d39ca303b21bc877d7cb9d7a762b4751f1df86e8f47d6bc8704c3c2cdae0ecdb

General

Target

d39ca303b21bc877d7cb9d7a762b4751f1df86e8f47d6bc8704c3c2cdae0ecdb.exe
Size

6.3MB
MD5

63a460bd79bff227b57bfa91924c81ba
SHA1

1d5e64757fac7d559e4b0c8fe2c0ff098645fd9f
SHA256

d39ca303b21bc877d7cb9d7a762b4751f1df86e8f47d6bc8704c3c2cdae0ecdb
SHA512

c510bf62d8e5723b446697a7ff1aa4be6ee1f1cdf3972837f78b4c444162f22d0d7d1ebb04a33acfe6dab98fc4525202341241b59cfc00855f9545462c3acdb9
SSDEEP

196608:3rBb07eFpM2XilOQdhLITKho6TmdDv+c2EmjB:y7ecOilOl7DSEmjB

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk	d39ca303b21bc877d7cb9d7a762b4751f1df86e8f47d6bc8704c3c2cdae0ecdb.exe

Loads dropped DLL 1 IoCs

pid	Process
2192	d39ca303b21bc877d7cb9d7a762b4751f1df86e8f47d6bc8704c3c2cdae0ecdb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV5\\ExtreamFanV5.exe"	d39ca303b21bc877d7cb9d7a762b4751f1df86e8f47d6bc8704c3c2cdae0ecdb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2560	schtasks.exe
2436	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2192	d39ca303b21bc877d7cb9d7a762b4751f1df86e8f47d6bc8704c3c2cdae0ecdb.exe
2192	d39ca303b21bc877d7cb9d7a762b4751f1df86e8f47d6bc8704c3c2cdae0ecdb.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2560	2192	d39ca303b21bc877d7cb9d7a762b4751f1df86e8f47d6bc8704c3c2cdae0ecdb.exe	28
PID 2192 wrote to memory of 2560	2192	d39ca303b21bc877d7cb9d7a762b4751f1df86e8f47d6bc8704c3c2cdae0ecdb.exe	28
PID 2192 wrote to memory of 2560	2192	d39ca303b21bc877d7cb9d7a762b4751f1df86e8f47d6bc8704c3c2cdae0ecdb.exe	28
PID 2192 wrote to memory of 2560	2192	d39ca303b21bc877d7cb9d7a762b4751f1df86e8f47d6bc8704c3c2cdae0ecdb.exe	28
PID 2192 wrote to memory of 2436	2192	d39ca303b21bc877d7cb9d7a762b4751f1df86e8f47d6bc8704c3c2cdae0ecdb.exe	30
PID 2192 wrote to memory of 2436	2192	d39ca303b21bc877d7cb9d7a762b4751f1df86e8f47d6bc8704c3c2cdae0ecdb.exe	30
PID 2192 wrote to memory of 2436	2192	d39ca303b21bc877d7cb9d7a762b4751f1df86e8f47d6bc8704c3c2cdae0ecdb.exe	30
PID 2192 wrote to memory of 2436	2192	d39ca303b21bc877d7cb9d7a762b4751f1df86e8f47d6bc8704c3c2cdae0ecdb.exe	30

C:\Users\Admin\AppData\Local\Temp\d39ca303b21bc877d7cb9d7a762b4751f1df86e8f47d6bc8704c3c2cdae0ecdb.exe
"C:\Users\Admin\AppData\Local\Temp\d39ca303b21bc877d7cb9d7a762b4751f1df86e8f47d6bc8704c3c2cdae0ecdb.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2560
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WinTrackerSP\WinTrackerSP.exe

Filesize
2.1MB

MD5
24624a0a6f89cb8c46261efb63d0eb8a

SHA1
1470532dcdd1e080a92d6821a8586d6880dab8c1

SHA256
0fc2f9d9b85870f904ad813920a3a763d61bfc338105e862e4ba76c69cacb241

SHA512
12e3e9665866afd1cd86178637ddb78b19671a192facd26547cd59327495eea9cc2af3bc3ac84374f171bae9b8fdd17bbfed23d264177b5d40c125d3f1c3d585

Download Submit
\Users\Admin\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe

Filesize
2.5MB

MD5
b888a09fadab5d3e2fd96ab5ea97f8ed

SHA1
fc351375dcd097a5c38dfbad87212fa2ec4a1832

SHA256
26293edebe97b1daba5fba9504136d995f73ea40b26573ff048b347db83699f4

SHA512
e930647bc57451996f42626c615b8ed2bb5357ba8702e14039a91e9c7ecc25d2049201fcf0d50f5cd1fb696de1f67c039e0fe702443dbc6b3a4a889a2f0000e4

Download Submit
memory/2192-20-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2192-23-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2192-4-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2192-8-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2192-10-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2192-13-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2192-15-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2192-18-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2192-0-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2192-6-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2192-25-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2192-28-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2192-30-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2192-31-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2192-33-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2192-35-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2192-37-0x0000000077790000-0x0000000077791000-memory.dmp

Filesize
4KB

Download
memory/2192-5-0x0000000000380000-0x0000000000FB8000-memory.dmp

Filesize
12.2MB

Download
memory/2192-2-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2192-48-0x0000000000380000-0x0000000000FB8000-memory.dmp

Filesize
12.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads