47048f96c5d73e3b52b6cd80ed26e881ca615cc6d6d6ee1ab6994571e808b4cb

Analysis

max time kernel
152s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
01-07-2022 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47048f96c5d73e3b52b6cd80ed26e881ca615cc6d6d6ee1ab6994571e808b4cb.exe
Size

799KB
MD5

b365940d50152d199c01212ec79af7e2
SHA1

c4a69ce2c97e09501e89a41e539f075ab1795e6c
SHA256

47048f96c5d73e3b52b6cd80ed26e881ca615cc6d6d6ee1ab6994571e808b4cb
SHA512

1978b4758d4b0aca1429efb58ef411d5ee7bd95e9e14bcd6765398764d689e73587dc4d64374e46756a5ac6f3b962ef4be74db3be78e3edcf9e004dfb4f9e43a

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

PP_OUT~1.EXE

pid process

2112 PP_OUT~1.EXE

pid	process
2112	PP_OUT~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

47048f96c5d73e3b52b6cd80ed26e881ca615cc6d6d6ee1ab6994571e808b4cb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	47048f96c5d73e3b52b6cd80ed26e881ca615cc6d6d6ee1ab6994571e808b4cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	47048f96c5d73e3b52b6cd80ed26e881ca615cc6d6d6ee1ab6994571e808b4cb.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PP_OUT~1.EXE

pid process

2112 PP_OUT~1.EXE

pid	process
2112	PP_OUT~1.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

47048f96c5d73e3b52b6cd80ed26e881ca615cc6d6d6ee1ab6994571e808b4cb.exe

description	pid	process	target process
PID 4400 wrote to memory of 2112	4400	47048f96c5d73e3b52b6cd80ed26e881ca615cc6d6d6ee1ab6994571e808b4cb.exe	PP_OUT~1.EXE
PID 4400 wrote to memory of 2112	4400	47048f96c5d73e3b52b6cd80ed26e881ca615cc6d6d6ee1ab6994571e808b4cb.exe	PP_OUT~1.EXE
PID 4400 wrote to memory of 2112	4400	47048f96c5d73e3b52b6cd80ed26e881ca615cc6d6d6ee1ab6994571e808b4cb.exe	PP_OUT~1.EXE

C:\Users\Admin\AppData\Local\Temp\47048f96c5d73e3b52b6cd80ed26e881ca615cc6d6d6ee1ab6994571e808b4cb.exe
"C:\Users\Admin\AppData\Local\Temp\47048f96c5d73e3b52b6cd80ed26e881ca615cc6d6d6ee1ab6994571e808b4cb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4400

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PP_OUT~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PP_OUT~1.EXE
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PP_OUT~1.EXE

Filesize
200.5MB

MD5
4c1c41c44069ab51c0d47263e1ceb81f

SHA1
f17d2ae0288e499dfcb1cb8e870c922166b797f5

SHA256
00369ab13b6d29e074383964b700653a68f57512edd2c4d704149c7f16bdb7a2

SHA512
d74f3c61707d0be8ac36ca815d73809f796a4790c629538ebaebd2969025acb28487b5baed8fbcf93c3ffb2ef5dd546e0168b79f56c38036767e46badb0b9714

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PP_OUT~1.EXE

Filesize
200.5MB

MD5
4c1c41c44069ab51c0d47263e1ceb81f

SHA1
f17d2ae0288e499dfcb1cb8e870c922166b797f5

SHA256
00369ab13b6d29e074383964b700653a68f57512edd2c4d704149c7f16bdb7a2

SHA512
d74f3c61707d0be8ac36ca815d73809f796a4790c629538ebaebd2969025acb28487b5baed8fbcf93c3ffb2ef5dd546e0168b79f56c38036767e46badb0b9714

Download Submit
memory/2112-130-0x0000000000000000-mapping.dmp

Download