9ac709abb68d33d8bd7f10ae9134ae908efe80e7d6c5d72

SHA512
393eac22ac6777ce812308e14567954096a15319775fd4b8f45ca46ed917aa29b0f36513f2ecca080817ee5712fb078eff36ac5453b13df0191c83339d233587

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\QQEXPL~1.EXE

Filesize
170KB

MD5
5577f7c200ed78a1418dc32fc1dc6266

SHA1
0c7e3822bdaa99c8e989b1b618834c38f7727caf

SHA256
3584b33517bb18046a05658864e5d557ec2338d20fd92b889cbeeaa57f713845

SHA512
3dcd61b1a4d54299bcac3627d2b33a311482194331f4f4d01b6287df7fda6232f89e632998b0c8c3cf22db489d534de8ebed413c69360674704806bd3d1bcd9f

Download Submit
memory/2144-9-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/2144-16-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/2144-22-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/2144-21-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/2144-26-0x00000000006A0000-0x00000000006F4000-memory.dmp

Filesize
336KB

Download
memory/2144-6-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2144-7-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/2144-1-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/2144-20-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/2144-19-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/2144-18-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/2144-17-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/2144-37-0x0000000001000000-0x00000000011F1000-memory.dmp

Filesize
1.9MB

Download
memory/2144-23-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/2144-15-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/2144-14-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/2144-13-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2144-12-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/2144-11-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/2144-10-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/2144-0-0x0000000001000000-0x00000000011F1000-memory.dmp

Filesize
1.9MB

Download
memory/2144-8-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2144-5-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/2144-4-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2144-3-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/2144-2-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2496-36-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2496-39-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads