9d29e46279d436e1a9f05030b652779510edc61a9d4fb076b4b8b50a58496f48

General

Target

ad3d39bc31160d8078d263efd22d03e16642c9a5158fdcc201917f642edadbeb.exe
Size

4.7MB
MD5

e1b479517b08d166306f1cc258a1860e
SHA1

3ce511c50f9b8f8f80c9f2dd0e1fccdb22137dea
SHA256

ad3d39bc31160d8078d263efd22d03e16642c9a5158fdcc201917f642edadbeb
SHA512

7be43e0aeda958b2c63b5961ba7bee46e77d1322b69a31b5e48bd7a99a280bb4f0a959b2169713952f4395ff60767565a06c811dbd8f5b8db11b09526c8bc229
SSDEEP

98304:XtwMrEmF6o69khxgoV55TJusJkEQefpCHH/B/JW7kqObjGAFGA3WwGcbeht6:XtwMrS1u9tJkERfp+9hGAFNGGZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1048	Setup.Exe

Loads dropped DLL 4 IoCs

pid	Process
2916	ad3d39bc31160d8078d263efd22d03e16642c9a5158fdcc201917f642edadbeb.exe
1048	Setup.Exe
1048	Setup.Exe
1048	Setup.Exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ad3d39bc31160d8078d263efd22d03e16642c9a5158fdcc201917f642edadbeb.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	Setup.Exe
File opened (read-only)	\??\A:	Setup.Exe
File opened (read-only)	\??\I:	Setup.Exe
File opened (read-only)	\??\R:	Setup.Exe
File opened (read-only)	\??\O:	Setup.Exe
File opened (read-only)	\??\T:	Setup.Exe
File opened (read-only)	\??\Z:	Setup.Exe
File opened (read-only)	\??\H:	Setup.Exe
File opened (read-only)	\??\K:	Setup.Exe
File opened (read-only)	\??\L:	Setup.Exe
File opened (read-only)	\??\M:	Setup.Exe
File opened (read-only)	\??\Q:	Setup.Exe
File opened (read-only)	\??\S:	Setup.Exe
File opened (read-only)	\??\V:	Setup.Exe
File opened (read-only)	\??\E:	Setup.Exe
File opened (read-only)	\??\G:	Setup.Exe
File opened (read-only)	\??\J:	Setup.Exe
File opened (read-only)	\??\U:	Setup.Exe
File opened (read-only)	\??\W:	Setup.Exe
File opened (read-only)	\??\Y:	Setup.Exe
File opened (read-only)	\??\B:	Setup.Exe
File opened (read-only)	\??\N:	Setup.Exe
File opened (read-only)	\??\P:	Setup.Exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1048	Setup.Exe
Token: SeIncreaseQuotaPrivilege	1048	Setup.Exe
Token: SeRestorePrivilege	2080	msiexec.exe
Token: SeTakeOwnershipPrivilege	2080	msiexec.exe
Token: SeSecurityPrivilege	2080	msiexec.exe
Token: SeCreateTokenPrivilege	1048	Setup.Exe
Token: SeAssignPrimaryTokenPrivilege	1048	Setup.Exe
Token: SeLockMemoryPrivilege	1048	Setup.Exe
Token: SeIncreaseQuotaPrivilege	1048	Setup.Exe
Token: SeMachineAccountPrivilege	1048	Setup.Exe
Token: SeTcbPrivilege	1048	Setup.Exe
Token: SeSecurityPrivilege	1048	Setup.Exe
Token: SeTakeOwnershipPrivilege	1048	Setup.Exe
Token: SeLoadDriverPrivilege	1048	Setup.Exe
Token: SeSystemProfilePrivilege	1048	Setup.Exe
Token: SeSystemtimePrivilege	1048	Setup.Exe
Token: SeProfSingleProcessPrivilege	1048	Setup.Exe
Token: SeIncBasePriorityPrivilege	1048	Setup.Exe
Token: SeCreatePagefilePrivilege	1048	Setup.Exe
Token: SeCreatePermanentPrivilege	1048	Setup.Exe
Token: SeBackupPrivilege	1048	Setup.Exe
Token: SeRestorePrivilege	1048	Setup.Exe
Token: SeShutdownPrivilege	1048	Setup.Exe
Token: SeDebugPrivilege	1048	Setup.Exe
Token: SeAuditPrivilege	1048	Setup.Exe
Token: SeSystemEnvironmentPrivilege	1048	Setup.Exe
Token: SeChangeNotifyPrivilege	1048	Setup.Exe
Token: SeRemoteShutdownPrivilege	1048	Setup.Exe
Token: SeUndockPrivilege	1048	Setup.Exe
Token: SeSyncAgentPrivilege	1048	Setup.Exe
Token: SeEnableDelegationPrivilege	1048	Setup.Exe
Token: SeManageVolumePrivilege	1048	Setup.Exe
Token: SeImpersonatePrivilege	1048	Setup.Exe
Token: SeCreateGlobalPrivilege	1048	Setup.Exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1048	Setup.Exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 1048	2916	ad3d39bc31160d8078d263efd22d03e16642c9a5158fdcc201917f642edadbeb.exe	20
PID 2916 wrote to memory of 1048	2916	ad3d39bc31160d8078d263efd22d03e16642c9a5158fdcc201917f642edadbeb.exe	20
PID 2916 wrote to memory of 1048	2916	ad3d39bc31160d8078d263efd22d03e16642c9a5158fdcc201917f642edadbeb.exe	20
PID 2916 wrote to memory of 1048	2916	ad3d39bc31160d8078d263efd22d03e16642c9a5158fdcc201917f642edadbeb.exe	20
PID 2916 wrote to memory of 1048	2916	ad3d39bc31160d8078d263efd22d03e16642c9a5158fdcc201917f642edadbeb.exe	20
PID 2916 wrote to memory of 1048	2916	ad3d39bc31160d8078d263efd22d03e16642c9a5158fdcc201917f642edadbeb.exe	20
PID 2916 wrote to memory of 1048	2916	ad3d39bc31160d8078d263efd22d03e16642c9a5158fdcc201917f642edadbeb.exe	20

C:\Users\Admin\AppData\Local\Temp\ad3d39bc31160d8078d263efd22d03e16642c9a5158fdcc201917f642edadbeb.exe
"C:\Users\Admin\AppData\Local\Temp\ad3d39bc31160d8078d263efd22d03e16642c9a5158fdcc201917f642edadbeb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.Exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.Exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1048

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.Exe

Filesize
45KB

MD5
728352de48f591f7bfc5d360e1df120f

SHA1
9658545e35af386cbb112393ae628f4fe53bfaa0

SHA256
bc91fd4f5621815c2d467f2e7a107dc806a314ba3208199bc7ff4375b6ea83d3

SHA512
12c4a59430263b3c0fe6e702e7b094b58a0816994d7865220cf3c9fb195b827063e4b349ec26c613a8c82c887414f8fedc1e5393d392e13d858e0a374ab2af10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WMITools.msi

Filesize
50KB

MD5
e648372984a26af8e97ecc6f52cdd2ab

SHA1
541cc3a82ec98d773413e5d23720c9e6bf2ebf73

SHA256
2e503b4803016ec3d8a8985e0a1ca67ff740fc6b515fa8e8ebd7b32533bd64d9

SHA512
269c8b4874d8ef275a0dbb957006c106e88236a4dab4ecb68aa6bd29c5bd10eecab605016d740276f1a6fcac6e03af06439dcd28505934b5be58c36058e28665

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.Exe

Filesize
17KB

MD5
a97d4371e3a79287ccda303bdb466f14

SHA1
5f056d3ec2bc4166140a4b5e568152bde56852df

SHA256
01950749c9f3f9578161c00df9a78d7a090f0d02a94e1b15527523f6a4004d94

SHA512
97b974915120b92ac32721c1e7f1c5dc84d578bd65d909caf27b1bac109930cf38324068c16409d457b08ab5984b5c4c5366baee4dab02d0d1e2da28a7d6a694

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.Exe

Filesize
28KB

MD5
f5c06db4dfa36070d96875da4242eb8a

SHA1
33e310ed524afabbdc262a99491efa7156ddc5fd

SHA256
53e3532fcedd6dc4a492f5413314223312d44dc1dc772f056b56b0364e21351f

SHA512
9320b7b70f0ce5ca37cfd3d4b55a09a2464a1130345236125de44de7ac69b009f03d7513882c45fdfb9117b9f9560de45558762f6f2d2b64eb48578b5f989326

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.Exe

Filesize
56KB

MD5
f33dc5f5a4eb964773539afe63579633

SHA1
7c8f4fa1b9f9815e0f088edfc046705290649b96

SHA256
81e42b706218adcbcc00050aca5416fe2de70c994305c69200c956534b3981a5

SHA512
91e8cf2680818f8ba79754682563f808aea63aa614041eebf5b22d0716054cf336389a803d30f649dae0e2e350e13521d592cfc97c4ae62886602037bd2d20df

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads