b15800d9e86b483c3c2473e20255c247c4879c5d9305590b2eb779871bb136fb

General

Target

08335bdd48a24722cad27405aa41b915.exe
Size

2.5MB
MD5

08335bdd48a24722cad27405aa41b915
SHA1

176854b69dfab7ec3520e25f90dbc516ff7672d4
SHA256

b15800d9e86b483c3c2473e20255c247c4879c5d9305590b2eb779871bb136fb
SHA512

4897e5818a582646991560b19c32db33aaf0dada0051bd258d153a4234a648be9b4521079fde3041188ddca74005da36ffbacfee6c25947cda6a61aa6b1f148b
SSDEEP

49152:GDKeuUS/fe2a2AN8jrqXgOWqaSyJYhZcn3uOoaX6uKP5P0z4YxAwuLNKRUqHyuHg:QK5UUeOk8jrqXLyW3yuIQKhSwuRWSaHH

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Ue3JF47.exefv8zB07.exe2Dd4530.exe

pid process

2088 Ue3JF47.exe
1968 fv8zB07.exe
2184 2Dd4530.exe
Loads dropped DLL 6 IoCs

Processes:

08335bdd48a24722cad27405aa41b915.exeUe3JF47.exefv8zB07.exe2Dd4530.exe

pid process

1072 08335bdd48a24722cad27405aa41b915.exe
2088 Ue3JF47.exe
2088 Ue3JF47.exe
1968 fv8zB07.exe
1968 fv8zB07.exe
2184 2Dd4530.exe

pid	process
2088	Ue3JF47.exe
1968	fv8zB07.exe
2184	2Dd4530.exe

pid	process
1072	08335bdd48a24722cad27405aa41b915.exe
2088	Ue3JF47.exe
2088	Ue3JF47.exe
1968	fv8zB07.exe
1968	fv8zB07.exe
2184	2Dd4530.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

08335bdd48a24722cad27405aa41b915.exeUe3JF47.exefv8zB07.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	08335bdd48a24722cad27405aa41b915.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ue3JF47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	fv8zB07.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

68 ipinfo.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2308 2788 WerFault.exe 5tt6EV0.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1312 schtasks.exe
1884 schtasks.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

2Dd4530.exe

pid process

2184 2Dd4530.exe
2184 2Dd4530.exe
2184 2Dd4530.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

2Dd4530.exe

pid process

2184 2Dd4530.exe
2184 2Dd4530.exe
2184 2Dd4530.exe

flow	ioc
68	ipinfo.io

pid	pid_target	process	target process
2308	2788	WerFault.exe	5tt6EV0.exe

pid	process
1312	schtasks.exe
1884	schtasks.exe

pid	process
2184	2Dd4530.exe
2184	2Dd4530.exe
2184	2Dd4530.exe

pid	process
2184	2Dd4530.exe
2184	2Dd4530.exe
2184	2Dd4530.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

08335bdd48a24722cad27405aa41b915.exeUe3JF47.exefv8zB07.exe2Dd4530.exe

description	pid	process	target process
PID 1072 wrote to memory of 2088	1072	08335bdd48a24722cad27405aa41b915.exe	Ue3JF47.exe
PID 1072 wrote to memory of 2088	1072	08335bdd48a24722cad27405aa41b915.exe	Ue3JF47.exe
PID 1072 wrote to memory of 2088	1072	08335bdd48a24722cad27405aa41b915.exe	Ue3JF47.exe
PID 1072 wrote to memory of 2088	1072	08335bdd48a24722cad27405aa41b915.exe	Ue3JF47.exe
PID 1072 wrote to memory of 2088	1072	08335bdd48a24722cad27405aa41b915.exe	Ue3JF47.exe
PID 1072 wrote to memory of 2088	1072	08335bdd48a24722cad27405aa41b915.exe	Ue3JF47.exe
PID 1072 wrote to memory of 2088	1072	08335bdd48a24722cad27405aa41b915.exe	Ue3JF47.exe
PID 2088 wrote to memory of 1968	2088	Ue3JF47.exe	fv8zB07.exe
PID 2088 wrote to memory of 1968	2088	Ue3JF47.exe	fv8zB07.exe
PID 2088 wrote to memory of 1968	2088	Ue3JF47.exe	fv8zB07.exe
PID 2088 wrote to memory of 1968	2088	Ue3JF47.exe	fv8zB07.exe
PID 2088 wrote to memory of 1968	2088	Ue3JF47.exe	fv8zB07.exe
PID 2088 wrote to memory of 1968	2088	Ue3JF47.exe	fv8zB07.exe
PID 2088 wrote to memory of 1968	2088	Ue3JF47.exe	fv8zB07.exe
PID 1968 wrote to memory of 2184	1968	fv8zB07.exe	2Dd4530.exe
PID 1968 wrote to memory of 2184	1968	fv8zB07.exe	2Dd4530.exe
PID 1968 wrote to memory of 2184	1968	fv8zB07.exe	2Dd4530.exe
PID 1968 wrote to memory of 2184	1968	fv8zB07.exe	2Dd4530.exe
PID 1968 wrote to memory of 2184	1968	fv8zB07.exe	2Dd4530.exe
PID 1968 wrote to memory of 2184	1968	fv8zB07.exe	2Dd4530.exe
PID 1968 wrote to memory of 2184	1968	fv8zB07.exe	2Dd4530.exe
PID 2184 wrote to memory of 2588	2184	2Dd4530.exe	iexplore.exe
PID 2184 wrote to memory of 2588	2184	2Dd4530.exe	iexplore.exe
PID 2184 wrote to memory of 2588	2184	2Dd4530.exe	iexplore.exe
PID 2184 wrote to memory of 2588	2184	2Dd4530.exe	iexplore.exe
PID 2184 wrote to memory of 2588	2184	2Dd4530.exe	iexplore.exe
PID 2184 wrote to memory of 2588	2184	2Dd4530.exe	iexplore.exe
PID 2184 wrote to memory of 2588	2184	2Dd4530.exe	iexplore.exe
PID 2184 wrote to memory of 2696	2184	2Dd4530.exe	iexplore.exe
PID 2184 wrote to memory of 2696	2184	2Dd4530.exe	iexplore.exe
PID 2184 wrote to memory of 2696	2184	2Dd4530.exe	iexplore.exe
PID 2184 wrote to memory of 2696	2184	2Dd4530.exe	iexplore.exe
PID 2184 wrote to memory of 2696	2184	2Dd4530.exe	iexplore.exe
PID 2184 wrote to memory of 2696	2184	2Dd4530.exe	iexplore.exe
PID 2184 wrote to memory of 2696	2184	2Dd4530.exe	iexplore.exe
PID 2184 wrote to memory of 2708	2184	2Dd4530.exe	iexplore.exe
PID 2184 wrote to memory of 2708	2184	2Dd4530.exe	iexplore.exe
PID 2184 wrote to memory of 2708	2184	2Dd4530.exe	iexplore.exe
PID 2184 wrote to memory of 2708	2184	2Dd4530.exe	iexplore.exe
PID 2184 wrote to memory of 2708	2184	2Dd4530.exe	iexplore.exe
PID 2184 wrote to memory of 2708	2184	2Dd4530.exe	iexplore.exe
PID 2184 wrote to memory of 2708	2184	2Dd4530.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\08335bdd48a24722cad27405aa41b915.exe
"C:\Users\Admin\AppData\Local\Temp\08335bdd48a24722cad27405aa41b915.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1072

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ue3JF47.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ue3JF47.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2088

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
1⤵
PID:2588

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:275457 /prefetch:2
2⤵
PID:2504

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2696 CREDAT:275457 /prefetch:2
1⤵
PID:2456

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:275457 /prefetch:2
1⤵
PID:2920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
1⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5tt6EV0.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5tt6EV0.exe
1⤵
PID:2788

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
2⤵
PID:2084

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:1312

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
2⤵
PID:488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 2420
2⤵
- Program crash
PID:2308

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/
1⤵
PID:2708

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://facebook.com/login
1⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Dd4530.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Dd4530.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
1⤵
- Creates scheduled task(s)
PID:1884

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fv8zB07.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fv8zB07.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1968

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ue3JF47.exe
Filesize
894KB

MD5
5c78a47219465b9e1756e4cc77af2de2

SHA1
4cce774db93d89bc78200f7b9d8435494d3e3595

SHA256
382b20743bd9cfdf97eef91aa068cf2be5143e441b831495bc84679982fcf5a4

SHA512
210438546954546aed8d5f6ab31db60e968b4352203b9c8df38ad3522190e53848b7e1d0eaf30386ba51b6e4b57ceb30c7a3f2d237590c984f9edc17f70a0e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ue3JF47.exe
Filesize
1.1MB

MD5
02d928fdb191300e05b78cbf447d9379

SHA1
814aa4ac92ad3bb758e2605ce0f1f8c6d425c3b5

SHA256
8695be132404ef969f8cf5e20929231151209801a20bdaef8b7823bcd75715bc

SHA512
16e5f32cff768aee52156b1afc04ee360aecde1794d62959bb71c5d7e677c64e6521a6097d71e1b99544d6db2da4fff773d3e3b0b061c3048559a648640ae0dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fv8zB07.exe
Filesize
92KB

MD5
faa3b542733f4f8d1e79ff7a33a79e26

SHA1
c2684f80e4603cdd432fcdcaab594e7a578d2f9a

SHA256
712c0eabdb9197db4b8f02c3c78937c5810a27a67ffea86eb94614947f7518c4

SHA512
eda7a10561adbb47597735ed16716e7f69808dc6b4c50232ac596b65349980c6bbb92b9fd16823befcc1b6a0a1edc43d204dd9b6adad514d7fc37059bae80e75

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ue3JF47.exe
Filesize
896KB

MD5
5641d068d22abbf5265d06adb03e14c1

SHA1
332aaeed2fbff5841b3cf37ad40cf5ece1e1a77c

SHA256
d7ed3e49f511507a75de35577d214255fcc916b37d520d8d376085dde425f84d

SHA512
7e40f864cf6b0c293b4864d9249d37e46839d654e982104e011abe258b9f81ec6a5644a952336e63ec64bc39d04cb045fb7aa2dfbf3f35f7899ca0fe0e895190

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ue3JF47.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\fv8zB07.exe
Filesize
99KB

MD5
3ff21aa53f2591478420a9de8222e5ec

SHA1
3f9179bfbe344c937caf1da0eec1fd556e47ddd4

SHA256
0d80a2eda7e65076b551827e5b4f7c6107c54b03623657e6dfd30ea067d205d2

SHA512
61616575cf36efdbe6b274a965c2fbbaff2e1c3edd9498c5d9155d948ccfca70de609e287cab1b10658941577ebac87460c993fd322c70502e1c5ee941283ad0

Download Submit
memory/1968-33-0x0000000002A40000-0x0000000002E9E000-memory.dmp

Filesize
4.4MB

Download
memory/2336-47-0x000000006D8A0000-0x000000006DE4B000-memory.dmp

Filesize
5.7MB

Download
memory/2336-45-0x000000006D8A0000-0x000000006DE4B000-memory.dmp

Filesize
5.7MB

Download
memory/2336-46-0x0000000002BD0000-0x0000000002C10000-memory.dmp

Filesize
256KB

Download
memory/2788-55-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/2788-42-0x0000000000100000-0x000000000055E000-memory.dmp

Filesize
4.4MB

Download
memory/2788-37-0x0000000000100000-0x000000000055E000-memory.dmp

Filesize
4.4MB

Download
memory/2788-38-0x00000000012C0000-0x000000000171E000-memory.dmp

Filesize
4.4MB

Download
memory/2788-350-0x0000000000100000-0x000000000055E000-memory.dmp

Filesize
4.4MB

Download
memory/2788-990-0x00000000012C0000-0x000000000171E000-memory.dmp

Filesize
4.4MB

Download
memory/2788-1081-0x0000000000100000-0x000000000055E000-memory.dmp

Filesize
4.4MB

Download
memory/2788-1094-0x0000000000100000-0x000000000055E000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads