487549d4619a5a04404ba5273f4b0ec13b90a19090427f846f1aed5bde9d7e6b

General

Target

97de628a72427af250f498018de121d0.exe
Size

661KB
MD5

97de628a72427af250f498018de121d0
SHA1

f3b22fe27ccc1546f01f1539366987832faee448
SHA256

487549d4619a5a04404ba5273f4b0ec13b90a19090427f846f1aed5bde9d7e6b
SHA512

4d4505c286bfae1b6df6fa389102d1bc4aa19306c22abf254fa486e1384142a15c25e1e7cb7395c6ec458e9af12268a93966dfbec50b3d73d1d3202cadfc64ec
SSDEEP

12288:7HdIsna+XMg8lehPFZ+FOUl0tF3Z4mxxGlqEahKJXDTiwuU:7Csa+IEJFUUQmXGEyFqU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2548	4.exe
2680	help.exe

Loads dropped DLL 2 IoCs

pid	Process
2980	97de628a72427af250f498018de121d0.exe
2980	97de628a72427af250f498018de121d0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	97de628a72427af250f498018de121d0.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\help.exe	4.exe
File opened for modification	C:\Windows\help.exe	4.exe
File created	C:\Windows\UNINSTAL.BAT	4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	4.exe
Token: SeDebugPrivilege	2680	help.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2680	help.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2548	2980	97de628a72427af250f498018de121d0.exe	28
PID 2980 wrote to memory of 2548	2980	97de628a72427af250f498018de121d0.exe	28
PID 2980 wrote to memory of 2548	2980	97de628a72427af250f498018de121d0.exe	28
PID 2980 wrote to memory of 2548	2980	97de628a72427af250f498018de121d0.exe	28
PID 2548 wrote to memory of 2696	2548	4.exe	31
PID 2548 wrote to memory of 2696	2548	4.exe	31
PID 2548 wrote to memory of 2696	2548	4.exe	31
PID 2548 wrote to memory of 2696	2548	4.exe	31
PID 2548 wrote to memory of 2696	2548	4.exe	31
PID 2548 wrote to memory of 2696	2548	4.exe	31
PID 2548 wrote to memory of 2696	2548	4.exe	31
PID 2680 wrote to memory of 1688	2680	help.exe	30
PID 2680 wrote to memory of 1688	2680	help.exe	30
PID 2680 wrote to memory of 1688	2680	help.exe	30
PID 2680 wrote to memory of 1688	2680	help.exe	30

C:\Users\Admin\AppData\Local\Temp\97de628a72427af250f498018de121d0.exe
"C:\Users\Admin\AppData\Local\Temp\97de628a72427af250f498018de121d0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\UNINSTAL.BAT
    3⤵
    PID:2696

C:\Windows\help.exe
C:\Windows\help.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\UNINSTAL.BAT

Filesize
146B

MD5
a5c7733dd794a6eabcae71277f272a5a

SHA1
fb5cb63364b70289fd76c2c228eb1a09ce1969a7

SHA256
8684c9eca032c0e0ab940ab17b77e642e72f15272b9b88ac1c5ce49dc5486588

SHA512
f2572f2ad6024b7f91ff85f327fcd5f45f2efc679c75d8af4a2dd40a370225cbbe61b8ccb5a23bd6c368ac5fedb30d2dd377861744cc3b1ce83d9c9b8cd768f5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
746KB

MD5
2b761d2bba5a27d73335661793460b0f

SHA1
a31c10714004a80b6cd0ccafd1e93526f1201429

SHA256
926eabdca4603a749bf7974add1db741928c2fc1e8a367d159782a6b55bd2a2e

SHA512
b2051e089c4931bbcc9de0e8d9036fe8669cf331414bceeb3821546940fe17619008692a93a92514fd18d872ccf1d3702fdeabb0d2301da176e71a9765242121

Download Submit
memory/2548-51-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2548-36-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2548-35-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2680-62-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2680-58-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2680-56-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2680-55-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2680-42-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2680-41-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2980-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2980-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2980-13-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2980-12-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/2980-11-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2980-10-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/2980-9-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2980-0-0x0000000001000000-0x0000000001103000-memory.dmp

Filesize
1.0MB

Download
memory/2980-7-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2980-6-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2980-5-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2980-4-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2980-3-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2980-14-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2980-15-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/2980-16-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/2980-33-0x0000000003160000-0x000000000322F000-memory.dmp

Filesize
828KB

Download
memory/2980-17-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/2980-18-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/2980-19-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/2980-20-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/2980-21-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/2980-52-0x0000000001000000-0x0000000001103000-memory.dmp

Filesize
1.0MB

Download
memory/2980-53-0x00000000001C0000-0x0000000000214000-memory.dmp

Filesize
336KB

Download
memory/2980-22-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/2980-23-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/2980-24-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/2980-1-0x00000000001C0000-0x0000000000214000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads