5b9fe39fc48e47879d1751aa6d2f12ea37b9e591cb3c1424f562f27b83d2b888

General

Target

cc5594254fc483f79f9195b7f4443258.exe
Size

689KB
MD5

cc5594254fc483f79f9195b7f4443258
SHA1

eec7127c2c71bed16d6ad4ff0ab679789de4116f
SHA256

5b9fe39fc48e47879d1751aa6d2f12ea37b9e591cb3c1424f562f27b83d2b888
SHA512

c6c11d3c92f3bb0c9be2eddb170355c6ae43dc092afd72c287b66d5d07fb48fb51991e936320a51f017c32656551e573f5d0091735eb24ca2a7fadc210662d3c
SSDEEP

12288:KT/oZiyeiH+N9IX3P9YrZ+feNCR4wxwi1KmjDwUrIrOF3Z4mxxH9smEqU9Gsv5Y5:KT+iyJQyvmZ+bR4wxwivxc6QmXdsmECZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3040	5.exe
2640	Themes.cn.exe

Loads dropped DLL 2 IoCs

pid	Process
1936	cc5594254fc483f79f9195b7f4443258.exe
1936	cc5594254fc483f79f9195b7f4443258.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cc5594254fc483f79f9195b7f4443258.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Themes.cn.exe	5.exe
File created	C:\Windows\uninstal.bat	5.exe
File created	C:\Windows\Themes.cn.exe	5.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	5.exe
Token: SeDebugPrivilege	2640	Themes.cn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2640	Themes.cn.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 3040	1936	cc5594254fc483f79f9195b7f4443258.exe	28
PID 1936 wrote to memory of 3040	1936	cc5594254fc483f79f9195b7f4443258.exe	28
PID 1936 wrote to memory of 3040	1936	cc5594254fc483f79f9195b7f4443258.exe	28
PID 1936 wrote to memory of 3040	1936	cc5594254fc483f79f9195b7f4443258.exe	28
PID 2640 wrote to memory of 2544	2640	Themes.cn.exe	30
PID 2640 wrote to memory of 2544	2640	Themes.cn.exe	30
PID 2640 wrote to memory of 2544	2640	Themes.cn.exe	30
PID 2640 wrote to memory of 2544	2640	Themes.cn.exe	30
PID 3040 wrote to memory of 2596	3040	5.exe	31
PID 3040 wrote to memory of 2596	3040	5.exe	31
PID 3040 wrote to memory of 2596	3040	5.exe	31
PID 3040 wrote to memory of 2596	3040	5.exe	31
PID 3040 wrote to memory of 2596	3040	5.exe	31
PID 3040 wrote to memory of 2596	3040	5.exe	31
PID 3040 wrote to memory of 2596	3040	5.exe	31

C:\Users\Admin\AppData\Local\Temp\cc5594254fc483f79f9195b7f4443258.exe
"C:\Users\Admin\AppData\Local\Temp\cc5594254fc483f79f9195b7f4443258.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    PID:2596

C:\Windows\Themes.cn.exe
C:\Windows\Themes.cn.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\uninstal.bat

Filesize
150B

MD5
72f9d376b476a7a6936991161cfeb888

SHA1
ea53941d2d65213eed7aac7f29f897ecdb34344f

SHA256
061cf610c4430e21066e13c91c49e6885cdcb24501095f1f8839e82d3a1d6a02

SHA512
543f9178e376d60544d75981c259bbb4ab603411febb991507c25ddb904bf6e934d05173de5632823d53aaee13ee6f8a623179b26d8a6d134104d47e9dbaeaf5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe

Filesize
798KB

MD5
c06c5f1d869ea1baea21df0dc487b145

SHA1
6cc9d1cd66b6b08ee2e235a791c2e7affb182798

SHA256
c03bf511703779c7c7248cbe3a4968b0a6d1d223f9b5a1f59f2cfb50c980cae5

SHA512
a96fcee292480f6a1816204a31707e12c0a9240344b1d424b1884ed74c074ea3417768116ef14298f937486a708ed72bcf100c7c08ca6c5fd88fb33a2503d874

Download Submit
memory/1936-6-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1936-2-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1936-4-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/1936-5-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/1936-8-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/1936-10-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/1936-9-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/1936-7-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/1936-0-0x0000000001000000-0x0000000001111000-memory.dmp

Filesize
1.1MB

Download
memory/1936-3-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/1936-36-0x0000000000360000-0x00000000003B4000-memory.dmp

Filesize
336KB

Download
memory/1936-35-0x0000000001000000-0x0000000001111000-memory.dmp

Filesize
1.1MB

Download
memory/1936-1-0x0000000000360000-0x00000000003B4000-memory.dmp

Filesize
336KB

Download
memory/2640-26-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2640-38-0x0000000000400000-0x00000000004D1200-memory.dmp

Filesize
836KB

Download
memory/2640-40-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3040-34-0x0000000000400000-0x00000000004D1200-memory.dmp

Filesize
836KB

Download
memory/3040-20-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads