7ba2f0f53f2fec23eccd1cf548aeaed93b709bfab766b83d2ae137f7dac2edf0

General

Target

23e0f45312519385d307ff6785489451.exe
Size

638KB
MD5

23e0f45312519385d307ff6785489451
SHA1

4696e34f3cb21f12c2bf740da3ae6975ae5aca80
SHA256

7ba2f0f53f2fec23eccd1cf548aeaed93b709bfab766b83d2ae137f7dac2edf0
SHA512

eb6222b92b6ec9921cbf647a1eb7e6db0ff21dc4838c5a584853899658271a1be302608594df8f277756deca5302461796372436122d1bc256bbf484bfcbd7c1
SSDEEP

12288:Zog8ndTmdCr1nlScCy2SdYuZ18gTul1c2obY79YInp0CVQw:Ends21nscCNGR5kocZZiw

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2720	3.exe
2876	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2480	23e0f45312519385d307ff6785489451.exe
2480	23e0f45312519385d307ff6785489451.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	23e0f45312519385d307ff6785489451.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	3.exe
File opened for modification	C:\Windows\svchost.exe	3.exe
File created	C:\Windows\uninstal.bat	3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	3.exe
Token: SeDebugPrivilege	2876	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2876	svchost.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2720	2480	23e0f45312519385d307ff6785489451.exe	20
PID 2480 wrote to memory of 2720	2480	23e0f45312519385d307ff6785489451.exe	20
PID 2480 wrote to memory of 2720	2480	23e0f45312519385d307ff6785489451.exe	20
PID 2480 wrote to memory of 2720	2480	23e0f45312519385d307ff6785489451.exe	20
PID 2876 wrote to memory of 2076	2876	svchost.exe	29
PID 2876 wrote to memory of 2076	2876	svchost.exe	29
PID 2876 wrote to memory of 2076	2876	svchost.exe	29
PID 2876 wrote to memory of 2076	2876	svchost.exe	29
PID 2720 wrote to memory of 2088	2720	3.exe	31
PID 2720 wrote to memory of 2088	2720	3.exe	31
PID 2720 wrote to memory of 2088	2720	3.exe	31
PID 2720 wrote to memory of 2088	2720	3.exe	31
PID 2720 wrote to memory of 2088	2720	3.exe	31
PID 2720 wrote to memory of 2088	2720	3.exe	31
PID 2720 wrote to memory of 2088	2720	3.exe	31

C:\Users\Admin\AppData\Local\Temp\23e0f45312519385d307ff6785489451.exe
"C:\Users\Admin\AppData\Local\Temp\23e0f45312519385d307ff6785489451.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    PID:2088

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
1⤵
PID:2076

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe

Filesize
68KB

MD5
65709d45a9ebf95e508c6322457c6efd

SHA1
7b020ed4ac71897195843cd22bf316be41b1b6d6

SHA256
05a56e5bc3e44619bf16208281f25ba9fe033a33897bc5b96e1b502f2f471229

SHA512
6006f223f30d201530f6f147456dd846b55ea156b2a24a35ea6b84dad2313a4a8544c335a5c91bd1b7194de8b4b3991f5a99d0b221e7d2a3bd82281655788a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe

Filesize
42KB

MD5
10a023f929e95e6fc7ad054ea7317a95

SHA1
dead1c2e99f6d8f9aabff4dc8d014104c350655c

SHA256
61f6acb7ad2739ed3c275b160373a020bb090e2e30e14d2816abd5333423adac

SHA512
70ac0d769eb8e0bf9655f16e03efb9c9635fbd8e81c58a98a556ba845654e6028fe224c2748a0d130c2246995c6ca195b9b348c9a726055b62638beb53e02b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe

Filesize
230KB

MD5
563563a8714b0a410659d84ab8e246d8

SHA1
412b0cf5f2714a2682c17e8872db937aa9e0d068

SHA256
54fe8a8d84f9aa2a5375bcaa254ebc1ce2888ff515c75732228c49afac83e620

SHA512
666ea2eafde0a75d3a512c63b45b347ce513d752ce2922dd82e1f3f286f3535f6a7ac7bc5eff31bcda3ed2065d556624cef2d98d21e18f868e7814a5990f4e66

Download Submit
C:\Windows\svchost.exe

Filesize
183KB

MD5
d6181da04af93bcbdbc9d3bbfa73f15b

SHA1
059e6ec2ac8f9b531d639b3bb6882c0cbce72a1a

SHA256
e66b01b23a1cd36f6e9fb91e40eba153f58f1ee2ba2c9615f877888fdf4a60bc

SHA512
7b01d9e264218de0b004ba4c4eed723522b9cebee497cba3af8b84546ac3239c03714b54e0ba4a4a4f85826f973a21079e261beae4db2ebd6c7a1cde337b9e7c

Download Submit
C:\Windows\svchost.exe

Filesize
313KB

MD5
a8c653795284ccaf362c5928aa12f204

SHA1
752094381e053d550e5abe266d8b4e6a1e858f53

SHA256
67d9e7ea102026d8b4fd3f3aba08a153604ab3408a8c534064e7f4ba0b5d52bb

SHA512
878ba2dcddc7a61a882616614701b8c01c9269cb6481629dfcc4a58afb224abf804462a88dbd3db484d0001db9d980c9c8a9811e0f260ceb4090a074955a7759

Download Submit
C:\Windows\uninstal.bat

Filesize
150B

MD5
67e4ea2c3e65d3236c8266b9c116f67f

SHA1
7e87f925ccd68b2b7c9af9f92e118db1990234f9

SHA256
2dff6c390d03870cec06d16fe0191475fb87ad2330b78d03c15e7ff0bed8f00c

SHA512
1a3cf0443e932b9b57f32531b3d61c917b9eec19a4ba73336011041e16a0022c5e62b2c768b34a0bdc08ffd75bbaa0338719577001496c9de8a5638420b0a229

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe

Filesize
59KB

MD5
0177723fe5002c090425eb44b2d5d354

SHA1
f1b76c651a26623f42366535c8ae771a709c2b01

SHA256
ef2eb4ddcee2160526efac9f6387c66a140de0609eb23d4958128ee6befe03e9

SHA512
8ed46e31a4d89509b9257c5b353a242088cbbd1a73ea6370c9072bb3d3d9c54c27a6fb9f620b49ae1a1612b7cae5222c97fba2e85cfd1174fcff91ab045ee2db

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe

Filesize
51KB

MD5
d3fe84dd260fab2f3324313e30597714

SHA1
5b33cfc81adadd5948386d2d49f9788432d271c7

SHA256
91e7a71b68a6bf401d0c0798f811430bf721e723603f9501f37337d8e990fb99

SHA512
2767bf0795edf0cae9ed816f7b909692d3ca98d70470e174982f51b351287965eaa81a9d692d87cffa13a98e553d581b4717535aeba21596d0d8dbd592f8da11

Download Submit
memory/2480-4-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2480-5-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2480-14-0x0000000002A00000-0x0000000002ACF000-memory.dmp

Filesize
828KB

Download
memory/2480-3-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2480-20-0x0000000002A00000-0x0000000002ACF000-memory.dmp

Filesize
828KB

Download
memory/2480-1-0x00000000001B0000-0x0000000000200000-memory.dmp

Filesize
320KB

Download
memory/2480-2-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/2480-38-0x0000000001000000-0x0000000001105000-memory.dmp

Filesize
1.0MB

Download
memory/2480-6-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2480-0-0x0000000001000000-0x0000000001105000-memory.dmp

Filesize
1.0MB

Download
memory/2480-7-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/2480-8-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2480-39-0x00000000001B0000-0x0000000000200000-memory.dmp

Filesize
320KB

Download
memory/2480-9-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2720-21-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/2720-37-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/2720-22-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2876-35-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2876-27-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/2876-41-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/2876-42-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/2876-43-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2876-47-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads