3d6533fc7e36445d6d153810fefcca4edf3cb19f215c587ce5981c2451b17b6b

General

Target

0e61d7c0e3623227bc01746a8ef1aa49.exe
Size

1.1MB
MD5

0e61d7c0e3623227bc01746a8ef1aa49
SHA1

3a7f4ade88c90cc6337f4328203bcbf312982d8f
SHA256

3d6533fc7e36445d6d153810fefcca4edf3cb19f215c587ce5981c2451b17b6b
SHA512

41728797dd21387754c133e8b7b92e5be631c2227dd68db895751987e584627d30c786539eb9c813c635e46c916fb9ee7b59c2bdb87d087a2092fdc0abb25a52
SSDEEP

24576:fgTx3/uEeDZcCH4+9a8depEUQpK3uEKjkw3CC6UtpAgzLIuo1h5jK:22EyZcCH9a8wpEJ8aChZiLeVj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4300	CLEANM~1.EXE
872	CLEANM~1.EXE
1484	autorun.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000800000002320e-14.dat	upx
behavioral2/memory/1484-15-0x0000000000400000-0x00000000006F3000-memory.dmp	upx
behavioral2/files/0x000800000002320e-13.dat	upx
behavioral2/memory/1484-26-0x0000000000400000-0x00000000006F3000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0e61d7c0e3623227bc01746a8ef1aa49.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4300 set thread context of 872	4300	CLEANM~1.EXE	30

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
872	CLEANM~1.EXE
872	CLEANM~1.EXE
872	CLEANM~1.EXE
872	CLEANM~1.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 4300	1308	0e61d7c0e3623227bc01746a8ef1aa49.exe	24
PID 1308 wrote to memory of 4300	1308	0e61d7c0e3623227bc01746a8ef1aa49.exe	24
PID 1308 wrote to memory of 4300	1308	0e61d7c0e3623227bc01746a8ef1aa49.exe	24
PID 4300 wrote to memory of 872	4300	CLEANM~1.EXE	30
PID 4300 wrote to memory of 872	4300	CLEANM~1.EXE	30
PID 4300 wrote to memory of 872	4300	CLEANM~1.EXE	30
PID 4300 wrote to memory of 872	4300	CLEANM~1.EXE	30
PID 4300 wrote to memory of 872	4300	CLEANM~1.EXE	30
PID 4300 wrote to memory of 872	4300	CLEANM~1.EXE	30
PID 4300 wrote to memory of 872	4300	CLEANM~1.EXE	30
PID 1308 wrote to memory of 1484	1308	0e61d7c0e3623227bc01746a8ef1aa49.exe	29
PID 1308 wrote to memory of 1484	1308	0e61d7c0e3623227bc01746a8ef1aa49.exe	29
PID 1308 wrote to memory of 1484	1308	0e61d7c0e3623227bc01746a8ef1aa49.exe	29
PID 872 wrote to memory of 3364	872	CLEANM~1.EXE	52
PID 872 wrote to memory of 3364	872	CLEANM~1.EXE	52
PID 872 wrote to memory of 3364	872	CLEANM~1.EXE	52
PID 872 wrote to memory of 3364	872	CLEANM~1.EXE	52

C:\Users\Admin\AppData\Local\Temp\0e61d7c0e3623227bc01746a8ef1aa49.exe
"C:\Users\Admin\AppData\Local\Temp\0e61d7c0e3623227bc01746a8ef1aa49.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CLEANM~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CLEANM~1.EXE
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CLEANM~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CLEANM~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:872
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\autorun.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\autorun.exe
  2⤵
  - Executes dropped EXE
  PID:1484

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CLEANM~1.EXE

Filesize
26KB

MD5
00fbb2222a93394dadcb7968bf05e7f0

SHA1
f4ca33ff9a4fb242853b280c9075d59d48f28286

SHA256
8057480a1954dbf35bc891b3453cc4c8ca9a6599124dbe31a97199fb82c0b18a

SHA512
f03027503f0afc0d8160870a7e691dc192a83b2fdaaae0a43fb076c0bb3a5b7185bdd46fbc4472d087b821c2d6a940f28f3afc4f4fdf818c2078cf3e91e82da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CLEANM~1.EXE

Filesize
57KB

MD5
29a488bc8c0cda7bb3f488b1125e20ca

SHA1
8e15f27bbafd6b12267d19a395b9d5411520657c

SHA256
b38ea6f50c498b21cb241b54dec996f1eaa8e890e4c8803000c1e0fc9689dbc4

SHA512
f0e59ea3382b75bce7a07b59993dea201c01f320ce0241de35d2caea5c15e92dbfec4eacb727f0ab94fa0e80cf48d53155d5082790cf3a3015541493d986fd26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CLEANM~1.EXE

Filesize
14KB

MD5
d09e7358b89fe509cc2e38d67a45a8fb

SHA1
50763c50715a6df16ae9e1986daee5d28fc6b7bd

SHA256
4b662323508b1110e2847ad8c3f981f97c0abf039ca0f8e67742c433a146754a

SHA512
f891cfc699d2f49c34bbd8c7e775ecb15ba1ad8751aceecab88a136173168084dd855ad8a7482ef0ae3385cc6784a543040e57a42ece3471fec2e77cb721608f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\autorun.exe

Filesize
27KB

MD5
2734bf2f34e15ab515d70f3b34052616

SHA1
ea0f0411edeca4bacc61e2ea280670fec0d7b8a7

SHA256
396890233d557fc2f74233eb35486823fa2e4142e7a2c7aceba2a938e0c252ec

SHA512
11c616027396c226e37e84701582f41bf7ac512e88a75f937c8f4627db2cb3f1ccce7bd0dde547510ad202f556cd31cbfb337234c6b7217eb35ae833defee3a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\autorun.exe

Filesize
17KB

MD5
012d110bf6abc8afc6f7dfc9ee84ae07

SHA1
2b5bea9f98525e94b8dde883fcebcb85ffe4ce11

SHA256
3065e4ce756c1f074f4a293ead98b2369ff42776d4dbc49774023ab5531821de

SHA512
437c388291826b3e632ba0cc6633821a1127fcd9ace7061631dcb4150e8ce617385d80f623744b628a54b5ed2f76dd965a75595897e28e50a8e01d4ec7902ed2

Download Submit
memory/872-18-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/872-10-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/872-16-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/872-24-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/872-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/872-7-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/872-25-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1484-15-0x0000000000400000-0x00000000006F3000-memory.dmp

Filesize
2.9MB

Download
memory/1484-17-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1484-26-0x0000000000400000-0x00000000006F3000-memory.dmp

Filesize
2.9MB

Download
memory/1484-28-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/3364-20-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download
memory/3364-19-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads