a8b8b0f8cb5ab46a10986ee2e868852e21c9910a0ae0bc9197474fb10127968e

General

Target

1a0b7ec112e6c2133d7336acce846b3f.exe
Size

488KB
MD5

1a0b7ec112e6c2133d7336acce846b3f
SHA1

e49757a901c694936640a7aa780be9644a3041f3
SHA256

a8b8b0f8cb5ab46a10986ee2e868852e21c9910a0ae0bc9197474fb10127968e
SHA512

db64ccf90ac5fd001c42099e4722888fa21e4e87bdbb6e51caf875678b49ac7d562946271db56717f721814efe25acf820016b35d4f81e9050feb49394efb5ad
SSDEEP

12288:PtyPPTS3rYED+7X2OW8dbDBSlhaceMJnY:sXT1Ey7X2+Du2M

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4468	pxador.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchosts.exe = "C:\\WINDOWS\\msapps\\msinfo\\aprouch\\svchosts.exe"	1a0b7ec112e6c2133d7336acce846b3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pxador.exe = "C:\\WINDOWS\\msapps\\msinfo\\aprouch\\pxador.exe"	1a0b7ec112e6c2133d7336acce846b3f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchosts.exe = "C:\\WINDOWS\\msapps\\msinfo\\aprouch\\svchosts.exe"	pxador.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pxador.exe = "C:\\WINDOWS\\msapps\\msinfo\\aprouch\\pxador.exe"	pxador.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\msapps\msinfo\aprouch\out.exe	pxador.exe
File created	C:\WINDOWS\explo.bat	1a0b7ec112e6c2133d7336acce846b3f.exe
File created	C:\WINDOWS\msapps\msinfo\aprouch\pxador.exe	1a0b7ec112e6c2133d7336acce846b3f.exe
File opened for modification	C:\WINDOWS\msapps\msinfo\aprouch\pxador.exe	1a0b7ec112e6c2133d7336acce846b3f.exe
File opened for modification	C:\WINDOWS\explo.bat	pxador.exe
File created	C:\WINDOWS\msapps\msinfo\aprouch\update.exe	pxador.exe
File created	C:\WINDOWS\msapps\msinfo\aprouch\out.exe	pxador.exe
File opened for modification	C:\WINDOWS\msapps\msinfo\aprouch\update.exe	pxador.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1780	reg.exe
2172	reg.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 4772	4072	1a0b7ec112e6c2133d7336acce846b3f.exe	22
PID 4072 wrote to memory of 4772	4072	1a0b7ec112e6c2133d7336acce846b3f.exe	22
PID 4072 wrote to memory of 4772	4072	1a0b7ec112e6c2133d7336acce846b3f.exe	22
PID 4772 wrote to memory of 1780	4772	cmd.exe	23
PID 4772 wrote to memory of 1780	4772	cmd.exe	23
PID 4772 wrote to memory of 1780	4772	cmd.exe	23
PID 4072 wrote to memory of 4468	4072	1a0b7ec112e6c2133d7336acce846b3f.exe	96
PID 4072 wrote to memory of 4468	4072	1a0b7ec112e6c2133d7336acce846b3f.exe	96
PID 4072 wrote to memory of 4468	4072	1a0b7ec112e6c2133d7336acce846b3f.exe	96
PID 4468 wrote to memory of 4780	4468	pxador.exe	98
PID 4468 wrote to memory of 4780	4468	pxador.exe	98
PID 4468 wrote to memory of 4780	4468	pxador.exe	98
PID 4780 wrote to memory of 2172	4780	cmd.exe	99
PID 4780 wrote to memory of 2172	4780	cmd.exe	99
PID 4780 wrote to memory of 2172	4780	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\1a0b7ec112e6c2133d7336acce846b3f.exe
"C:\Users\Admin\AppData\Local\Temp\1a0b7ec112e6c2133d7336acce846b3f.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\WINDOWS\explo.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1780
- C:\WINDOWS\msapps\msinfo\aprouch\pxador.exe
  C:\WINDOWS\msapps\msinfo\aprouch\pxador.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\WINDOWS\explo.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /F
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\explo.bat

Filesize
77B

MD5
842a5b9784004744843472d6c3440c60

SHA1
a61b7111c76dec741fb98b1eef6e6c45a02e6091

SHA256
f335661fabddf3ecca56756521b02fc9ae3c28952054eb8001dd6563a1c3b70b

SHA512
89a97e327c595239ba0d4718b09d6bb89a284b030ce32a4d54d8c81a964d13038f1e2107bb19c90a62a90036358cd6ffcd01699b310ebb74905254357fda876b

Download Submit
C:\WINDOWS\msapps\msinfo\aprouch\pxador.exe

Filesize
148KB

MD5
8e3ae5ddafb14401d82924b4ffbbd7d2

SHA1
ac71a0f96fd449d5fe60d933af6e3a1c0ab2b90a

SHA256
99720b70bce84554160af1fe1dc97d2f381d67267344bd8d7734d653df2ecce6

SHA512
9df8653e5753aee68fb902f6a2296077e7dccb97be7da9749f328dfbc59c85e23a1d53f740d3e1876493935b9f6e9bd6da68fef5ea2056b5e4839b93ae952e39

Download Submit
C:\Windows\msapps\msinfo\aprouch\pxador.exe

Filesize
210KB

MD5
fa45300f04a956adbe1112bc047e68c5

SHA1
143033c4aeabb1dec8a752f48c285c7b40b69c76

SHA256
2114031e4f94227c7bebc4446d5c754fdced567a289f69f2d680545e960562ce

SHA512
17b6f8494c1707405a3afa537102e64eb3bea2be4e150c469ebacd32b2078dd4d244ccfec6bec4fbc38c332897e3844d89dd2188c0fdb530f8ea3ebdc99ff515

Download Submit
memory/4072-0-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/4072-12-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4468-8-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/4468-19-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4468-51-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads