c432756c4f332b231837f895c85790265b614dd42d0c7652cfad91eec6b43089

General

Target

b8c8519e40c7d4fb105a89ba33501b7e.exe
Size

872KB
MD5

b8c8519e40c7d4fb105a89ba33501b7e
SHA1

cad2759b454bc6f8cf50a5b799ac17f581fbb884
SHA256

c432756c4f332b231837f895c85790265b614dd42d0c7652cfad91eec6b43089
SHA512

10b567f6d228ded53cf810c6f4e89e51cfbcb59e8578ce95ca9b554ff83b71d74cfa97c182155da3b8b04347db9b2aa7e05d2c00e6a2b9cba528605c1b4de517
SSDEEP

24576:yCfEtSfZT7a2AigI644rMWW9FP86XblVO:DctuT7a1izerHWnTZk

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{7M8A6G00-3I18-11C0-821H-444200140P0S}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7M8A6G00-3I18-11C0-821H-444200140P0S}\StubPath = "C:\\Windows\\system32\\OLE32Init.exe"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{7M8A6G00-3I18-11C0-821H-444200140P0S}	Sender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7M8A6G00-3I18-11C0-821H-444200140P0S}\StubPath = "C:\\Windows\\system32\\OLE32Init.exe"	Sender.exe

Executes dropped EXE 2 IoCs

pid	Process
3944	Sender.exe
4744	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b8c8519e40c7d4fb105a89ba33501b7e.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\COMCTL32.dll	b8c8519e40c7d4fb105a89ba33501b7e.exe
File created	C:\Windows\SysWOW64\COMCTL32.dll	b8c8519e40c7d4fb105a89ba33501b7e.exe
File opened for modification	C:\Windows\SysWOW64\VERSION.dll	b8c8519e40c7d4fb105a89ba33501b7e.exe
File created	C:\Windows\SysWOW64\VERSION.dll	b8c8519e40c7d4fb105a89ba33501b7e.exe
File opened for modification	C:\Windows\SysWOW64\OLE32Init.exe	Sender.exe
File created	C:\Windows\SysWOW64\OLE32Init.exe	Sender.exe
File opened for modification	C:\Windows\SysWOW64\ADVAPI32.dll	b8c8519e40c7d4fb105a89ba33501b7e.exe
File created	C:\Windows\SysWOW64\ADVAPI32.dll	b8c8519e40c7d4fb105a89ba33501b7e.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\regsvr32.exe	Sender.exe
File created	C:\Windows\regsvr32.exe	Sender.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4744	regsvr32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 3944	1452	b8c8519e40c7d4fb105a89ba33501b7e.exe	87
PID 1452 wrote to memory of 3944	1452	b8c8519e40c7d4fb105a89ba33501b7e.exe	87
PID 1452 wrote to memory of 3944	1452	b8c8519e40c7d4fb105a89ba33501b7e.exe	87
PID 3944 wrote to memory of 4744	3944	Sender.exe	95
PID 3944 wrote to memory of 4744	3944	Sender.exe	95
PID 3944 wrote to memory of 4744	3944	Sender.exe	95

C:\Users\Admin\AppData\Local\Temp\b8c8519e40c7d4fb105a89ba33501b7e.exe
"C:\Users\Admin\AppData\Local\Temp\b8c8519e40c7d4fb105a89ba33501b7e.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sender.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sender.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\regsvr32.exe
    C:\Windows\regsvr32.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sender.exe

Filesize
44KB

MD5
6a8f79f987ca62a8567061fabf358b00

SHA1
1ebec4291dc2a4b6a82352511b7c8316cab1c273

SHA256
df418db45a9d3a6dcd9da65ca9734afdacd85631f47658b1bd2b91b98342af95

SHA512
76536a5d39850d40b80d636e06430380484222443a71bcc3be01d52bcab9f03fb08dce1f52fa6cae220e46eab3162cde063ae2b53b9d8edc09237e033941f118

Download Submit
C:\Windows\SysWOW64\OLE32Init.exe

Filesize
44KB

MD5
b927c58ab0563c9d621adcaefd456364

SHA1
9fa2dea65b69ef1e063f09220632d8dcf2fc5d00

SHA256
16935c28c6f1b214954be975ad31cf1599a390c973a48fb89d09de18b7032af4

SHA512
d05ec0abb44a0369dc80285bd882c5c9e5c4e348d4a7fcd04ddbeb9819bffa721a6f832dc5608704eec5cf5aa03fad50f8ec37de37c5e3a4923211c6efaef191

Download Submit
memory/1452-10-0x0000000000920000-0x0000000000930000-memory.dmp

Filesize
64KB

Download
memory/1452-9-0x0000000076EC3000-0x0000000076EC4000-memory.dmp

Filesize
4KB

Download
memory/1452-4-0x0000000000A30000-0x0000000000A40000-memory.dmp

Filesize
64KB

Download
memory/1452-5-0x0000000076ED2000-0x0000000076ED3000-memory.dmp

Filesize
4KB

Download
memory/1452-6-0x0000000000A10000-0x0000000000A20000-memory.dmp

Filesize
64KB

Download
memory/1452-7-0x00000000757C0000-0x00000000758B0000-memory.dmp

Filesize
960KB

Download
memory/1452-8-0x0000000076ED3000-0x0000000076ED4000-memory.dmp

Filesize
4KB

Download
memory/1452-34-0x0000000001000000-0x00000000010DA000-memory.dmp

Filesize
872KB

Download
memory/1452-1-0x0000000001000000-0x00000000010DA000-memory.dmp

Filesize
872KB

Download
memory/1452-11-0x0000000000920000-0x0000000000930000-memory.dmp

Filesize
64KB

Download
memory/1452-12-0x0000000001000000-0x00000000010DA000-memory.dmp

Filesize
872KB

Download
memory/1452-3-0x00000000006F0000-0x0000000000729000-memory.dmp

Filesize
228KB

Download
memory/1452-2-0x00000000005A0000-0x00000000005A4000-memory.dmp

Filesize
16KB

Download
memory/1452-36-0x00000000006F0000-0x0000000000729000-memory.dmp

Filesize
228KB

Download
memory/1452-0-0x0000000001000000-0x00000000010DA000-memory.dmp

Filesize
872KB

Download
memory/1452-35-0x00000000757C0000-0x00000000758B0000-memory.dmp

Filesize
960KB

Download
memory/3944-17-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3944-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3944-19-0x0000000000420000-0x0000000000422000-memory.dmp

Filesize
8KB

Download
memory/4744-32-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4744-38-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads