6f968602f98f3ba702beb27c117e7ea2824517006d01234d8b216055e1f29273

General

Target

124d756a655a6c4338f61ec8f43551dce23078e04d51ca4c03ca34f5df66af27.exe
Size

2.5MB
MD5

e4a94d95c0af5a7082f90904e577ab04
SHA1

b2c6961b3f7e3c5fe0fe86743a3360633ab2c200
SHA256

124d756a655a6c4338f61ec8f43551dce23078e04d51ca4c03ca34f5df66af27
SHA512

3158b5f2e80e2bf1312e88cf43e1754068f0a28f620cbf09e1945e820796aadc39bf0dca04ea7d150aa167aa1bd08945980d6cc5602ac6593e9fd08ec6b9c44d
SSDEEP

49152:hAcs6KxDps2x208AjgcbniYA5Ml2CgUBe+82POGAPmtnDguqFfzBk:OdtstrAjgcbiYx2rAZWJ4Uuq9+

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

oI7UZ69.exeNP7ET53.exe2KA3418.exe

pid process

1312 oI7UZ69.exe
1068 NP7ET53.exe
852 2KA3418.exe

pid	process
1312	oI7UZ69.exe
1068	NP7ET53.exe
852	2KA3418.exe

Loads dropped DLL 6 IoCs

Processes:

124d756a655a6c4338f61ec8f43551dce23078e04d51ca4c03ca34f5df66af27.exeoI7UZ69.exeNP7ET53.exe2KA3418.exe

pid	process
1420	124d756a655a6c4338f61ec8f43551dce23078e04d51ca4c03ca34f5df66af27.exe
1312	oI7UZ69.exe
1312	oI7UZ69.exe
1068	NP7ET53.exe
1068	NP7ET53.exe
852	2KA3418.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

124d756a655a6c4338f61ec8f43551dce23078e04d51ca4c03ca34f5df66af27.exeoI7UZ69.exeNP7ET53.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	124d756a655a6c4338f61ec8f43551dce23078e04d51ca4c03ca34f5df66af27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	oI7UZ69.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	NP7ET53.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2120 schtasks.exe
784 schtasks.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

2KA3418.exe

pid process

852 2KA3418.exe
852 2KA3418.exe
852 2KA3418.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

2KA3418.exe

pid process

852 2KA3418.exe
852 2KA3418.exe
852 2KA3418.exe

pid	process
2120	schtasks.exe
784	schtasks.exe

pid	process
852	2KA3418.exe
852	2KA3418.exe
852	2KA3418.exe

pid	process
852	2KA3418.exe
852	2KA3418.exe
852	2KA3418.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

124d756a655a6c4338f61ec8f43551dce23078e04d51ca4c03ca34f5df66af27.exeoI7UZ69.exeNP7ET53.exe2KA3418.exe

