818e0c6a88022f0eb31f59f5c9ba901d32340f28946ebcfeee90884b48ff6224

General

Target

133609987b5845873bd41700cd9f098a.exe
Size

191KB
MD5

133609987b5845873bd41700cd9f098a
SHA1

e90efbec5f8e91b552767075c5b928d413b17417
SHA256

818e0c6a88022f0eb31f59f5c9ba901d32340f28946ebcfeee90884b48ff6224
SHA512

ea7fa6804ed261921ce974ed5f073f2b6b126ed3ab051c0d1069b8a56e43eb499963dbba96009676bf97ea53074cd364d0d90166e6ec55e625711a5f2f3dd5c0
SSDEEP

3072:TEH+GiEs2SMylNOjyFbxJM5QcRGkHRQI+zapw42FjJh6N7iGn/BLpPf1ZLVc/TBs:TsehzRFkMkHaPzasFv6NucTPffklJ2jn

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3712	08.exe
5056	QVODSE~1.EXE

Loads dropped DLL 1 IoCs

pid	Process
3712	08.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5056-13-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/5056-15-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/5056-16-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/5056-18-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/5056-20-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/5056-21-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/5056-23-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/5056-25-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/5056-26-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/5056-28-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	133609987b5845873bd41700cd9f098a.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.dll	08.exe

Program crash 1 IoCs

pid	pid_target	Process
1180	3712	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3712	08.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5056	QVODSE~1.EXE
5056	QVODSE~1.EXE
5056	QVODSE~1.EXE

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5056	QVODSE~1.EXE
5056	QVODSE~1.EXE
5056	QVODSE~1.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 3712	736	133609987b5845873bd41700cd9f098a.exe	28
PID 736 wrote to memory of 3712	736	133609987b5845873bd41700cd9f098a.exe	28
PID 736 wrote to memory of 3712	736	133609987b5845873bd41700cd9f098a.exe	28
PID 3712 wrote to memory of 4520	3712	08.exe	18
PID 3712 wrote to memory of 4520	3712	08.exe	18
PID 3712 wrote to memory of 4520	3712	08.exe	18
PID 4520 wrote to memory of 3568	4520	cmd.exe	20
PID 4520 wrote to memory of 3568	4520	cmd.exe	20
PID 4520 wrote to memory of 3568	4520	cmd.exe	20
PID 736 wrote to memory of 5056	736	133609987b5845873bd41700cd9f098a.exe	27
PID 736 wrote to memory of 5056	736	133609987b5845873bd41700cd9f098a.exe	27
PID 736 wrote to memory of 5056	736	133609987b5845873bd41700cd9f098a.exe	27

C:\Users\Admin\AppData\Local\Temp\133609987b5845873bd41700cd9f098a.exe
"C:\Users\Admin\AppData\Local\Temp\133609987b5845873bd41700cd9f098a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:736
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QVODSE~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QVODSE~1.EXE
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5056
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\08.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\08.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3712

C:\Windows\SysWOW64\cmd.exe
cmd /c cacls C:\Windows\system32 /e /p everyone:f
1⤵
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Windows\SysWOW64\cacls.exe
  cacls C:\Windows\system32 /e /p everyone:f
  2⤵
  PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 640
1⤵
- Program crash
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3712 -ip 3712
1⤵
PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\08.exe

Filesize
36KB

MD5
03c078a7170ba7cf51eb07771619fe12

SHA1
732d91e5998d0a1c6fd52d17089cb1ab871e4e67

SHA256
914e59cf12869533b27888b75b9b5e5344e2068c15236938fd4fb6c7a4a962b1

SHA512
d1bf4d6de020425b7f4ce2e327efb25cea53360ee52d0319b3f09740fa915a32c4fe530876711b3dc0e34290fffa4935e10e33a88a057f22429e18b6e5a166fe

Download Submit
memory/5056-13-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5056-15-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5056-16-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5056-18-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5056-20-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5056-21-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5056-23-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5056-25-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5056-26-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5056-28-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads