7a7ab30d64d8f9f38e7935cfee424bd13002849f20c4cfd4fbb1790012f37315

General

Target

c0c73f589bd0b0e715ed1f2a031e4b1a.exe
Size

638KB
MD5

c0c73f589bd0b0e715ed1f2a031e4b1a
SHA1

1521f515e5a5fd1c16065f6b28007039c5a868fc
SHA256

7a7ab30d64d8f9f38e7935cfee424bd13002849f20c4cfd4fbb1790012f37315
SHA512

b1e4c8f1ea7931611becdec8f0a01c769143f478d7e8dbfff03fb162c22986f0c6b4e922c93ceec5f3617cf9eb459c5c7db87859889537cb93b334792655df15
SSDEEP

12288:oc5In4oniM66Y7cuJvYsTD11c2obY7HXG0KtWiKsLO:oc5In4onv66Ywnsocq0AJo

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2116	4.exe
3744	Windows.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c0c73f589bd0b0e715ed1f2a031e4b1a.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Windows.exe	4.exe
File opened for modification	C:\Windows\Windows.exe	4.exe
File created	C:\Windows\uninstal.bat	4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	4.exe
Token: SeDebugPrivilege	3744	Windows.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3744	Windows.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2116	2324	c0c73f589bd0b0e715ed1f2a031e4b1a.exe	89
PID 2324 wrote to memory of 2116	2324	c0c73f589bd0b0e715ed1f2a031e4b1a.exe	89
PID 2324 wrote to memory of 2116	2324	c0c73f589bd0b0e715ed1f2a031e4b1a.exe	89
PID 2116 wrote to memory of 4360	2116	4.exe	93
PID 2116 wrote to memory of 4360	2116	4.exe	93
PID 2116 wrote to memory of 4360	2116	4.exe	93
PID 3744 wrote to memory of 3872	3744	Windows.exe	92
PID 3744 wrote to memory of 3872	3744	Windows.exe	92

C:\Users\Admin\AppData\Local\Temp\c0c73f589bd0b0e715ed1f2a031e4b1a.exe
"C:\Users\Admin\AppData\Local\Temp\c0c73f589bd0b0e715ed1f2a031e4b1a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    PID:4360

C:\Windows\Windows.exe
C:\Windows\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:3872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
788KB

MD5
2df9ed2cb7e4fc7731a7e257bc942755

SHA1
a298990a5e472f2126a2645f2d67641f8ef48610

SHA256
894412773346cdcfdb0a930ebfbcbef49ccaefa9264c3766cb7e4b74787e36c2

SHA512
61e4f4557759fd44aa071367c1ed97e468651aef2feee7f6053fffd189ad843d3f25edc2a618ef8bd4dbdb1ffe4314d177da531fadce0000dce370fbcbfec368

Download Submit
C:\Windows\uninstal.bat

Filesize
150B

MD5
5edd682a8b1f2bf873300774f954ab03

SHA1
2cca4e743d02dbccf31b784ea26a60c03dcc9637

SHA256
a34c51ec5d2ac66ef75719e7dee61b6e89e74d054712438da2585ec92ce0865a

SHA512
916f0e846a38f63aae996e2a3957fa24fed3bcaa6add68c529e3cc0aa063dca49b98d42c92317bfc2f43d745c492e1e1e6f5db0c986b9682f4b9b0cf0afd7bd2

Download Submit
memory/2116-24-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/2116-16-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/2116-15-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/2324-5-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/2324-3-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/2324-7-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2324-8-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/2324-9-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/2324-0-0x0000000001000000-0x0000000001106000-memory.dmp

Filesize
1.0MB

Download
memory/2324-4-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2324-6-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/2324-1-0x0000000000600000-0x0000000000650000-memory.dmp

Filesize
320KB

Download
memory/2324-2-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/2324-25-0x0000000001000000-0x0000000001106000-memory.dmp

Filesize
1.0MB

Download
memory/2324-26-0x0000000000600000-0x0000000000650000-memory.dmp

Filesize
320KB

Download
memory/3744-21-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/3744-28-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/3744-29-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads