2120c3a76f104d7962085d38480bf27d2664d30d1b560b9fc6bcd7b3f46c9aec

General

Target

3dcb1fd38aa6652f0d1e89be4cb1fc8c.exe
Size

374KB
MD5

3dcb1fd38aa6652f0d1e89be4cb1fc8c
SHA1

ac968738b2b2ffd5547e24bab19da5406876825f
SHA256

2120c3a76f104d7962085d38480bf27d2664d30d1b560b9fc6bcd7b3f46c9aec
SHA512

893057b3a3505bf75ed3735d37933d35812af44190a3dd0064c62d9d091c0a1f4d4bf336086577161658631a1b23982080857487abef2c09f9cd9c3f2ed86d9b
SSDEEP

6144:XLPA/STp6gTF2idZecnl20lHRxp3gslk9ihl0/srEQpPK+e1FtEuxF+U2/kW:X99lRF3Z4mxx/oEtlK+kt9T2MW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2808	PPKart.exe

Loads dropped DLL 3 IoCs

pid	Process
1948	3dcb1fd38aa6652f0d1e89be4cb1fc8c.exe
1948	3dcb1fd38aa6652f0d1e89be4cb1fc8c.exe
2808	PPKart.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3dcb1fd38aa6652f0d1e89be4cb1fc8c.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\atmPP2.dll	PPKart.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2808	PPKart.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2808	1948	3dcb1fd38aa6652f0d1e89be4cb1fc8c.exe	14
PID 1948 wrote to memory of 2808	1948	3dcb1fd38aa6652f0d1e89be4cb1fc8c.exe	14
PID 1948 wrote to memory of 2808	1948	3dcb1fd38aa6652f0d1e89be4cb1fc8c.exe	14
PID 1948 wrote to memory of 2808	1948	3dcb1fd38aa6652f0d1e89be4cb1fc8c.exe	14

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PPKart.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PPKart.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2808

C:\Users\Admin\AppData\Local\Temp\3dcb1fd38aa6652f0d1e89be4cb1fc8c.exe
"C:\Users\Admin\AppData\Local\Temp\3dcb1fd38aa6652f0d1e89be4cb1fc8c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\Common Files\Microsoft Shared\MSInfo\atmPP2.dll

Filesize
1KB

MD5
3d0c08052e53ef27c710a3b196504547

SHA1
f96351674f4d647bf49701fb502282e59877b805

SHA256
cb7fcd049c044f49f98e9e29d7ee5bb277514079f77d2d661fda23fabfce4d56

SHA512
063ae761acb0fd8741439d06a62a7bad32a04e58099b55fabbfc1c9de5e8254f846023e21928a8847097c680a37ce0c593136030b44bc76c2c372c41bc27f77e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\PPKart.exe

Filesize
14KB

MD5
f1979ddd2fb35b8a2612506b14f5122f

SHA1
33faece827f2ccf49dab4309c91fec0b50d9dc02

SHA256
24f59dd80b913a9b83c99cb4578c7935037b8c3f4c036abd6f876691630c10a3

SHA512
85590a01934db1f334cdc0d4707bf2e6c7e1b805f1de74a8513407b7bd23e334186dc5ba487bd4792b1ac50645421e0a965c0a9657b05b0768ff15bba047434e

Download Submit
memory/1948-16-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1948-14-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/1948-38-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1948-44-0x00000000001C0000-0x0000000000214000-memory.dmp

Filesize
336KB

Download
memory/1948-41-0x00000000030D0000-0x00000000030E8000-memory.dmp

Filesize
96KB

Download
memory/1948-33-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/1948-32-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/1948-31-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/1948-30-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/1948-24-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/1948-43-0x0000000001000000-0x000000000107A000-memory.dmp

Filesize
488KB

Download
memory/1948-20-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/1948-19-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/1948-18-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1948-17-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/1948-21-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/1948-0-0x0000000001000000-0x000000000107A000-memory.dmp

Filesize
488KB

Download
memory/1948-13-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1948-15-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/1948-12-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1948-11-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1948-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1948-7-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1948-6-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1948-5-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1948-4-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1948-3-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1948-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1948-1-0x00000000001C0000-0x0000000000214000-memory.dmp

Filesize
336KB

Download
memory/2808-39-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2808-42-0x0000000000220000-0x0000000000237000-memory.dmp

Filesize
92KB

Download
memory/2808-40-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2808-46-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads