87545d25bd7ba1490287b40c178d3b75765457565caa7d27a801d8a2e21d5fd3

General

Target

2f3c9be60064deb5a63a27f1c4e50cc0.exe
Size

6.2MB
MD5

2f3c9be60064deb5a63a27f1c4e50cc0
SHA1

32e3dd4cfc7dc41072c9eee17c6bf2e1553802a4
SHA256

87545d25bd7ba1490287b40c178d3b75765457565caa7d27a801d8a2e21d5fd3
SHA512

6ccb95bdd98c765656e112fee20c88e7eeb745d82361c1ae5e1fa56a17e556e1be198058a3b99e5d43cd330f96fa3b5ac6da53d7b62f25dcfea26f4503dff61a
SSDEEP

98304:lF8zNNrIkyFXuqSqYJebYimqjeL5UnG/xDrMBjrM9DVncLlw5gTeV0kJ7Hi:lF8IwvJeb5mHFt5m8a2EvM

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

Xj6Hl21.exeSP4Rr42.exeQf8gp08.exeVr8oH09.exe1dP82wv5.exe

pid process

2364 Xj6Hl21.exe
2044 SP4Rr42.exe
2204 Qf8gp08.exe
2760 Vr8oH09.exe
2116 1dP82wv5.exe

pid	process
2364	Xj6Hl21.exe
2044	SP4Rr42.exe
2204	Qf8gp08.exe
2760	Vr8oH09.exe
2116	1dP82wv5.exe

Loads dropped DLL 10 IoCs

Processes:

2f3c9be60064deb5a63a27f1c4e50cc0.exeXj6Hl21.exeSP4Rr42.exeQf8gp08.exeVr8oH09.exe1dP82wv5.exe

pid	process
2924	2f3c9be60064deb5a63a27f1c4e50cc0.exe
2364	Xj6Hl21.exe
2364	Xj6Hl21.exe
2044	SP4Rr42.exe
2044	SP4Rr42.exe
2204	Qf8gp08.exe
2204	Qf8gp08.exe
2760	Vr8oH09.exe
2760	Vr8oH09.exe
2116	1dP82wv5.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2f3c9be60064deb5a63a27f1c4e50cc0.exeXj6Hl21.exeSP4Rr42.exeQf8gp08.exeVr8oH09.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2f3c9be60064deb5a63a27f1c4e50cc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Xj6Hl21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	SP4Rr42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Qf8gp08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Vr8oH09.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

74 ipinfo.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2408 2596 WerFault.exe 2pX3090.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1032 schtasks.exe
1124 schtasks.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

1dP82wv5.exe

pid process

2116 1dP82wv5.exe
2116 1dP82wv5.exe
2116 1dP82wv5.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

1dP82wv5.exe

pid process

2116 1dP82wv5.exe
2116 1dP82wv5.exe
2116 1dP82wv5.exe

flow	ioc
74	ipinfo.io

pid	pid_target	process	target process
2408	2596	WerFault.exe	2pX3090.exe

pid	process
1032	schtasks.exe
1124	schtasks.exe

pid	process
2116	1dP82wv5.exe
2116	1dP82wv5.exe
2116	1dP82wv5.exe

pid	process
2116	1dP82wv5.exe
2116	1dP82wv5.exe
2116	1dP82wv5.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

2f3c9be60064deb5a63a27f1c4e50cc0.exeXj6Hl21.exeSP4Rr42.exeQf8gp08.exeVr8oH09.exe1dP82wv5.exe

description	pid	process	target process
PID 2924 wrote to memory of 2364	2924	2f3c9be60064deb5a63a27f1c4e50cc0.exe	Xj6Hl21.exe
PID 2924 wrote to memory of 2364	2924	2f3c9be60064deb5a63a27f1c4e50cc0.exe	Xj6Hl21.exe
PID 2924 wrote to memory of 2364	2924	2f3c9be60064deb5a63a27f1c4e50cc0.exe	Xj6Hl21.exe
PID 2924 wrote to memory of 2364	2924	2f3c9be60064deb5a63a27f1c4e50cc0.exe	Xj6Hl21.exe
PID 2924 wrote to memory of 2364	2924	2f3c9be60064deb5a63a27f1c4e50cc0.exe	Xj6Hl21.exe
PID 2924 wrote to memory of 2364	2924	2f3c9be60064deb5a63a27f1c4e50cc0.exe	Xj6Hl21.exe
PID 2924 wrote to memory of 2364	2924	2f3c9be60064deb5a63a27f1c4e50cc0.exe	Xj6Hl21.exe
PID 2364 wrote to memory of 2044	2364	Xj6Hl21.exe	SP4Rr42.exe
PID 2364 wrote to memory of 2044	2364	Xj6Hl21.exe	SP4Rr42.exe
PID 2364 wrote to memory of 2044	2364	Xj6Hl21.exe	SP4Rr42.exe
PID 2364 wrote to memory of 2044	2364	Xj6Hl21.exe	SP4Rr42.exe
PID 2364 wrote to memory of 2044	2364	Xj6Hl21.exe	SP4Rr42.exe
PID 2364 wrote to memory of 2044	2364	Xj6Hl21.exe	SP4Rr42.exe
PID 2364 wrote to memory of 2044	2364	Xj6Hl21.exe	SP4Rr42.exe
PID 2044 wrote to memory of 2204	2044	SP4Rr42.exe	Qf8gp08.exe
PID 2044 wrote to memory of 2204	2044	SP4Rr42.exe	Qf8gp08.exe
PID 2044 wrote to memory of 2204	2044	SP4Rr42.exe	Qf8gp08.exe
PID 2044 wrote to memory of 2204	2044	SP4Rr42.exe	Qf8gp08.exe
PID 2044 wrote to memory of 2204	2044	SP4Rr42.exe	Qf8gp08.exe
PID 2044 wrote to memory of 2204	2044	SP4Rr42.exe	Qf8gp08.exe
PID 2044 wrote to memory of 2204	2044	SP4Rr42.exe	Qf8gp08.exe
PID 2204 wrote to memory of 2760	2204	Qf8gp08.exe	Vr8oH09.exe
PID 2204 wrote to memory of 2760	2204	Qf8gp08.exe	Vr8oH09.exe
PID 2204 wrote to memory of 2760	2204	Qf8gp08.exe	Vr8oH09.exe
PID 2204 wrote to memory of 2760	2204	Qf8gp08.exe	Vr8oH09.exe
PID 2204 wrote to memory of 2760	2204	Qf8gp08.exe	Vr8oH09.exe
PID 2204 wrote to memory of 2760	2204	Qf8gp08.exe	Vr8oH09.exe
PID 2204 wrote to memory of 2760	2204	Qf8gp08.exe	Vr8oH09.exe
PID 2760 wrote to memory of 2116	2760	Vr8oH09.exe	1dP82wv5.exe
PID 2760 wrote to memory of 2116	2760	Vr8oH09.exe	1dP82wv5.exe
PID 2760 wrote to memory of 2116	2760	Vr8oH09.exe	1dP82wv5.exe
PID 2760 wrote to memory of 2116	2760	Vr8oH09.exe	1dP82wv5.exe
PID 2760 wrote to memory of 2116	2760	Vr8oH09.exe	1dP82wv5.exe
PID 2760 wrote to memory of 2116	2760	Vr8oH09.exe	1dP82wv5.exe
PID 2760 wrote to memory of 2116	2760	Vr8oH09.exe	1dP82wv5.exe
PID 2116 wrote to memory of 1688	2116	1dP82wv5.exe	iexplore.exe
PID 2116 wrote to memory of 1688	2116	1dP82wv5.exe	iexplore.exe
PID 2116 wrote to memory of 1688	2116	1dP82wv5.exe	iexplore.exe
PID 2116 wrote to memory of 1688	2116	1dP82wv5.exe	iexplore.exe
PID 2116 wrote to memory of 1688	2116	1dP82wv5.exe	iexplore.exe
PID 2116 wrote to memory of 1688	2116	1dP82wv5.exe	iexplore.exe
PID 2116 wrote to memory of 1688	2116	1dP82wv5.exe	iexplore.exe
PID 2116 wrote to memory of 2700	2116	1dP82wv5.exe	iexplore.exe
PID 2116 wrote to memory of 2700	2116	1dP82wv5.exe	iexplore.exe
PID 2116 wrote to memory of 2700	2116	1dP82wv5.exe	iexplore.exe
PID 2116 wrote to memory of 2700	2116	1dP82wv5.exe	iexplore.exe
PID 2116 wrote to memory of 2700	2116	1dP82wv5.exe	iexplore.exe
PID 2116 wrote to memory of 2700	2116	1dP82wv5.exe	iexplore.exe
PID 2116 wrote to memory of 2700	2116	1dP82wv5.exe	iexplore.exe
PID 2116 wrote to memory of 2516	2116	1dP82wv5.exe	iexplore.exe
PID 2116 wrote to memory of 2516	2116	1dP82wv5.exe	iexplore.exe
PID 2116 wrote to memory of 2516	2116	1dP82wv5.exe	iexplore.exe
PID 2116 wrote to memory of 2516	2116	1dP82wv5.exe	iexplore.exe
PID 2116 wrote to memory of 2516	2116	1dP82wv5.exe	iexplore.exe
PID 2116 wrote to memory of 2516	2116	1dP82wv5.exe	iexplore.exe
PID 2116 wrote to memory of 2516	2116	1dP82wv5.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\2f3c9be60064deb5a63a27f1c4e50cc0.exe
"C:\Users\Admin\AppData\Local\Temp\2f3c9be60064deb5a63a27f1c4e50cc0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2924

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xj6Hl21.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xj6Hl21.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2364

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1688 CREDAT:275457 /prefetch:2
1⤵
PID:2696

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2516 CREDAT:275457 /prefetch:2
1⤵
PID:1748

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2700 CREDAT:275457 /prefetch:2
1⤵
PID:2836

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
1⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2pX3090.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2pX3090.exe
1⤵
PID:2596

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
2⤵
PID:384

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
2⤵
PID:724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 2472
2⤵
- Program crash
PID:2408

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/
1⤵
PID:2516

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://facebook.com/login
1⤵
PID:2700

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
1⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dP82wv5.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dP82wv5.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
1⤵
- Creates scheduled task(s)
PID:1032

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
1⤵
- Creates scheduled task(s)
PID:1124

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Vr8oH09.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Vr8oH09.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2760

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qf8gp08.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qf8gp08.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2204

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SP4Rr42.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SP4Rr42.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xj6Hl21.exe
Filesize
381KB

MD5
1c518ad4731583ce21c004e46e6d9299

SHA1
bf736f9efa63d45c7613c90f4c72b090e8b18de7

SHA256
c9f361a29d2580cc2a988223e0d58a4f554abed608ec5958b97f4f0ee6c43421

SHA512
e633a7b7cf8f7b7ef7e1f917496dd8a471a5cd4606328637ebf3f9569c9ae80e10fd5cbf1ffb5361c86532c8fd1b44f18bc37089b72ef89eddb77921d1997727

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xj6Hl21.exe
Filesize
1.9MB

MD5
2129b5922f17b9354915920c39bb09e7

SHA1
f94be393ad5fecbdd8308d8c8894365dd539b03c

SHA256
676e335001f21a3048352dbcbf1f0df2438881fd01a6881b48e25ad0bf31a5bd

SHA512
d1d315f003f5caeaa06577ebc9a6c5ae9e521de7da0232c665cc905a1d512075a71ea627805bf245873b447f2dedfc008661baf4b3bd285ce6cb03eff9949109

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SP4Rr42.exe
Filesize
381KB

MD5
4c6bfa7dd09ccb709c74572d5fc0ff03

SHA1
65e7e09547df528514d828641271567cf3287def

SHA256
ac35f96293e8c716acf2c3d63e2b9eab4225e6df3bd8ce10443fdbace4b0b42d

SHA512
cc575e1d2e016ea009398c21efcdd0c8c23e796e3d80ada8af9f5506d04ef42675136e57b48f78831b7930ad2ed07448232167e93517472f827e1a5a70237e77

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xj6Hl21.exe
Filesize
3.2MB

MD5
4a89f8444e189517507a20a1d41d1a84

SHA1
9463c1e0e3a0cf0eff2e8be7bcd37c8593ddfc55

SHA256
447e28658b8897ea901bf3559a2422d4502fe6382adab8050fea7af83c55c6a9

SHA512
f0e18614563f44555f13dab1691263570f09be75ede3f1d08cfa3a08a7b43bc81a2bc25a10cf9d6e4fbf392f9c41d6bf5ba7f47b0ec1d21ebaf4848cb39de909

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xj6Hl21.exe
Filesize
1.1MB

MD5
7b272cb043490690146cb4b5f381f03a

SHA1
2e99310d6efe1e0135b0873020e3e27dc51437c8

SHA256
9f8cb6f20eac27262757f310783e622d631987f273c662f78a30792195feae28

SHA512
83ce5e9d5af25453eef69a1e75b4ac7abbb52134e2eb71cd454dcd77ddb878d6ee65256a0ed19bfd43f4542e9471f79cfb8775492c3ed75fd3a4f8d37d59d52a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\SP4Rr42.exe
Filesize
893KB

MD5
12383f10fba112f4ad858820ccdfba0a

SHA1
6104377b0ca7fdeab38bb8a8215807f04b2b59e6

SHA256
3eecb71d2530a04e8254d7bbe974fe986a47e70f8b42f4e670c53c77274269c4

SHA512
3458bf2ff82283cdbb4a9aa08b8eb0a47f2eaa2aa6ae638c6b1663e2e46d9f22d473e3b1a6745380c5977c76e9dff2c3afd83233093ec44234d3ac9e97e3e9fb

Download Submit
memory/2276-69-0x0000000002AF0000-0x0000000002B30000-memory.dmp

Filesize
256KB

Download
memory/2276-68-0x000000006DBE0000-0x000000006E18B000-memory.dmp

Filesize
5.7MB

Download
memory/2276-70-0x000000006DBE0000-0x000000006E18B000-memory.dmp

Filesize
5.7MB

Download
memory/2596-78-0x0000000000970000-0x0000000000980000-memory.dmp

Filesize
64KB

Download
memory/2596-65-0x00000000003E0000-0x000000000083E000-memory.dmp

Filesize
4.4MB

Download
memory/2596-62-0x00000000003E0000-0x000000000083E000-memory.dmp

Filesize
4.4MB

Download
memory/2596-61-0x00000000013A0000-0x00000000017FE000-memory.dmp

Filesize
4.4MB

Download
memory/2596-401-0x00000000003E0000-0x000000000083E000-memory.dmp

Filesize
4.4MB

Download
memory/2596-526-0x00000000013A0000-0x00000000017FE000-memory.dmp

Filesize
4.4MB

Download
memory/2596-582-0x00000000003E0000-0x000000000083E000-memory.dmp

Filesize
4.4MB

Download
memory/2596-604-0x00000000003E0000-0x000000000083E000-memory.dmp

Filesize
4.4MB

Download
memory/2760-59-0x00000000028A0000-0x0000000002CFE000-memory.dmp

Filesize
4.4MB

Download
memory/2760-60-0x00000000028A0000-0x0000000002CFE000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads