51f86163a42d075e226d7cfdab67ea6ff876f986c6ce20c35ab6cfc85cadb53a

General

Target

2e404029e99d2a78790b45bcefc41d08.exe
Size

1.5MB
MD5

2e404029e99d2a78790b45bcefc41d08
SHA1

db3f2986ba0b6454b23d7125da364449c07cf135
SHA256

51f86163a42d075e226d7cfdab67ea6ff876f986c6ce20c35ab6cfc85cadb53a
SHA512

97a4b7d72d906f17eb2b3027dfb3852b753423ad0a14fb1b2528ce6a35e5b660a53824e1450111ab2232efab56a7ff37068452dda00a28bad3ed832fa690c765
SSDEEP

24576:c08eEfXxOuxjBNd5nrBxfk71tpqPvFQBGZvT3akwgvLJZDcOLNiMHpjL5:N8LfX9jhBxsoPvFQor3a/sLJZDckNHpZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
312	FACEBO~1.EXE
1096	Driver.exe
4640	COPIED~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2e404029e99d2a78790b45bcefc41d08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	FACEBO~1.EXE

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ADVAPI32.dll	FACEBO~1.EXE
File created	C:\Windows\SysWOW64\ADVAPI32.dll	FACEBO~1.EXE
File opened for modification	C:\Windows\SysWOW64\COMCTL32.dll	FACEBO~1.EXE
File created	C:\Windows\SysWOW64\COMCTL32.dll	FACEBO~1.EXE
File opened for modification	C:\Windows\SysWOW64\VERSION.dll	FACEBO~1.EXE
File created	C:\Windows\SysWOW64\VERSION.dll	FACEBO~1.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1096	Driver.exe
1096	Driver.exe
1096	Driver.exe
1096	Driver.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4640	COPIED~1.EXE
4640	COPIED~1.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 312	1536	2e404029e99d2a78790b45bcefc41d08.exe	26
PID 1536 wrote to memory of 312	1536	2e404029e99d2a78790b45bcefc41d08.exe	26
PID 1536 wrote to memory of 312	1536	2e404029e99d2a78790b45bcefc41d08.exe	26
PID 312 wrote to memory of 1096	312	FACEBO~1.EXE	28
PID 312 wrote to memory of 1096	312	FACEBO~1.EXE	28
PID 312 wrote to memory of 1096	312	FACEBO~1.EXE	28
PID 1096 wrote to memory of 3428	1096	Driver.exe	49
PID 1096 wrote to memory of 3428	1096	Driver.exe	49
PID 1096 wrote to memory of 3428	1096	Driver.exe	49
PID 1096 wrote to memory of 3428	1096	Driver.exe	49
PID 1536 wrote to memory of 4640	1536	2e404029e99d2a78790b45bcefc41d08.exe	99
PID 1536 wrote to memory of 4640	1536	2e404029e99d2a78790b45bcefc41d08.exe	99
PID 1536 wrote to memory of 4640	1536	2e404029e99d2a78790b45bcefc41d08.exe	99

C:\Users\Admin\AppData\Local\Temp\2e404029e99d2a78790b45bcefc41d08.exe
"C:\Users\Admin\AppData\Local\Temp\2e404029e99d2a78790b45bcefc41d08.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FACEBO~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FACEBO~1.EXE
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:312
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Driver.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Driver.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1096
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COPIED~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\COPIED~1.EXE
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4640

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/312-10-0x0000000000580000-0x00000000005B9000-memory.dmp

Filesize
228KB

Download
memory/312-12-0x0000000077242000-0x0000000077243000-memory.dmp

Filesize
4KB

Download
memory/312-32-0x0000000001000000-0x00000000010DC000-memory.dmp

Filesize
880KB

Download
memory/312-20-0x0000000001000000-0x00000000010DC000-memory.dmp

Filesize
880KB

Download
memory/312-19-0x0000000000660000-0x0000000000670000-memory.dmp

Filesize
64KB

Download
memory/312-16-0x0000000077233000-0x0000000077234000-memory.dmp

Filesize
4KB

Download
memory/312-15-0x0000000077243000-0x0000000077244000-memory.dmp

Filesize
4KB

Download
memory/312-7-0x0000000001000000-0x00000000010DC000-memory.dmp

Filesize
880KB

Download
memory/312-9-0x0000000000510000-0x0000000000514000-memory.dmp

Filesize
16KB

Download
memory/312-11-0x00000000006B0000-0x00000000006C0000-memory.dmp

Filesize
64KB

Download
memory/312-13-0x0000000000D30000-0x0000000000D40000-memory.dmp

Filesize
64KB

Download
memory/312-8-0x0000000001000000-0x00000000010DC000-memory.dmp

Filesize
880KB

Download
memory/312-14-0x00000000760B0000-0x00000000761A0000-memory.dmp

Filesize
960KB

Download
memory/312-33-0x00000000760B0000-0x00000000761A0000-memory.dmp

Filesize
960KB

Download
memory/312-34-0x0000000000580000-0x00000000005B9000-memory.dmp

Filesize
228KB

Download
memory/1096-31-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1096-25-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1096-24-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/1096-30-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/3428-27-0x000000007FFD0000-0x000000007FFD1000-memory.dmp

Filesize
4KB

Download
memory/3428-26-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/4640-38-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/4640-39-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads