764b03fa60fb8ac3877aa53bd129846a65149b12f0dc537f5d6a34741522c43d

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04/10/2022, 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

764b03fa60fb8ac3877aa53bd129846a65149b12f0dc537f5d6a34741522c43d.exe
Size

156KB
MD5

075957d919dd59ac12175be408415704
SHA1

c94f130073125bd0f000152a3c99ebc1f9665206
SHA256

764b03fa60fb8ac3877aa53bd129846a65149b12f0dc537f5d6a34741522c43d
SHA512

5ed6a88c8fdc9159286bde86e2bd1c23d2a378f47d8fb12d45e373ad79f617944e98a542a021d1dbbc75284e7860334740606e3254c39d7a114e11a268d8a8df
SSDEEP

3072:hnj9jtfU+INndIc0JL5iNghh2q8n/SIr4y8dRF/lE085Dz8BWPUQmd0t:hjbei2gv2Jn6I10RllEuel

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1552	UNDELE~1.EXE
320	azdjk.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4278c270-a269-22d1-b5bf-BB60f8051515}	azdjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4278c270-a269-22d1-b5bf-BB60f8051515}\StubPath = "C:\\Windows\\;windows folder\\azdjk.exe"	azdjk.exe

Loads dropped DLL 7 IoCs

pid	Process
644	764b03fa60fb8ac3877aa53bd129846a65149b12f0dc537f5d6a34741522c43d.exe
644	764b03fa60fb8ac3877aa53bd129846a65149b12f0dc537f5d6a34741522c43d.exe
1552	UNDELE~1.EXE
1552	UNDELE~1.EXE
1552	UNDELE~1.EXE
320	azdjk.exe
580	iexplore.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ietech = "C:\\Windows\\;windows folder\\azdjk.exe"	azdjk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	764b03fa60fb8ac3877aa53bd129846a65149b12f0dc537f5d6a34741522c43d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	764b03fa60fb8ac3877aa53bd129846a65149b12f0dc537f5d6a34741522c43d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ietech = "C:\\Windows\\;windows folder\\azdjk.exe"	azdjk.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\;windows folder\ietech.dll	azdjk.exe
File created	C:\Windows\;windows folder\azdjk.exe	UNDELE~1.EXE
File opened for modification	C:\Windows\;windows folder\azdjk.exe	UNDELE~1.EXE
File created	C:\Windows\;windows folder\ietech.dll	azdjk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell	UNDELE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell\open	UNDELE~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell\open\command\ = "."	UNDELE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell\open\command	UNDELE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile	UNDELE~1.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
580	iexplore.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1552	UNDELE~1.EXE
Token: SeDebugPrivilege	320	azdjk.exe
Token: SeDebugPrivilege	580	iexplore.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 1552	644	764b03fa60fb8ac3877aa53bd129846a65149b12f0dc537f5d6a34741522c43d.exe	27
PID 644 wrote to memory of 1552	644	764b03fa60fb8ac3877aa53bd129846a65149b12f0dc537f5d6a34741522c43d.exe	27
PID 644 wrote to memory of 1552	644	764b03fa60fb8ac3877aa53bd129846a65149b12f0dc537f5d6a34741522c43d.exe	27
PID 644 wrote to memory of 1552	644	764b03fa60fb8ac3877aa53bd129846a65149b12f0dc537f5d6a34741522c43d.exe	27
PID 644 wrote to memory of 1552	644	764b03fa60fb8ac3877aa53bd129846a65149b12f0dc537f5d6a34741522c43d.exe	27
PID 644 wrote to memory of 1552	644	764b03fa60fb8ac3877aa53bd129846a65149b12f0dc537f5d6a34741522c43d.exe	27
PID 644 wrote to memory of 1552	644	764b03fa60fb8ac3877aa53bd129846a65149b12f0dc537f5d6a34741522c43d.exe	27
PID 1552 wrote to memory of 320	1552	UNDELE~1.EXE	28
PID 1552 wrote to memory of 320	1552	UNDELE~1.EXE	28
PID 1552 wrote to memory of 320	1552	UNDELE~1.EXE	28
PID 1552 wrote to memory of 320	1552	UNDELE~1.EXE	28
PID 1552 wrote to memory of 320	1552	UNDELE~1.EXE	28
PID 1552 wrote to memory of 320	1552	UNDELE~1.EXE	28
PID 1552 wrote to memory of 320	1552	UNDELE~1.EXE	28
PID 320 wrote to memory of 580	320	azdjk.exe	29
PID 320 wrote to memory of 580	320	azdjk.exe	29
PID 320 wrote to memory of 580	320	azdjk.exe	29
PID 320 wrote to memory of 580	320	azdjk.exe	29
PID 320 wrote to memory of 580	320	azdjk.exe	29
PID 320 wrote to memory of 580	320	azdjk.exe	29
PID 320 wrote to memory of 580	320	azdjk.exe	29
PID 320 wrote to memory of 580	320	azdjk.exe	29
PID 1552 wrote to memory of 696	1552	UNDELE~1.EXE	30
PID 1552 wrote to memory of 696	1552	UNDELE~1.EXE	30
PID 1552 wrote to memory of 696	1552	UNDELE~1.EXE	30
PID 1552 wrote to memory of 696	1552	UNDELE~1.EXE	30
PID 1552 wrote to memory of 696	1552	UNDELE~1.EXE	30
PID 1552 wrote to memory of 696	1552	UNDELE~1.EXE	30
PID 1552 wrote to memory of 696	1552	UNDELE~1.EXE	30

C:\Users\Admin\AppData\Local\Temp\764b03fa60fb8ac3877aa53bd129846a65149b12f0dc537f5d6a34741522c43d.exe
"C:\Users\Admin\AppData\Local\Temp\764b03fa60fb8ac3877aa53bd129846a65149b12f0dc537f5d6a34741522c43d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:644
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNDELE~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNDELE~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\;windows folder\azdjk.exe
    "C:\Windows\;windows folder\azdjk.exe"
    3⤵
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:580
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\tmp.bat" "
    3⤵
    PID:696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNDELE~1.EXE

Filesize
224KB

MD5
824651e9ec6d946b5fb5e1d1480ba6a0

SHA1
ed697a24d84e44712b48a040d3a628c5b3c632ee

SHA256
27654f1ef039150c953fff42a73dc173bfcc48d36740f9c4864b5c86cf2cc050

SHA512
205b515839f594ecd142c39c5cdbab90bd944ce85385e31f3ae5e61c9f6d9a7106f939901ea887a9318fa3402f8a52bad405a207b482489f1b3064336197f85e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNDELE~1.EXE

Filesize
224KB

MD5
824651e9ec6d946b5fb5e1d1480ba6a0

SHA1
ed697a24d84e44712b48a040d3a628c5b3c632ee

SHA256
27654f1ef039150c953fff42a73dc173bfcc48d36740f9c4864b5c86cf2cc050

SHA512
205b515839f594ecd142c39c5cdbab90bd944ce85385e31f3ae5e61c9f6d9a7106f939901ea887a9318fa3402f8a52bad405a207b482489f1b3064336197f85e

Download Submit
C:\Windows\;windows folder\azdjk.exe

Filesize
224KB

MD5
824651e9ec6d946b5fb5e1d1480ba6a0

SHA1
ed697a24d84e44712b48a040d3a628c5b3c632ee

SHA256
27654f1ef039150c953fff42a73dc173bfcc48d36740f9c4864b5c86cf2cc050

SHA512
205b515839f594ecd142c39c5cdbab90bd944ce85385e31f3ae5e61c9f6d9a7106f939901ea887a9318fa3402f8a52bad405a207b482489f1b3064336197f85e

Download Submit
C:\Windows\;windows folder\azdjk.exe

Filesize
224KB

MD5
824651e9ec6d946b5fb5e1d1480ba6a0

SHA1
ed697a24d84e44712b48a040d3a628c5b3c632ee

SHA256
27654f1ef039150c953fff42a73dc173bfcc48d36740f9c4864b5c86cf2cc050

SHA512
205b515839f594ecd142c39c5cdbab90bd944ce85385e31f3ae5e61c9f6d9a7106f939901ea887a9318fa3402f8a52bad405a207b482489f1b3064336197f85e

Download Submit
C:\Windows\;windows folder\ietech.dll

Filesize
194KB

MD5
b1a65d332c17484afe10c41738b9e109

SHA1
ac6774f85d4d65060391a49ca104dff5bd472a84

SHA256
1000f1a6f99e85bc8488e6d540ee7a44d954da3c5a89d0d596b4157662439e04

SHA512
c30620ee7b6ed5064cb8ad5cb14d75cbd252c76cb13ecf2f69a8a40630ea8cb43c407ed2be2f6f1eeccf7970ae7b079d7c2c5bb945110f90263252ba87f16bc5

Download Submit
C:\tmp.bat

Filesize
203B

MD5
29e89d43f521660b9b2a14281bab6f35

SHA1
2bb76d2f03a3b5557269473789a2f4ea487d0f4e

SHA256
adc4f48f836c9bb3b8b4553aeddea1fe129e9fb83cc81d5c24681c406f6a32ff

SHA512
9ad7bc5a05b20a5bad5285b1caa8b514f37b25019b5d51d2dcb1438604beeff503abb28e2b9fe787bfe63973db0e9314948606b5e4694b17a5765d1043526ddb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNDELE~1.EXE

Filesize
224KB

MD5
824651e9ec6d946b5fb5e1d1480ba6a0

SHA1
ed697a24d84e44712b48a040d3a628c5b3c632ee

SHA256
27654f1ef039150c953fff42a73dc173bfcc48d36740f9c4864b5c86cf2cc050

SHA512
205b515839f594ecd142c39c5cdbab90bd944ce85385e31f3ae5e61c9f6d9a7106f939901ea887a9318fa3402f8a52bad405a207b482489f1b3064336197f85e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNDELE~1.EXE

Filesize
224KB

MD5
824651e9ec6d946b5fb5e1d1480ba6a0

SHA1
ed697a24d84e44712b48a040d3a628c5b3c632ee

SHA256
27654f1ef039150c953fff42a73dc173bfcc48d36740f9c4864b5c86cf2cc050

SHA512
205b515839f594ecd142c39c5cdbab90bd944ce85385e31f3ae5e61c9f6d9a7106f939901ea887a9318fa3402f8a52bad405a207b482489f1b3064336197f85e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNDELE~1.EXE

Filesize
224KB

MD5
824651e9ec6d946b5fb5e1d1480ba6a0

SHA1
ed697a24d84e44712b48a040d3a628c5b3c632ee

SHA256
27654f1ef039150c953fff42a73dc173bfcc48d36740f9c4864b5c86cf2cc050

SHA512
205b515839f594ecd142c39c5cdbab90bd944ce85385e31f3ae5e61c9f6d9a7106f939901ea887a9318fa3402f8a52bad405a207b482489f1b3064336197f85e

Download Submit
\Windows\;windows folder\azdjk.exe

Filesize
224KB

MD5
824651e9ec6d946b5fb5e1d1480ba6a0

SHA1
ed697a24d84e44712b48a040d3a628c5b3c632ee

SHA256
27654f1ef039150c953fff42a73dc173bfcc48d36740f9c4864b5c86cf2cc050

SHA512
205b515839f594ecd142c39c5cdbab90bd944ce85385e31f3ae5e61c9f6d9a7106f939901ea887a9318fa3402f8a52bad405a207b482489f1b3064336197f85e

Download Submit
\Windows\;windows folder\azdjk.exe

Filesize
224KB

MD5
824651e9ec6d946b5fb5e1d1480ba6a0

SHA1
ed697a24d84e44712b48a040d3a628c5b3c632ee

SHA256
27654f1ef039150c953fff42a73dc173bfcc48d36740f9c4864b5c86cf2cc050

SHA512
205b515839f594ecd142c39c5cdbab90bd944ce85385e31f3ae5e61c9f6d9a7106f939901ea887a9318fa3402f8a52bad405a207b482489f1b3064336197f85e

Download Submit
\Windows\;windows folder\azdjk.exe

Filesize
224KB

MD5
824651e9ec6d946b5fb5e1d1480ba6a0

SHA1
ed697a24d84e44712b48a040d3a628c5b3c632ee

SHA256
27654f1ef039150c953fff42a73dc173bfcc48d36740f9c4864b5c86cf2cc050

SHA512
205b515839f594ecd142c39c5cdbab90bd944ce85385e31f3ae5e61c9f6d9a7106f939901ea887a9318fa3402f8a52bad405a207b482489f1b3064336197f85e

Download Submit
\Windows\;windows folder\ietech.dll

Filesize
194KB

MD5
b1a65d332c17484afe10c41738b9e109

SHA1
ac6774f85d4d65060391a49ca104dff5bd472a84

SHA256
1000f1a6f99e85bc8488e6d540ee7a44d954da3c5a89d0d596b4157662439e04

SHA512
c30620ee7b6ed5064cb8ad5cb14d75cbd252c76cb13ecf2f69a8a40630ea8cb43c407ed2be2f6f1eeccf7970ae7b079d7c2c5bb945110f90263252ba87f16bc5

Download Submit
memory/644-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download