c655f0c24956126ca407b915263187cc9a14433d8b8a5f60d553f26497cc9ed0

Analysis

max time kernel
152s
max time network
49s
platform
windows7_x64
resource
win7-20220414-en
submitted
24/05/2022, 18:15 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c655f0c24956126ca407b915263187cc9a14433d8b8a5f60d553f26497cc9ed0.exe
Size

3.3MB
MD5

8607ba047abf1a8403746257cf1a89a8
SHA1

8618fb75f0ce49be1bd8443670bf5d211cbc36ea
SHA256

c655f0c24956126ca407b915263187cc9a14433d8b8a5f60d553f26497cc9ed0
SHA512

62fb47cfd5e6428cb88c16234bf870485396b08c0be6411aeace6a23de63609348790dafc81154bc11dfbe7870849a30618f01af9c55db6f4259dca3e74d3dc4

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1424	rundll32.com
816	rundll32.com

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	rundll32.com

Loads dropped DLL 2 IoCs

pid	Process
1748	cmd.exe
1424	rundll32.com

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c655f0c24956126ca407b915263187cc9a14433d8b8a5f60d553f26497cc9ed0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c655f0c24956126ca407b915263187cc9a14433d8b8a5f60d553f26497cc9ed0.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1268	PING.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1424	rundll32.com
1424	rundll32.com
1424	rundll32.com
816	rundll32.com
816	rundll32.com
816	rundll32.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1424	rundll32.com
1424	rundll32.com
1424	rundll32.com
816	rundll32.com
816	rundll32.com
816	rundll32.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 1748	968	c655f0c24956126ca407b915263187cc9a14433d8b8a5f60d553f26497cc9ed0.exe	28
PID 968 wrote to memory of 1748	968	c655f0c24956126ca407b915263187cc9a14433d8b8a5f60d553f26497cc9ed0.exe	28
PID 968 wrote to memory of 1748	968	c655f0c24956126ca407b915263187cc9a14433d8b8a5f60d553f26497cc9ed0.exe	28
PID 968 wrote to memory of 1748	968	c655f0c24956126ca407b915263187cc9a14433d8b8a5f60d553f26497cc9ed0.exe	28
PID 1748 wrote to memory of 948	1748	cmd.exe	30
PID 1748 wrote to memory of 948	1748	cmd.exe	30
PID 1748 wrote to memory of 948	1748	cmd.exe	30
PID 1748 wrote to memory of 948	1748	cmd.exe	30
PID 1748 wrote to memory of 1424	1748	cmd.exe	31
PID 1748 wrote to memory of 1424	1748	cmd.exe	31
PID 1748 wrote to memory of 1424	1748	cmd.exe	31
PID 1748 wrote to memory of 1424	1748	cmd.exe	31
PID 1424 wrote to memory of 816	1424	rundll32.com	32
PID 1424 wrote to memory of 816	1424	rundll32.com	32
PID 1424 wrote to memory of 816	1424	rundll32.com	32
PID 1424 wrote to memory of 816	1424	rundll32.com	32
PID 1748 wrote to memory of 1268	1748	cmd.exe	33
PID 1748 wrote to memory of 1268	1748	cmd.exe	33
PID 1748 wrote to memory of 1268	1748	cmd.exe	33
PID 1748 wrote to memory of 1268	1748	cmd.exe	33
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34
PID 816 wrote to memory of 588	816	rundll32.com	34

C:\Users\Admin\AppData\Local\Temp\c655f0c24956126ca407b915263187cc9a14433d8b8a5f60d553f26497cc9ed0.exe
"C:\Users\Admin\AppData\Local\Temp\c655f0c24956126ca407b915263187cc9a14433d8b8a5f60d553f26497cc9ed0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c <nul set /p ="M" > rundll32.com & type eGuH.com >> rundll32.com & del eGuH.com & certutil -decode JphA.com D & rundll32.com D & ping 127.0.0.1 -n 30 & mkdir %appdata%\Sysfiles & echo > %appdata%\Sysfiles\RegAsm.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\certutil.exe
    certutil -decode JphA.com D
    3⤵
    PID:948
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rundll32.com
    rundll32.com D
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1424
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rundll32.com
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rundll32.com D
      4⤵
      Executes dropped EXE
      Drops startup file
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:816
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        5⤵
        
        PID:588
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 30
    3⤵
    - Runs ping.exe
    PID:1268

Network

DNS

XFP.XFP

rundll32.com

Remote address:

8.8.8.8:53

Request

XFP.XFP

IN A

Response

No results found

8.8.8.8:53

XFP.XFP

dns

rundll32.com

53 B
128 B
1
1

DNS Request

XFP.XFP

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\D

Filesize
480KB

MD5
c757fc6104fef9d2f74d0115464c6900

SHA1
c7b786d2be079a2beb37545e064d133cab910cae

SHA256
4948be363f9a251c88e1d77c17cadbe9522fab2d8f1b77231f13a5721f0221dd

SHA512
ec6b6db1f694e999c3e18aa87b61bcc6b5dc8262d49dbc92ab47040c9153f4cdac334735ecc4e6650b3536255b242251fb94924a8ef432f7b594a0b475a119a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JphA.com

Filesize
660KB

MD5
44fd1c2bfea313b27f2131afc9c4a08e

SHA1
d9dac60f68aa3fc362103e549e2fcf33c390e900

SHA256
41ae64c9b096617189341dd42ffe00a1f3ae2910ea26f9f70f1a9e5572c9675b

SHA512
25325b8b7965f140911d9ba8e50fdb2b04d57011726a1d9c8060785ae0531ad3ee853e4cb765f37945683d6d69fc269f991780956050fa15f703dd7f1357b5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eGuH.com

Filesize
872KB

MD5
d86ab2aeeac2553c7857ece4492eda5d

SHA1
0828db56b556f3f0486a9de9d2c728216035e8e6

SHA256
8861365fb619dbb90da0027db93d041681c30deb93071ec588121a8f8ba08436

SHA512
8c0154d80fb47ea5225816e95db0126d02950f0ec7909a68205ee67a0d1c4dbff971933ee5ba0307c24658ce52400e144cde720e514acf3024fbdb2505345cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rundll32.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rundll32.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rundll32.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uILTn.com

Filesize
2.5MB

MD5
94670a620b3dafb6e1df5f72c6dc6523

SHA1
a0973ffa8889a94a82678619fde8ff1d8dc7a308

SHA256
2336086400cf9e8d2d519a98d0d8ebd14bdd648d71e2950743e427b534bc1e78

SHA512
e0c404d9e3822c671eed1389e51ecee6af61305158d0edc3b4b50d866136a28214664b13aacd93272dff6ce3f61e3fa6bb45da1ca4e3427a88fbd1b6bcecc880

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\rundll32.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\rundll32.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/588-107-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-97-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-131-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-129-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-127-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-125-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-71-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-73-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-75-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-77-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-79-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-81-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-83-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-85-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-87-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-89-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-91-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-93-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-95-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-123-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-99-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-101-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-103-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-105-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-121-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-109-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-111-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-113-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-115-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-117-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/588-119-0x0000000000AB0000-0x0000000001AB0000-memory.dmp

Filesize
16.0MB

Download
memory/948-57-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download