7bd347cc23ad53bee61e05d24bf364ce3bdd4a3ee285559caf3bd6fb903b4f09

General

Target

46b65177dc987f6c15bf187de54feafd.exe
Size

430KB
MD5

46b65177dc987f6c15bf187de54feafd
SHA1

9728150c77afbcc16891c5f46a1363980cc109f8
SHA256

7bd347cc23ad53bee61e05d24bf364ce3bdd4a3ee285559caf3bd6fb903b4f09
SHA512

f8b1c5f4f40053687ce4b627cb5103c3e1611eec435f0fc661d8ecb24d54291739d1b20d5ed13f049b601fae73fb1c9cac3a05ef71505ded6fc66a1a6e37210d
SSDEEP

6144:HtS8QOd4NhvkAF2idZecnl20lHRxp3gmo+JR9MocBToNsKDvN1YqmtHo:HNXy3kwF3Z4mxxbZRKowmNvN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5008	2.exe
4888	MM.exe

Loads dropped DLL 2 IoCs

pid	Process
4888	MM.exe
4888	MM.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	46b65177dc987f6c15bf187de54feafd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	2.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SysYH.bak	MM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4888	MM.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 5008	2188	46b65177dc987f6c15bf187de54feafd.exe	96
PID 2188 wrote to memory of 5008	2188	46b65177dc987f6c15bf187de54feafd.exe	96
PID 2188 wrote to memory of 5008	2188	46b65177dc987f6c15bf187de54feafd.exe	96
PID 5008 wrote to memory of 4888	5008	2.exe	97
PID 5008 wrote to memory of 4888	5008	2.exe	97
PID 5008 wrote to memory of 4888	5008	2.exe	97

C:\Users\Admin\AppData\Local\Temp\46b65177dc987f6c15bf187de54feafd.exe
"C:\Users\Admin\AppData\Local\Temp\46b65177dc987f6c15bf187de54feafd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MM.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MM.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2.exe

Filesize
75KB

MD5
688103300bf9b826e70260513d75a3fb

SHA1
03c7a2f1a1184ec50aeb6a313fd310e2f8c30298

SHA256
c89836da7970eccf8e7ecd9835fbb6129ce1dd18322d9220eff73db962e78509

SHA512
ac2884076dbc453fc7e99d383a7c0b6a6ec279530b025d856e7ab9392ce72471384834808d578edf571c5b788a02b4b1736b4977372b7c4c80a88ec93001d4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MM.exe

Filesize
40KB

MD5
9a9eb426de5baae6b98fc87e9d0c252c

SHA1
0139e26e86a122bdf8fdb16c0e42250198897373

SHA256
f3b43ada70b0252f356e2bdce3c33d276c4b0314d77a4914a9f855f12873f19d

SHA512
1327edcba7731a0f700d4ca53d71a737ce6f9e27c2866ea63a5c718a111be51382c9f48686d254559397eaec267486b58774a809ad905ac11ecd9abc9c2ba2e5

Download Submit
C:\Windows\SysWOW64\SysYH.bak

Filesize
237KB

MD5
f1bdf22fed0b11172faa0d32afe4d74b

SHA1
5cc9ea61fb35ef2334256836e6e0f885499beedf

SHA256
e64633e5e0786fb561b36c1c82b302d92ab067b9abfcd1c99ccded3d2925b899

SHA512
465938f8a622232ebf9a491304b6cc8ebe56c1f451cb301f29b4534a6f445015112c74ffc65c7e8331e22da5ad318eb07453195be66cda5bf27f168df915e59f

Download Submit
memory/2188-4-0x00000000030C0000-0x00000000030C3000-memory.dmp

Filesize
12KB

Download
memory/2188-26-0x0000000001000000-0x0000000001077000-memory.dmp

Filesize
476KB

Download
memory/2188-6-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2188-5-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2188-7-0x0000000001000000-0x0000000001077000-memory.dmp

Filesize
476KB

Download
memory/2188-3-0x00000000005D0000-0x0000000000624000-memory.dmp

Filesize
336KB

Download
memory/2188-2-0x0000000001000000-0x0000000001077000-memory.dmp

Filesize
476KB

Download
memory/2188-29-0x00000000005D0000-0x0000000000624000-memory.dmp

Filesize
336KB

Download
memory/2188-1-0x0000000001000000-0x0000000001077000-memory.dmp

Filesize
476KB

Download
memory/2188-0-0x0000000001000000-0x0000000001077000-memory.dmp

Filesize
476KB

Download
memory/4888-23-0x0000000000570000-0x00000000005B0000-memory.dmp

Filesize
256KB

Download
memory/4888-28-0x0000000000570000-0x00000000005B0000-memory.dmp

Filesize
256KB

Download
memory/4888-18-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4888-33-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4888-48-0x0000000000570000-0x00000000005B0000-memory.dmp

Filesize
256KB

Download
memory/5008-27-0x0000000001000000-0x000000000101D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads