Analysis
Max time kernel: 43s
Max time network: 49s
Platform: windows7_x64
Resource: win7-20220901-en
Resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
Submitted: 19-09-2022 15:32
Static task: static1
Behavioral task: behavioral1
  Sample: 38ecfa985c7c4ac63af2f9449f557bc09b990dda7e596aebdbcd6fb6d7d57ad1.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 38ecfa985c7c4ac63af2f9449f557bc09b990dda7e596aebdbcd6fb6d7d57ad1.exe
  Resource: win10v2004-20220812-en
General
Target: 38ecfa985c7c4ac63af2f9449f557bc09b990dda7e596aebdbcd6fb6d7d57ad1.exe
Size: 7.4MB
MD5: f9979595efc23fea996af22697f45b9b
SHA1: bd00911878eb1fa2e21627b140bd108085b1250b
SHA256: 38ecfa985c7c4ac63af2f9449f557bc09b990dda7e596aebdbcd6fb6d7d57ad1
SHA512: ccec79b2159cd6a765c52e4be0bfe0016012338c6c0f6380cfe931ed312dd915cdb32cff9c0724760ed67144a886df33f8815829e3f6bb60ba32b47a7c6b9ec6
SSDEEP: 196608:BW+fWD0RWkarZa3VUpIv22HvXgWpWw1XoUh9jiAxK:BW+xorx2PrWfaxK
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
  PID   Process
  1528  ppi.exe
  992   ppi.exe
  1376  VPNCLI~1.EXE

Loads dropped DLL (5 IoCs)
  PID   Process
  1352  38ecfa985c7c4ac63af2f9449f557bc09b990dda7e596aebdbcd6fb6d7d57ad1.exe
  1352  38ecfa985c7c4ac63af2f9449f557bc09b990dda7e596aebdbcd6fb6d7d57ad1.exe
  1528  ppi.exe
  1352  38ecfa985c7c4ac63af2f9449f557bc09b990dda7e596aebdbcd6fb6d7d57ad1.exe
  1352  38ecfa985c7c4ac63af2f9449f557bc09b990dda7e596aebdbcd6fb6d7d57ad1.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Description       IoC                                                                                         Process
  Key created       \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce             38ecfa985c7c4ac63af2f9449f557bc09b990dda7e596aebdbcd6fb6d7d57ad1.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   38ecfa985c7c4ac63af2f9449f557bc09b990dda7e596aebdbcd6fb6d7d57ad1.exe

Suspicious use of SetThreadContext (1 IoC)
  Description                              PID   Process   procid_target
  PID 1528 set thread context of 992       1528  ppi.exe   27

Suspicious use of SetWindowsHookEx (1 IoC)
  PID   Process
  992   ppi.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  Description                              PID   Process                                                                  procid_target
  PID 1352 wrote to memory of 1528         1352  38ecfa985c7c4ac63af2f9449f557bc09b990dda7e596aebdbcd6fb6d7d57ad1.exe    26
  PID 1352 wrote to memory of 1528         1352  38ecfa985c7c4ac63af2f9449f557bc09b990dda7e596aebdbcd6fb6d7d57ad1.exe    26
  PID 1352 wrote to memory of 1528         1352  38ecfa985c7c4ac63af2f9449f557bc09b990dda7e596aebdbcd6fb6d7d57ad1.exe    26
  PID 1352 wrote to memory of 1528         1352  38ecfa985c7c4ac63af2f9449f557bc09b990dda7e596aebdbcd6fb6d7d57ad1.exe    26
  PID 1528 wrote to memory of 992          1528  ppi.exe                                                                  27
  PID 1528 wrote to memory of 992          1528  ppi.exe                                                                  27
  PID 1528 wrote to memory of 992          1528  ppi.exe                                                                  27
  PID 1528 wrote to memory of 992          1528  ppi.exe                                                                  27
  PID 1528 wrote to memory of 992          1528  ppi.exe                                                                  27
  PID 1528 wrote to memory of 992          1528  ppi.exe                                                                  27
  PID 1528 wrote to memory of 992          1528  ppi.exe                                                                  27
  PID 1528 wrote to memory of 992          1528  ppi.exe                                                                  27
  PID 1528 wrote to memory of 992          1528  ppi.exe                                                                  27
  PID 1352 wrote to memory of 1376         1352  38ecfa985c7c4ac63af2f9449f557bc09b990dda7e596aebdbcd6fb6d7d57ad1.exe    28
  PID 1352 wrote to memory of 1376         1352  38ecfa985c7c4ac63af2f9449f557bc09b990dda7e596aebdbcd6fb6d7d57ad1.exe    28
  PID 1352 wrote to memory of 1376         1352  38ecfa985c7c4ac63af2f9449f557bc09b990dda7e596aebdbcd6fb6d7d57ad1.exe    28
  PID 1352 wrote to memory of 1376         1352  38ecfa985c7c4ac63af2f9449f557bc09b990dda7e596aebdbcd6fb6d7d57ad1.exe    28
  PID 1352 wrote to memory of 1376         1352  38ecfa985c7c4ac63af2f9449f557bc09b990dda7e596aebdbcd6fb6d7d57ad1.exe    28
  PID 1352 wrote to memory of 1376         1352  38ecfa985c7c4ac63af2f9449f557bc09b990dda7e596aebdbcd6fb6d7d57ad1.exe    28
  PID 1352 wrote to memory of 1376         1352  38ecfa985c7c4ac63af2f9449f557bc09b990dda7e596aebdbcd6fb6d7d57ad1.exe    28
Processes

- C:\Users\Admin\AppData\Local\Temp\38ecfa985c7c4ac63af2f9449f557bc09b990dda7e596aebdbcd6fb6d7d57ad1.exe (PID 1352, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\38ecfa985c7c4ac63af2f9449f557bc09b990dda7e596aebdbcd6fb6d7d57ad1.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe (PID 1528, level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe (PID 992, level 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VPNCLI~1.EXE (PID 1376, level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VPNCLI~1.EXE
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 7.6MB
  MD5: a8407593072cfabb83410f2f06fa8b61
  SHA1: 9dcb2e9de75204a4361036cdd194d2775b0b4b26
  SHA256: 28d3802609272de8198ae746acf19f0d26751895f591f35d78340d2352ad2c4e
  SHA512: df80853007650ee382744e984a780c0067c42a9d4253b93c3e0864a1d28d875c585f337d3c47ec24ebc2d5666d02dd93515bb3388709e201e2ac82e6e8e3893d
- Filesize: 152KB
  MD5: cb9c7d959ef41b3fc2f9cffd08ec5aa1
  SHA1: d43d9c54eadb0fc183546ff4a1fea4e789c9d061
  SHA256: f714f37b3834952f7dfe10e98d3b48b4339c3458b6e0b3de60da5ea890d9122f
  SHA512: 1aaf925d7fd9d922cfcc0ca914498609376182c24f76355f9178fc20552cd25cd0c4ca9e13da4b979910483802a9e9de377268d642894ca2b9638b47d8f9762c