description	pid	process	target process
PID 1420 wrote to memory of 1312	1420	124d756a655a6c4338f61ec8f43551dce23078e04d51ca4c03ca34f5df66af27.exe	oI7UZ69.exe
PID 1420 wrote to memory of 1312	1420	124d756a655a6c4338f61ec8f43551dce23078e04d51ca4c03ca34f5df66af27.exe	oI7UZ69.exe
PID 1420 wrote to memory of 1312	1420	124d756a655a6c4338f61ec8f43551dce23078e04d51ca4c03ca34f5df66af27.exe	oI7UZ69.exe
PID 1420 wrote to memory of 1312	1420	124d756a655a6c4338f61ec8f43551dce23078e04d51ca4c03ca34f5df66af27.exe	oI7UZ69.exe
PID 1420 wrote to memory of 1312	1420	124d756a655a6c4338f61ec8f43551dce23078e04d51ca4c03ca34f5df66af27.exe	oI7UZ69.exe
PID 1420 wrote to memory of 1312	1420	124d756a655a6c4338f61ec8f43551dce23078e04d51ca4c03ca34f5df66af27.exe	oI7UZ69.exe
PID 1420 wrote to memory of 1312	1420	124d756a655a6c4338f61ec8f43551dce23078e04d51ca4c03ca34f5df66af27.exe	oI7UZ69.exe
PID 1312 wrote to memory of 1068	1312	oI7UZ69.exe	NP7ET53.exe
PID 1312 wrote to memory of 1068	1312	oI7UZ69.exe	NP7ET53.exe
PID 1312 wrote to memory of 1068	1312	oI7UZ69.exe	NP7ET53.exe
PID 1312 wrote to memory of 1068	1312	oI7UZ69.exe	NP7ET53.exe
PID 1312 wrote to memory of 1068	1312	oI7UZ69.exe	NP7ET53.exe
PID 1312 wrote to memory of 1068	1312	oI7UZ69.exe	NP7ET53.exe
PID 1312 wrote to memory of 1068	1312	oI7UZ69.exe	NP7ET53.exe
PID 1068 wrote to memory of 852	1068	NP7ET53.exe	2KA3418.exe
PID 1068 wrote to memory of 852	1068	NP7ET53.exe	2KA3418.exe
PID 1068 wrote to memory of 852	1068	NP7ET53.exe	2KA3418.exe
PID 1068 wrote to memory of 852	1068	NP7ET53.exe	2KA3418.exe
PID 1068 wrote to memory of 852	1068	NP7ET53.exe	2KA3418.exe
PID 1068 wrote to memory of 852	1068	NP7ET53.exe	2KA3418.exe
PID 1068 wrote to memory of 852	1068	NP7ET53.exe	2KA3418.exe
PID 852 wrote to memory of 2672	852	2KA3418.exe	iexplore.exe
PID 852 wrote to memory of 2672	852	2KA3418.exe	iexplore.exe
PID 852 wrote to memory of 2672	852	2KA3418.exe	iexplore.exe
PID 852 wrote to memory of 2672	852	2KA3418.exe	iexplore.exe
PID 852 wrote to memory of 2672	852	2KA3418.exe	iexplore.exe
PID 852 wrote to memory of 2672	852	2KA3418.exe	iexplore.exe
PID 852 wrote to memory of 2672	852	2KA3418.exe	iexplore.exe
PID 852 wrote to memory of 2716	852	2KA3418.exe	iexplore.exe
PID 852 wrote to memory of 2716	852	2KA3418.exe	iexplore.exe
PID 852 wrote to memory of 2716	852	2KA3418.exe	iexplore.exe
PID 852 wrote to memory of 2716	852	2KA3418.exe	iexplore.exe
PID 852 wrote to memory of 2716	852	2KA3418.exe	iexplore.exe
PID 852 wrote to memory of 2716	852	2KA3418.exe	iexplore.exe
PID 852 wrote to memory of 2716	852	2KA3418.exe	iexplore.exe
PID 852 wrote to memory of 2612	852	2KA3418.exe	iexplore.exe
PID 852 wrote to memory of 2612	852	2KA3418.exe	iexplore.exe
PID 852 wrote to memory of 2612	852	2KA3418.exe	iexplore.exe
PID 852 wrote to memory of 2612	852	2KA3418.exe	iexplore.exe
PID 852 wrote to memory of 2612	852	2KA3418.exe	iexplore.exe
PID 852 wrote to memory of 2612	852	2KA3418.exe	iexplore.exe
PID 852 wrote to memory of 2612	852	2KA3418.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\124d756a655a6c4338f61ec8f43551dce23078e04d51ca4c03ca34f5df66af27.exe
"C:\Users\Admin\AppData\Local\Temp\124d756a655a6c4338f61ec8f43551dce23078e04d51ca4c03ca34f5df66af27.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oI7UZ69.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oI7UZ69.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1312

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/
1⤵
PID:2612

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:275457 /prefetch:2
2⤵
PID:2536

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:275457 /prefetch:2
1⤵
PID:2776

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:275457 /prefetch:2
1⤵
PID:2508

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
1⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5al0xM9.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5al0xM9.exe
1⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
2⤵
PID:1296

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:2120

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
2⤵
PID:2948

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://facebook.com/login
1⤵
PID:2716

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
1⤵
- Creates scheduled task(s)
PID:784

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
1⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2KA3418.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2KA3418.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:852

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NP7ET53.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NP7ET53.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1068

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oI7UZ69.exe
Filesize
1.1MB

MD5
d498ef113a832bdc32701cf6aa7071ff

SHA1
a33ceae715fa7d9017b956ee8aeb1c99096624c3

SHA256
b587b4d578d331bdd1cb9cfa35b02238926a23e8c7238d61014fd8f771a9ef2c

SHA512
c231fff84ea1fc7bfbfaea747a3826f616fac9d5245d1ad35210f5e5020766e2b299c7abdcd53ce9d23165d42b99b57265c5c4e28f4a0e11faf0f5ae8c3b6497

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oI7UZ69.exe
Filesize
894KB

MD5
e192f1e334193699078d05b9482f13bf

SHA1
e9d19e7176b8b8e3d6933cbf73bdfd1747412c04

SHA256
1a916cc0fadab7e157cc57b6458ece453c3f36dc6dac423c35d403ba8aea7c99

SHA512
786da2442b55273532bb68155a6204869d14fcaba0483a5663112967efd69fa2f283ea767078d5f8ffaf83dc8eb97b74b7df357ad1bcd418bd715f6f89f10484

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NP7ET53.exe
Filesize
92KB

MD5
ab21006750b4e3c24fe4a078003b384c

SHA1
784b7d5955388fe7486d7637b22393033a75d34f

SHA256
bcc2d9891daa7d64ff0f99943f806a790bbe03a0b7183bc2aa048186e529dc64

SHA512
8745190484e0187237bf0f78f65aa25c779e91cf6e691b9c9d78d9671995746c1b9e0e857395724d820237af95611e623281414da537acf387d37e3a6512077d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NP7ET53.exe
Filesize
92KB

MD5
273cca3bd0f631b969e40e41917f1640

SHA1
cc80a880aeeac200c53bc7714a752f75eaa421e3

SHA256
9538995d4759a321fd85cb0f783883e2ddcff16f4ad6e8303c35f2981b2269c1

SHA512
016b028554224a884febb03a93a5e5bedec292ac23a41da088e2db0d0e1e05fe10b1ddbf681aab301b9171f3c2020186d77e38c60f8839833a76151c40f35e24

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\oI7UZ69.exe
Filesize
92KB

MD5
90ddd898ef8c7cbe19925d848f083f8e

SHA1
ba704fa7d957ceb66d4b4fe1c9f439dcde6e1cf3

SHA256
3baf5f35ce99cd0644c4a20c6806441ae85d89561d8d7b78bad1ab281fb5c663

SHA512
13eb48e3ec84f535e308d5009b96863f7dc835a923dfec1c87f652548026def225e6265a052dc7fc861446b1576063b5c7ec24762c4d9f561f709de49d454092

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\oI7UZ69.exe
Filesize
382KB

MD5
e921b9e6ce4fcc5401cdcb7db50c6b90

SHA1
54f24b25bd36cb881fa387f31ca709e7f75bd84f

SHA256
e8d6ec2ec6e5f756c143fb1e510e07454793bc714fe6454a87fae4f281537f21

SHA512
1de7b55b9b28671c2debbb7e7bbe091c526afadc1d5120f02c945380e9e0bb64bc14ddc808c64304113be713027b5ec3e912428c4a1dc9d2b55b461dbfea8911

Download Submit
memory/1068-36-0x0000000002900000-0x0000000002D5E000-memory.dmp

Filesize
4.4MB

Download
memory/1584-53-0x000000006D930000-0x000000006DEDB000-memory.dmp

Filesize
5.7MB

Download
memory/1584-64-0x0000000002BE0000-0x0000000002C20000-memory.dmp

Filesize
256KB

Download
memory/1584-186-0x000000006D930000-0x000000006DEDB000-memory.dmp

Filesize
5.7MB

Download
memory/2572-542-0x0000000000DB0000-0x000000000120E000-memory.dmp

Filesize
4.4MB

Download
memory/2572-1075-0x0000000000DB0000-0x000000000120E000-memory.dmp

Filesize
4.4MB

Download
memory/2572-40-0x0000000000DB0000-0x000000000120E000-memory.dmp

Filesize
4.4MB

Download
memory/2572-37-0x0000000000DB0000-0x000000000120E000-memory.dmp

Filesize
4.4MB

Download
memory/2572-38-0x00000000013F0000-0x000000000184E000-memory.dmp

Filesize
4.4MB

Download
memory/2572-922-0x0000000000DB0000-0x000000000120E000-memory.dmp

Filesize
4.4MB

Download
memory/2572-921-0x0000000000DB0000-0x000000000120E000-memory.dmp

Filesize
4.4MB

Download
memory/2572-1061-0x00000000013F0000-0x000000000184E000-memory.dmp

Filesize
4.4MB

Download
memory/2572-1071-0x0000000000DB0000-0x000000000120E000-memory.dmp

Filesize
4.4MB

Download
memory/2572-1073-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/2572-1074-0x0000000000DB0000-0x000000000120E000-memory.dmp

Filesize
4.4MB

Download
memory/2572-243-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/2572-1077-0x0000000000DB0000-0x000000000120E000-memory.dmp

Filesize
4.4MB

Download
memory/2572-1414-0x0000000000DB0000-0x000000000120E000-memory.dmp

Filesize
4.4MB

Download
memory/2572-1415-0x0000000000DB0000-0x000000000120E000-memory.dmp

Filesize
4.4MB

Download
memory/2572-1528-0x0000000000DB0000-0x000000000120E000-memory.dmp

Filesize
4.4MB

Download
memory/2572-1529-0x0000000000DB0000-0x000000000120E000-memory.dmp

Filesize
4.4MB

Download
memory/2572-1530-0x0000000000DB0000-0x000000000120E000-memory.dmp

Filesize
4.4MB

Download
memory/2572-1531-0x0000000000DB0000-0x000000000120E000-memory.dmp

Filesize
4.4MB

Download
memory/2572-1532-0x0000000000DB0000-0x000000000120E000-memory.dmp

Filesize
4.4MB

Download
memory/2572-1534-0x0000000000DB0000-0x000000000120E000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads