08b99e99ead4c703470efdf9e455907f2fdc333c4beed5de8d6bec94d75b67e2

General

Target

784ca02643e990429c39a7c440d2f68f.exe
Size

19.1MB
MD5

784ca02643e990429c39a7c440d2f68f
SHA1

fb5f994173c4897d46405f4831d65802f5cd14c1
SHA256

08b99e99ead4c703470efdf9e455907f2fdc333c4beed5de8d6bec94d75b67e2
SHA512

061b9082de1bfc28d67212317f5ccdd0820003a273f416583e48ebe2f10e656c88a54fc4d20dee33ae8b463c50327a1e54efc3860f34bc2bc9d049bc333fec88
SSDEEP

393216:NiC/Iv06yIWmKiX8JwnQGgknE2Lf4WxTzCWI98rJZpARXTWQ7FKZ:uvxyIrTX8JQdnvLf/TdTAR3BKZ

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
2752	CDS.exe
2560	crypted.exe

Loads dropped DLL 8 IoCs

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	784ca02643e990429c39a7c440d2f68f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

pid	Process
2580	PING.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2752	CDS.exe
2752	CDS.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2752	2440	784ca02643e990429c39a7c440d2f68f.exe	39
PID 2440 wrote to memory of 2752	2440	784ca02643e990429c39a7c440d2f68f.exe	39
PID 2440 wrote to memory of 2752	2440	784ca02643e990429c39a7c440d2f68f.exe	39
PID 2440 wrote to memory of 2752	2440	784ca02643e990429c39a7c440d2f68f.exe	39
PID 2440 wrote to memory of 2752	2440	784ca02643e990429c39a7c440d2f68f.exe	39
PID 2440 wrote to memory of 2752	2440	784ca02643e990429c39a7c440d2f68f.exe	39
PID 2440 wrote to memory of 2752	2440	784ca02643e990429c39a7c440d2f68f.exe	39
PID 2752 wrote to memory of 2560	2752	CDS.exe	38
PID 2752 wrote to memory of 2560	2752	CDS.exe	38
PID 2752 wrote to memory of 2560	2752	CDS.exe	38
PID 2752 wrote to memory of 2560	2752	CDS.exe	38
PID 2752 wrote to memory of 2560	2752	CDS.exe	38
PID 2752 wrote to memory of 2560	2752	CDS.exe	38
PID 2752 wrote to memory of 2560	2752	CDS.exe	38

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\crypted.exe"
1⤵
PID:2932
- C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\CDS.exe
  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\CDS.exe
  2⤵
  PID:380
- - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\crypted.exe"
    3⤵
    PID:1440

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\CDS.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\CDS.exe
1⤵
PID:2000
- C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\crypted.exe"
  2⤵
  PID:2736

C:\Users\Admin\AppData\Local\Temp\CSGO.exe
"C:\Users\Admin\AppData\Local\Temp\CSGO.exe"
1⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
1⤵
PID:1980
- C:\Windows\SysWOW64\csgo\csgo.exe
  "C:\Windows\SysWOW64\csgo\csgo.exe"
  2⤵
  PID:2812

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CDS.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\CDS.exe
1⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\crypted.exe"
1⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CDS.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CDS.exe
1⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\crypted.exe"
1⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CDS.exe
1⤵
PID:2892

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
1⤵
- Executes dropped EXE
PID:2560