97581894ac55f149b94de29fe27c632a4173c77c049cc46ce48750c06f20d81d

General

Target

060aed3596f437c7e58b822cd5394233.exe
Size

357KB
MD5

060aed3596f437c7e58b822cd5394233
SHA1

fa55463767cfa6cff6fa123f5a8a74a66c94324a
SHA256

97581894ac55f149b94de29fe27c632a4173c77c049cc46ce48750c06f20d81d
SHA512

29a2f8f3fcafe26efbc2e8298b94195d6d60b20536e73ac61080817b980e512daa992d55e0d83eaf698f8017046b2431be6281309da328254f219dd5c2841cf1
SSDEEP

6144:4IpbRF2idZecnl20lHRxp3g5rI0EnezGM7HSJkYAmhd5Ugh7TgdfB:TpbrF3Z4mxxknUqGGGkYThd5UcOp

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2816	4.exe
1288	4.exe

Loads dropped DLL 2 IoCs

pid	Process
1444	060aed3596f437c7e58b822cd5394233.exe
1444	060aed3596f437c7e58b822cd5394233.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	060aed3596f437c7e58b822cd5394233.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\4.exe	4.exe
File opened for modification	C:\Windows\SysWOW64\4.exe	4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2816	4.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 2816	1444	060aed3596f437c7e58b822cd5394233.exe	28
PID 1444 wrote to memory of 2816	1444	060aed3596f437c7e58b822cd5394233.exe	28
PID 1444 wrote to memory of 2816	1444	060aed3596f437c7e58b822cd5394233.exe	28
PID 1444 wrote to memory of 2816	1444	060aed3596f437c7e58b822cd5394233.exe	28
PID 2816 wrote to memory of 2680	2816	4.exe	30
PID 2816 wrote to memory of 2680	2816	4.exe	30
PID 2816 wrote to memory of 2680	2816	4.exe	30
PID 2816 wrote to memory of 2680	2816	4.exe	30

C:\Users\Admin\AppData\Local\Temp\060aed3596f437c7e58b822cd5394233.exe
"C:\Users\Admin\AppData\Local\Temp\060aed3596f437c7e58b822cd5394233.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe > nul
    3⤵
    PID:2680

C:\Windows\SysWOW64\4.exe
C:\Windows\SysWOW64\4.exe
1⤵
- Executes dropped EXE
PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
21KB

MD5
a53105885bfbb992e3762a16cbbf7464

SHA1
981c848789e283a71f77ce76a8c09c5d40bdf62e

SHA256
2ae334d84d892b4a69d25339f590de3d6a3ffd07f092e49bca463a712ae67656

SHA512
675e317d8c18ceba7a939342ed99b9a5cfaf689cd8b7d9ff807f8028421818d3ce2ab805aaa0954e19254dbbd5e2fdfedeeb7297fc2e50cbd54b51ae27a72cb9

Download Submit
memory/1288-40-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1444-9-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/1444-6-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1444-23-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1444-21-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/1444-20-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/1444-19-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/1444-18-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/1444-17-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1444-16-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1444-15-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1444-14-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/1444-13-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1444-12-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1444-11-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1444-22-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/1444-0-0x0000000001000000-0x0000000001071000-memory.dmp

Filesize
452KB

Download
memory/1444-4-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1444-5-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1444-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1444-3-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1444-2-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1444-1-0x00000000001C0000-0x0000000000214000-memory.dmp

Filesize
336KB

Download
memory/1444-26-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1444-10-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1444-34-0x00000000030D0000-0x0000000003116000-memory.dmp

Filesize
280KB

Download
memory/1444-35-0x00000000030D0000-0x0000000003116000-memory.dmp

Filesize
280KB

Download
memory/1444-43-0x00000000001C0000-0x0000000000214000-memory.dmp

Filesize
336KB

Download
memory/1444-8-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1444-42-0x0000000001000000-0x0000000001071000-memory.dmp

Filesize
452KB

Download
memory/2816-41-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2816-36-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads