f16d44151db20fb23e0f282931fa937f485e7f0725716238c631a583169c7ff8

General

Target

c83006e7ae807153f6fc0f13f4550a3a.exe
Size

761KB
MD5

c83006e7ae807153f6fc0f13f4550a3a
SHA1

66e36a66084c4727b58503fe92a1512bc04c33c8
SHA256

f16d44151db20fb23e0f282931fa937f485e7f0725716238c631a583169c7ff8
SHA512

9fa5df46a1f4b71948d8e25a35fdfc41f6850e93c5b7ac03024bdd426cb138cfc325bca1048644c4ea50a7b184b2fb839aa2f49cabaaee2618e2e4b012818aea
SSDEEP

12288:18IdtzeU0qKiWKQ0zu8zdpDOPReZs8W8R66WZF3Z4mxxbARuxuYT6Vxxa1/:18Idtz77KiWB0KU5OpeK8K6WZQmXbpFT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1496	WINDOW~1.EXE
2884	winxp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c83006e7ae807153f6fc0f13f4550a3a.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\winxp	WINDOW~1.EXE
File opened for modification	C:\Windows\winxp	WINDOW~1.EXE
File created	C:\Windows\Delete.bat	WINDOW~1.EXE

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	winxp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	winxp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	winxp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	winxp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	winxp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2884	winxp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 1496	636	c83006e7ae807153f6fc0f13f4550a3a.exe	91
PID 636 wrote to memory of 1496	636	c83006e7ae807153f6fc0f13f4550a3a.exe	91
PID 636 wrote to memory of 1496	636	c83006e7ae807153f6fc0f13f4550a3a.exe	91
PID 1496 wrote to memory of 4612	1496	WINDOW~1.EXE	94
PID 1496 wrote to memory of 4612	1496	WINDOW~1.EXE	94
PID 1496 wrote to memory of 4612	1496	WINDOW~1.EXE	94

C:\Users\Admin\AppData\Local\Temp\c83006e7ae807153f6fc0f13f4550a3a.exe
"C:\Users\Admin\AppData\Local\Temp\c83006e7ae807153f6fc0f13f4550a3a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:636
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Delete.bat
    3⤵
    PID:4612

C:\Windows\winxp
C:\Windows\winxp
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE

Filesize
398KB

MD5
f557305e284e3f0008b5556ed0aea4f4

SHA1
304af015334bc75d17fd5b81d8788cff929ead6c

SHA256
6629b16df99db497d6dc5f08e382e53fecebd6a022ae7e4ba2b0745d7f211f18

SHA512
bcb87fe4fdc5f8dc27a5999087b6139ac09a5e355b573372832521d2b8960d20c372d77c67774452625eb473f3650275bea2523795b8dec2d1a027c200d549cb

Download Submit
C:\Windows\Delete.bat

Filesize
160B

MD5
a36877fec4fde35c6b0927285e6d751b

SHA1
1122da3f21167b4bcaf3866408e06e35d85cca07

SHA256
a925132d0062d8b3bd95071e438a82ce0dcb70950cfa56f17a873f99cf6c4618

SHA512
2d734ef1843597ecfc2992d1ad822c2374476ee310eee68e73f27f80abe393014a57acc112ad9479f471e4f5919b176b541261d4a46b61931b1308ba51b69758

Download Submit
memory/636-12-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/636-25-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/636-5-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/636-4-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/636-7-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/636-26-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/636-8-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/636-0-0x0000000001000000-0x0000000001136000-memory.dmp

Filesize
1.2MB

Download
memory/636-9-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/636-13-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/636-14-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/636-15-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/636-16-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/636-17-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/636-19-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/636-20-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/636-2-0x00000000005A0000-0x00000000005F4000-memory.dmp

Filesize
336KB

Download
memory/636-22-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/636-3-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/636-24-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/636-6-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/636-27-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/636-28-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/636-29-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/636-30-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/636-31-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/636-34-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/636-1-0x0000000001000000-0x0000000001136000-memory.dmp

Filesize
1.2MB

Download
memory/636-45-0x00000000005A0000-0x00000000005F4000-memory.dmp

Filesize
336KB

Download
memory/636-44-0x0000000001000000-0x0000000001136000-memory.dmp

Filesize
1.2MB

Download
memory/1496-43-0x0000000000400000-0x00000000004AE09F-memory.dmp

Filesize
696KB

Download
memory/1496-36-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/1496-35-0x0000000000400000-0x00000000004AE09F-memory.dmp

Filesize
696KB

Download
memory/2884-42-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/2884-39-0x0000000000400000-0x00000000004AE09F-memory.dmp

Filesize
696KB

Download
memory/2884-47-0x0000000000400000-0x00000000004AE09F-memory.dmp

Filesize
696KB

Download
memory/2884-49-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads