9007c66480b01bc7facc0b0c16c7946460443d5ec9d69faf31a975ef6be212b6

General

Target

0c8892b46f2e58ca0ef0789ec0a1ef76.exe
Size

688KB
MD5

0c8892b46f2e58ca0ef0789ec0a1ef76
SHA1

32f4e5c400c29aecd3f8066349a512a6fb6364c7
SHA256

9007c66480b01bc7facc0b0c16c7946460443d5ec9d69faf31a975ef6be212b6
SHA512

b6dfac695fb1eebd4997e0a1320b78ce4d6a017cb22d6b347ea3c407b557a558a5ce961e04beaddb3ff0f4d807482b335ac1f5edfc6e41afe75d8f20fc5bc2e0
SSDEEP

12288:DNUSFUl3DT1KoBfh4boHZXdo3zEYWgF3Z4mxxsDqVTVOCp8:5Lw3Dnf6oHZXe3zEbgQmXLVTzp8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2704	4.exe
2680	svghost.exe
784	4.exe

Loads dropped DLL 4 IoCs

pid	Process
2416	0c8892b46f2e58ca0ef0789ec0a1ef76.exe
2416	0c8892b46f2e58ca0ef0789ec0a1ef76.exe
2416	0c8892b46f2e58ca0ef0789ec0a1ef76.exe
2416	0c8892b46f2e58ca0ef0789ec0a1ef76.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0c8892b46f2e58ca0ef0789ec0a1ef76.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\svghost.exe	4.exe
File opened for modification	C:\Windows\svghost.exe	4.exe
File created	C:\Windows\uninstal.bat	4.exe
File opened for modification	C:\Windows\svghost.exe	4.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	4.exe
Token: SeDebugPrivilege	2680	svghost.exe
Token: SeDebugPrivilege	784	4.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2680	svghost.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2704	2416	0c8892b46f2e58ca0ef0789ec0a1ef76.exe	28
PID 2416 wrote to memory of 2704	2416	0c8892b46f2e58ca0ef0789ec0a1ef76.exe	28
PID 2416 wrote to memory of 2704	2416	0c8892b46f2e58ca0ef0789ec0a1ef76.exe	28
PID 2416 wrote to memory of 2704	2416	0c8892b46f2e58ca0ef0789ec0a1ef76.exe	28
PID 2680 wrote to memory of 1716	2680	svghost.exe	30
PID 2680 wrote to memory of 1716	2680	svghost.exe	30
PID 2680 wrote to memory of 1716	2680	svghost.exe	30
PID 2680 wrote to memory of 1716	2680	svghost.exe	30
PID 2704 wrote to memory of 2968	2704	4.exe	31
PID 2704 wrote to memory of 2968	2704	4.exe	31
PID 2704 wrote to memory of 2968	2704	4.exe	31
PID 2704 wrote to memory of 2968	2704	4.exe	31
PID 2704 wrote to memory of 2968	2704	4.exe	31
PID 2704 wrote to memory of 2968	2704	4.exe	31
PID 2704 wrote to memory of 2968	2704	4.exe	31
PID 2416 wrote to memory of 784	2416	0c8892b46f2e58ca0ef0789ec0a1ef76.exe	33
PID 2416 wrote to memory of 784	2416	0c8892b46f2e58ca0ef0789ec0a1ef76.exe	33
PID 2416 wrote to memory of 784	2416	0c8892b46f2e58ca0ef0789ec0a1ef76.exe	33
PID 2416 wrote to memory of 784	2416	0c8892b46f2e58ca0ef0789ec0a1ef76.exe	33

C:\Users\Admin\AppData\Local\Temp\0c8892b46f2e58ca0ef0789ec0a1ef76.exe
"C:\Users\Admin\AppData\Local\Temp\0c8892b46f2e58ca0ef0789ec0a1ef76.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    PID:2968
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:784

C:\Windows\svghost.exe
C:\Windows\svghost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
547KB

MD5
f111806cad97ae8758f64783e61a770f

SHA1
8f62303bb5f83bd40402f00f2b84d404948a7d47

SHA256
1308ffa077b72f8490dc7d98d43e69fad051b1b00c4c1b2960cc6d76d239823d

SHA512
393645b83eb32f380fce125ae895cea9403893b119399972f3ac3077668a9dc9e6f11799c3fb5793355750cff64521fad5bea72ff5f425f763c7acf5da0586be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
727KB

MD5
8d27ea6c18b584956c58f192cc36091b

SHA1
c7c487b6e8e72e1410cab83807c6f2b578710c50

SHA256
0b2b615263cd7ee9fea8b4679a7215d958f292fb7bf5454e01703de46e6db970

SHA512
b2fc4c0c308e0f21f86f227ee1bcdacd4eca584a26f0731e02028c209827f3cc47d330e58ed9df39e0955c02230360a69eddd7d05a85d7aad99ff49b6d229800

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
239KB

MD5
c1ec8fecbba35117c1d8f12765abfead

SHA1
577e9365b2f325d2d412d9974dce50455cbbc364

SHA256
4d77694d587e819d1bf8c3400b9e089ab08485650e6c3e2c11c4982b17263b44

SHA512
4bad12e10b0a613aa22ffaf22df3cba9674145c9247e4883f0db681bfb333e0c2e731567799797ff70a044a525a8a0b37e74a971290abe0a552a3feb6411b7b1

Download Submit
C:\Windows\svghost.exe

Filesize
785KB

MD5
1318f463852de4d46708222a129992d1

SHA1
56f0a2dd207bb4cb4d17c6fab6634e5b69be4ee1

SHA256
1b93312ca05dd5036147b919acf43868439a6bc350fbd2175299918794a311a7

SHA512
7ecffc405c76dc21a596aabba382a51ebb47145d5ea6740054b6948b1d791cfe2bdac39fe0e8053be25c23d623078c263a85f2d3c71f4a4f49b64f2dd9b65438

Download Submit
C:\Windows\uninstal.bat

Filesize
150B

MD5
5edd682a8b1f2bf873300774f954ab03

SHA1
2cca4e743d02dbccf31b784ea26a60c03dcc9637

SHA256
a34c51ec5d2ac66ef75719e7dee61b6e89e74d054712438da2585ec92ce0865a

SHA512
916f0e846a38f63aae996e2a3957fa24fed3bcaa6add68c529e3cc0aa063dca49b98d42c92317bfc2f43d745c492e1e1e6f5db0c986b9682f4b9b0cf0afd7bd2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
701KB

MD5
4fc439d7978d4ec65e9d1bc03a237464

SHA1
701ca4499bfbbf9f4eee8395015453281ca50c59

SHA256
17139bf614371665c5ea6c96b9e440e8e4f1e2074b4083193b17f965decb8d88

SHA512
1a248a0fa013f0d1692a563aaef42d7130e9437cae27efc9f7a4c5c51e9471b694e9627f8772e88b4dd0fc1c6354ffa15de68c35e38c8944cbbd5e79b584b7bf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
394KB

MD5
ef69673663a47e4f0a27bd077b52859f

SHA1
441238a4a93efdc293fd02a15f9f6fc264fa1d96

SHA256
71e57b1529fc72009147bcd0f2ce3faecccad2e55289f0a2e05dc2033e070ecc

SHA512
987c27b6585c39a784ad97c91fb05858069ded0f7debb7694a50aeddf69f59911a2213e90c97da3c91c70569e92070694beb0d033ef25ee0b2d572688cdbdce5

Download Submit
memory/784-54-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/784-52-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2416-8-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2416-13-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2416-24-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2416-22-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2416-21-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/2416-20-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2416-19-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/2416-18-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2416-11-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2416-10-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2416-9-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2416-0-0x0000000001000000-0x0000000001111000-memory.dmp

Filesize
1.1MB

Download
memory/2416-7-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2416-6-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2416-3-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2416-2-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2416-12-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/2416-23-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2416-14-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2416-15-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/2416-16-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/2416-56-0x0000000000250000-0x00000000002A4000-memory.dmp

Filesize
336KB

Download
memory/2416-17-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2416-55-0x0000000001000000-0x0000000001111000-memory.dmp

Filesize
1.1MB

Download
memory/2416-4-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2416-1-0x0000000000250000-0x00000000002A4000-memory.dmp

Filesize
336KB

Download
memory/2416-5-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2680-39-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2680-57-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2680-58-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2680-59-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2680-63-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2704-48-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2704-37-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads