c6e7a63f83daf2241b8135d5d1042132a5e1d683064ae8a68560b604dda67fd9

General

Target

39193bddc2bf9f274d8bf6ab729c1bc4.exe
Size

97KB
MD5

39193bddc2bf9f274d8bf6ab729c1bc4
SHA1

63640abc53bce353f9a330debb087ae440cb03b7
SHA256

c6e7a63f83daf2241b8135d5d1042132a5e1d683064ae8a68560b604dda67fd9
SHA512

84058553f8423e64adc313b156bbbc0c039136234cf4308cf7fad9d4018401b3ffdceead26dfce3fad83804b96a89b40544a32239a44dbfc0a273dfa6d25aa55
SSDEEP

3072:Gnj9jtfU+INndIc0JcO5puaBPEacXrS0C:Gjbei8DaFErrO

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

HIDDEN~1.EXEHIDDEN~1.EXEfxsteller.exefxsteller.exe

pid process

1160 HIDDEN~1.EXE
2716 HIDDEN~1.EXE
2400 fxsteller.exe
2928 fxsteller.exe
Loads dropped DLL 5 IoCs

Processes:

39193bddc2bf9f274d8bf6ab729c1bc4.exeHIDDEN~1.EXEHIDDEN~1.EXE

pid process

1740 39193bddc2bf9f274d8bf6ab729c1bc4.exe
1740 39193bddc2bf9f274d8bf6ab729c1bc4.exe
1160 HIDDEN~1.EXE
1160 HIDDEN~1.EXE
2716 HIDDEN~1.EXE

pid	process
1160	HIDDEN~1.EXE
2716	HIDDEN~1.EXE
2400	fxsteller.exe
2928	fxsteller.exe

pid	process
1740	39193bddc2bf9f274d8bf6ab729c1bc4.exe
1740	39193bddc2bf9f274d8bf6ab729c1bc4.exe
1160	HIDDEN~1.EXE
1160	HIDDEN~1.EXE
2716	HIDDEN~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

39193bddc2bf9f274d8bf6ab729c1bc4.exeHIDDEN~1.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	39193bddc2bf9f274d8bf6ab729c1bc4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows UDP Control Center = "fxsteller.exe"	HIDDEN~1.EXE

Suspicious use of SetThreadContext 2 IoCs

Processes:

HIDDEN~1.EXEfxsteller.exe

description	pid	process	target process
PID 1160 set thread context of 2716	1160	HIDDEN~1.EXE	HIDDEN~1.EXE
PID 2400 set thread context of 2928	2400	fxsteller.exe	fxsteller.exe

Drops file in Windows directory 2 IoCs

Processes:

HIDDEN~1.EXE

description ioc process

File opened for modification C:\Windows\fxsteller.exe HIDDEN~1.EXE
File created C:\Windows\fxsteller.exe HIDDEN~1.EXE

description	ioc	process
File opened for modification	C:\Windows\fxsteller.exe	HIDDEN~1.EXE
File created	C:\Windows\fxsteller.exe	HIDDEN~1.EXE

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

39193bddc2bf9f274d8bf6ab729c1bc4.exeHIDDEN~1.EXEHIDDEN~1.EXEfxsteller.exe

description	pid	process	target process
PID 1740 wrote to memory of 1160	1740	39193bddc2bf9f274d8bf6ab729c1bc4.exe	HIDDEN~1.EXE
PID 1740 wrote to memory of 1160	1740	39193bddc2bf9f274d8bf6ab729c1bc4.exe	HIDDEN~1.EXE
PID 1740 wrote to memory of 1160	1740	39193bddc2bf9f274d8bf6ab729c1bc4.exe	HIDDEN~1.EXE
PID 1740 wrote to memory of 1160	1740	39193bddc2bf9f274d8bf6ab729c1bc4.exe	HIDDEN~1.EXE
PID 1740 wrote to memory of 1160	1740	39193bddc2bf9f274d8bf6ab729c1bc4.exe	HIDDEN~1.EXE
PID 1740 wrote to memory of 1160	1740	39193bddc2bf9f274d8bf6ab729c1bc4.exe	HIDDEN~1.EXE
PID 1740 wrote to memory of 1160	1740	39193bddc2bf9f274d8bf6ab729c1bc4.exe	HIDDEN~1.EXE
PID 1160 wrote to memory of 2716	1160	HIDDEN~1.EXE	HIDDEN~1.EXE
PID 1160 wrote to memory of 2716	1160	HIDDEN~1.EXE	HIDDEN~1.EXE
PID 1160 wrote to memory of 2716	1160	HIDDEN~1.EXE	HIDDEN~1.EXE
PID 1160 wrote to memory of 2716	1160	HIDDEN~1.EXE	HIDDEN~1.EXE
PID 1160 wrote to memory of 2716	1160	HIDDEN~1.EXE	HIDDEN~1.EXE
PID 1160 wrote to memory of 2716	1160	HIDDEN~1.EXE	HIDDEN~1.EXE
PID 1160 wrote to memory of 2716	1160	HIDDEN~1.EXE	HIDDEN~1.EXE
PID 1160 wrote to memory of 2716	1160	HIDDEN~1.EXE	HIDDEN~1.EXE
PID 1160 wrote to memory of 2716	1160	HIDDEN~1.EXE	HIDDEN~1.EXE
PID 1160 wrote to memory of 2716	1160	HIDDEN~1.EXE	HIDDEN~1.EXE
PID 1160 wrote to memory of 2716	1160	HIDDEN~1.EXE	HIDDEN~1.EXE
PID 2716 wrote to memory of 2400	2716	HIDDEN~1.EXE	fxsteller.exe
PID 2716 wrote to memory of 2400	2716	HIDDEN~1.EXE	fxsteller.exe
PID 2716 wrote to memory of 2400	2716	HIDDEN~1.EXE	fxsteller.exe
PID 2716 wrote to memory of 2400	2716	HIDDEN~1.EXE	fxsteller.exe
PID 2716 wrote to memory of 2400	2716	HIDDEN~1.EXE	fxsteller.exe
PID 2716 wrote to memory of 2400	2716	HIDDEN~1.EXE	fxsteller.exe
PID 2716 wrote to memory of 2400	2716	HIDDEN~1.EXE	fxsteller.exe
PID 2400 wrote to memory of 2928	2400	fxsteller.exe	fxsteller.exe
PID 2400 wrote to memory of 2928	2400	fxsteller.exe	fxsteller.exe
PID 2400 wrote to memory of 2928	2400	fxsteller.exe	fxsteller.exe
PID 2400 wrote to memory of 2928	2400	fxsteller.exe	fxsteller.exe
PID 2400 wrote to memory of 2928	2400	fxsteller.exe	fxsteller.exe
PID 2400 wrote to memory of 2928	2400	fxsteller.exe	fxsteller.exe
PID 2400 wrote to memory of 2928	2400	fxsteller.exe	fxsteller.exe
PID 2400 wrote to memory of 2928	2400	fxsteller.exe	fxsteller.exe

C:\Users\Admin\AppData\Local\Temp\39193bddc2bf9f274d8bf6ab729c1bc4.exe
"C:\Users\Admin\AppData\Local\Temp\39193bddc2bf9f274d8bf6ab729c1bc4.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HIDDEN~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HIDDEN~1.EXE
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HIDDEN~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HIDDEN~1.EXE
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\fxsteller.exe
"C:\Windows\fxsteller.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\fxsteller.exe
C:\Windows\fxsteller.exe
5⤵
- Executes dropped EXE
PID:2928

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\HIDDEN~1.EXE
Filesize
38KB

MD5
162a6f3ee6c8233d19b02a2ac5ab1f44

SHA1
34679c833e7c23231ea885832e4cf3c6c28e3f65

SHA256
7df30f03716d5a95a62ce173ab982afa2776c44c4781980e978b1cccd22640f7

SHA512
a23c51a193954e01931f137ed4e2450d99ab4242f13a9cdc0b056b7558e09578cbdae70f71cdef765f43d0ab511d56ffd100580053713515e3e9406ddcf01637

Download Submit
memory/2716-46-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2716-12-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2716-16-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2716-17-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2716-14-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2716-18-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2716-24-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2716-25-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2716-21-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2928-48-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2928-53-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2928-45-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2928-49-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2928-50-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2928-51-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2928-52-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2928-44-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2928-54-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2928-55-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2928-56-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2928-57-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2928-58-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2928-59-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2928-60-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2928-61-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads