98c9acf837fbbc68d049e242f18cb975269c4fbb4b5c9772a2d76dd3f54b65fa

General

Target

72ea3b45b5d105a71168fc7afe30408d.exe
Size

113KB
MD5

72ea3b45b5d105a71168fc7afe30408d
SHA1

a55950992079f23bc9aee95edb09d3b70c417e22
SHA256

98c9acf837fbbc68d049e242f18cb975269c4fbb4b5c9772a2d76dd3f54b65fa
SHA512

b3c51ec3dcacb78d9cded98cbcdb1292756710d95e5a56630bb09b765540363fb859f2b777fd1c1adfb38508a86ec55c8b81d361f95caf81354e296459781fa7
SSDEEP

3072:YgSmjEAN+OkX6A88q8WtC8ete3O8EcZTlyfzGvL9Vv:YgSax+z6ADo79OFJ7GvB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2968	t2k.exe
2564	t1r.exe

Loads dropped DLL 4 IoCs

pid	Process
2904	72ea3b45b5d105a71168fc7afe30408d.exe
2904	72ea3b45b5d105a71168fc7afe30408d.exe
2904	72ea3b45b5d105a71168fc7afe30408d.exe
2904	72ea3b45b5d105a71168fc7afe30408d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	72ea3b45b5d105a71168fc7afe30408d.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\systemtl2jp.dll	t2k.exe
File opened for modification	C:\Windows\SysWOW64\Ir32_a.exe	t1r.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3FDEB171-8F86-0002-0001-69B8DB553683}\InProcServer32\ = "C:\\Windows\\SysWow64\\systemtl2jp.dll"	t2k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3FDEB171-8F86-0002-0001-69B8DB553683}\InProcServer32\ThreadingModel = "Apartment"	t2k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3FDEB171-8F86-0002-0001-69B8DB553683}	t2k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3FDEB171-8F86-0002-0001-69B8DB553683}\	t2k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3FDEB171-8F86-0002-0001-69B8DB553683}\InProcServer32	t2k.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2564	t1r.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	t1r.exe
Token: SeSystemtimePrivilege	2564	t1r.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2968	2904	72ea3b45b5d105a71168fc7afe30408d.exe	19
PID 2904 wrote to memory of 2968	2904	72ea3b45b5d105a71168fc7afe30408d.exe	19
PID 2904 wrote to memory of 2968	2904	72ea3b45b5d105a71168fc7afe30408d.exe	19
PID 2904 wrote to memory of 2968	2904	72ea3b45b5d105a71168fc7afe30408d.exe	19
PID 2968 wrote to memory of 1728	2968	t2k.exe	18
PID 2968 wrote to memory of 1728	2968	t2k.exe	18
PID 2968 wrote to memory of 1728	2968	t2k.exe	18
PID 2968 wrote to memory of 1728	2968	t2k.exe	18
PID 2904 wrote to memory of 2564	2904	72ea3b45b5d105a71168fc7afe30408d.exe	16
PID 2904 wrote to memory of 2564	2904	72ea3b45b5d105a71168fc7afe30408d.exe	16
PID 2904 wrote to memory of 2564	2904	72ea3b45b5d105a71168fc7afe30408d.exe	16
PID 2904 wrote to memory of 2564	2904	72ea3b45b5d105a71168fc7afe30408d.exe	16
PID 2564 wrote to memory of 1268	2564	t1r.exe	7

C:\Users\Admin\AppData\Local\Temp\72ea3b45b5d105a71168fc7afe30408d.exe
"C:\Users\Admin\AppData\Local\Temp\72ea3b45b5d105a71168fc7afe30408d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t1r.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t1r.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2564
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t2k.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t2k.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2968

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\aa.bat" "
1⤵
PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\t2k.exe

Filesize
48KB

MD5
374b6c5f7b3cf5871e3e3a88472fb08b

SHA1
ba90b89ae87ccac33e4723c7a449e8eb2f6250df

SHA256
8133be18e810d9e51d44bb80068aff437dfadc0c2689d6900a770fd1c1b17a82

SHA512
7aade8b644c4f1ea4016417006d041f5827d284a82b8289d22fef148b7105198b32b54f923eaa15d42d8bba851a1ce1ae2510b4f72d088df5a5f50270e0d0aa1

Download Submit
memory/1268-36-0x0000000002980000-0x0000000002988000-memory.dmp

Filesize
32KB

Download
memory/2564-32-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2564-37-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2904-0-0x0000000001000000-0x000000000104C000-memory.dmp

Filesize
304KB

Download
memory/2904-33-0x0000000000180000-0x0000000000193000-memory.dmp

Filesize
76KB

Download
memory/2904-28-0x0000000000180000-0x0000000000193000-memory.dmp

Filesize
76KB

Download
memory/2904-38-0x0000000001000000-0x000000000104C000-memory.dmp

Filesize
304KB

Download
memory/2968-21-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads