69cb80484319fb408716849d35e48ec3fb246a2a52645d3c49e3297759c14ea7

General

Target

c137c4a4c113ab23bf610a2ad4d2f5cc738948602638ccb7313b1bf331fff741.exe
Size

11.7MB
MD5

855fea526f0bb5ef1f043a3e63d70b8f
SHA1

f62b22214d1cdcd97c9284ef8aaba203707aa976
SHA256

c137c4a4c113ab23bf610a2ad4d2f5cc738948602638ccb7313b1bf331fff741
SHA512

9806af6623eda6df15afa8b616240075c6400e46c44d681a97b0aacbc1a852179166003d6fcf39bc0fdda2ff140eabb11f94839db518ade008b61a41ef6d07e6
SSDEEP

196608:EAPGOkvo7CA8wikC4DddU1KTsUQEZ4O/6rJpqjUEBzrWdFwE0QbmO:EAEvoOA8xIddU0TsXESO/6rJKUmMFRxf

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2704	SETUP.EXE

Loads dropped DLL 6 IoCs

pid	Process
2184	c137c4a4c113ab23bf610a2ad4d2f5cc738948602638ccb7313b1bf331fff741.exe
2704	SETUP.EXE
2704	SETUP.EXE
2704	SETUP.EXE
2704	SETUP.EXE
2704	SETUP.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c137c4a4c113ab23bf610a2ad4d2f5cc738948602638ccb7313b1bf331fff741.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeBackupPrivilege	2640	OSE.EXE
Token: SeRestorePrivilege	2640	OSE.EXE
Token: SeBackupPrivilege	2640	OSE.EXE
Token: SeRestorePrivilege	2640	OSE.EXE
Token: SeBackupPrivilege	2640	OSE.EXE
Token: SeRestorePrivilege	2640	OSE.EXE
Token: SeBackupPrivilege	2640	OSE.EXE
Token: SeRestorePrivilege	2640	OSE.EXE
Token: SeShutdownPrivilege	1900	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1900	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1900	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2704	2184	c137c4a4c113ab23bf610a2ad4d2f5cc738948602638ccb7313b1bf331fff741.exe	20
PID 2184 wrote to memory of 2704	2184	c137c4a4c113ab23bf610a2ad4d2f5cc738948602638ccb7313b1bf331fff741.exe	20
PID 2184 wrote to memory of 2704	2184	c137c4a4c113ab23bf610a2ad4d2f5cc738948602638ccb7313b1bf331fff741.exe	20
PID 2184 wrote to memory of 2704	2184	c137c4a4c113ab23bf610a2ad4d2f5cc738948602638ccb7313b1bf331fff741.exe	20
PID 2184 wrote to memory of 2704	2184	c137c4a4c113ab23bf610a2ad4d2f5cc738948602638ccb7313b1bf331fff741.exe	20
PID 2184 wrote to memory of 2704	2184	c137c4a4c113ab23bf610a2ad4d2f5cc738948602638ccb7313b1bf331fff741.exe	20
PID 2184 wrote to memory of 2704	2184	c137c4a4c113ab23bf610a2ad4d2f5cc738948602638ccb7313b1bf331fff741.exe	20
PID 2704 wrote to memory of 1900	2704	SETUP.EXE	31
PID 2704 wrote to memory of 1900	2704	SETUP.EXE	31
PID 2704 wrote to memory of 1900	2704	SETUP.EXE	31
PID 2704 wrote to memory of 1900	2704	SETUP.EXE	31
PID 2704 wrote to memory of 1900	2704	SETUP.EXE	31
PID 2704 wrote to memory of 1900	2704	SETUP.EXE	31
PID 2704 wrote to memory of 1900	2704	SETUP.EXE	31

C:\Users\Admin\AppData\Local\Temp\c137c4a4c113ab23bf610a2ad4d2f5cc738948602638ccb7313b1bf331fff741.exe
"C:\Users\Admin\AppData\Local\Temp\c137c4a4c113ab23bf610a2ad4d2f5cc738948602638ccb7313b1bf331fff741.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP.EXE /iexpress CDCACHE=2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\system32\msiexec.exe" /I "C:\MSOCache\All Users\90850409-6000-11D3-8CFE-0150048383C9\WORDVIEW.MSI" CDCACHE=2 LAUNCHEDFROMSETUP=1 SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ SETUPEXENAME=SETUP.EXE /lpiwaeo "C:\Users\Admin\AppData\Local\Temp\Microsoft Office Word Viewer 2003 Setup(0001)_Task(0001).txt" STANDALONEOSE="C:\MSOCache\All Users\90850409-6000-11D3-8CFE-0150048383C9\FILES\SETUP\OSE.EXE" CDCACHE="2" DELETABLECACHE="1" LOCALCACHEDRIVE="C" DWSETUPLOGFILE="C:\Users\Admin\AppData\Local\Temp\Microsoft Office Word Viewer 2003 Setup(0001).txt" DWMSILOGFILE="C:\Users\Admin\AppData\Local\Temp\Microsoft Office Word Viewer 2003 Setup(0001)_Task(0001).txt"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1900

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2016
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C7E151DCD99618DCAD575E344DA02EC0 C
  2⤵
  PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP.EXE

Filesize
92KB

MD5
dbb1fa124a65b85bb3366f34f388dbbf

SHA1
07848b9ba9ec45bb2a00d98007b45bb787f0b77e

SHA256
3a265117fd73cfaaaaf423e3a78ec65fbca3bebe3541b6c42b60d3c314fab6a2

SHA512
da714de40fb7cda823a16e5012b2ca0b70db98b98cf1ca79b795838d1ed42bfd6d17f680e44b8da07eafd29ebef7742b6c6529cda03a0a67a6b27ad63aef137f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP.EXE

Filesize
381KB

MD5
15a89f4f7ccb7eb03c2e9ebb596442db

SHA1
d5d6aeb19c92cbf31e1e418099bef50fab52fcb3

SHA256
e6252edfe45689d4f767608eeea7ad17aae5ef7c5c08e557dba63e23cc4f7a99

SHA512
a7792e726859735e2e811ae4667b87431ccfe8db6e3dc6826802f4dc8959ff395f82d65611f32b57d741a4d4bad3979a15ee090135315de7c74bc0baa4d3b2db

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads