2120c3a76f104d7962085d38480bf27d2664d30d1b560b9fc6bcd7b3f46c9aec

General

Target

3dcb1fd38aa6652f0d1e89be4cb1fc8c.exe
Size

374KB
MD5

3dcb1fd38aa6652f0d1e89be4cb1fc8c
SHA1

ac968738b2b2ffd5547e24bab19da5406876825f
SHA256

2120c3a76f104d7962085d38480bf27d2664d30d1b560b9fc6bcd7b3f46c9aec
SHA512

893057b3a3505bf75ed3735d37933d35812af44190a3dd0064c62d9d091c0a1f4d4bf336086577161658631a1b23982080857487abef2c09f9cd9c3f2ed86d9b
SSDEEP

6144:XLPA/STp6gTF2idZecnl20lHRxp3gslk9ihl0/srEQpPK+e1FtEuxF+U2/kW:X99lRF3Z4mxx/oEtlK+kt9T2MW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2792	PPKart.exe

Loads dropped DLL 2 IoCs

pid	Process
2792	PPKart.exe
2792	PPKart.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3dcb1fd38aa6652f0d1e89be4cb1fc8c.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\atmPP2.dll	PPKart.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2792	PPKart.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 2792	3392	3dcb1fd38aa6652f0d1e89be4cb1fc8c.exe	18
PID 3392 wrote to memory of 2792	3392	3dcb1fd38aa6652f0d1e89be4cb1fc8c.exe	18
PID 3392 wrote to memory of 2792	3392	3dcb1fd38aa6652f0d1e89be4cb1fc8c.exe	18

C:\Users\Admin\AppData\Local\Temp\3dcb1fd38aa6652f0d1e89be4cb1fc8c.exe
"C:\Users\Admin\AppData\Local\Temp\3dcb1fd38aa6652f0d1e89be4cb1fc8c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PPKart.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PPKart.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\MSInfo\atmPP2.dll

Filesize
11KB

MD5
b765ba15515ada7d259bc8b604a3f6bd

SHA1
92ede9f1372596d770da5b4bd616cf9cfe0f0d73

SHA256
7752ef4948e52cd9fed91291f1fa36a6407b3660f2a358930b18ff86f756c844

SHA512
bd6cb298e52b40ffab512531bd4e9e25c7ca11308027b5b66bcdda3a0bf90ea9fa7d517dadfc7f1219d2c00228943f68c4a1ab614e96788239194dd80981376e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PPKart.exe

Filesize
25KB

MD5
c8a0627642b5f836cacb13c29784a9fd

SHA1
d9dda3645c34977a988d8158239b18f46547bc8a

SHA256
55fe2435cc454a00f2d029b1a1be0694b1933ebeb1f4d6f84747a98a1a352cdc

SHA512
e033bc7d9477d2bb11434f6d1c060ae6f6d8adc5971834e41c645840bbc15a793939b7c646386b3806cea17e93f97a18ac7182e24ac27b478b94febeed954b00

Download Submit
memory/2792-30-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2792-43-0x0000000000560000-0x0000000000577000-memory.dmp

Filesize
92KB

Download
memory/2792-42-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2792-37-0x0000000000560000-0x0000000000577000-memory.dmp

Filesize
92KB

Download
memory/2792-38-0x0000000000560000-0x0000000000577000-memory.dmp

Filesize
92KB

Download
memory/2792-31-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/3392-15-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3392-11-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/3392-21-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/3392-20-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3392-19-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/3392-18-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/3392-17-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/3392-16-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/3392-1-0x0000000000680000-0x00000000006D4000-memory.dmp

Filesize
336KB

Download
memory/3392-14-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/3392-13-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/3392-12-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/3392-10-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/3392-22-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/3392-9-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/3392-8-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/3392-7-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/3392-6-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/3392-5-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/3392-4-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/3392-3-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/3392-0-0x0000000001000000-0x000000000107A000-memory.dmp

Filesize
488KB

Download
memory/3392-39-0x0000000001000000-0x000000000107A000-memory.dmp

Filesize
488KB

Download
memory/3392-40-0x0000000000680000-0x00000000006D4000-memory.dmp

Filesize
336KB

Download
memory/3392-23-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/3392-2-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads