e00e158ba45b49cdfdca374f0f8f64a1df6c3b05f2034ac71ed0f3a1144f2ee2

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
17-10-2022 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b30d09ee47eafb236742ad7831adedb8.exe
Size

374KB
MD5

b30d09ee47eafb236742ad7831adedb8
SHA1

88339c398d0cc01f720f55499dd622ab6b29a561
SHA256

e00e158ba45b49cdfdca374f0f8f64a1df6c3b05f2034ac71ed0f3a1144f2ee2
SHA512

c4c0613e991242ab87cd0d312da42b67b1ef20ebbcebe08fd79aee5ac72b617a3fcb8a97c6cb7254205e6715642039ed557c99bb7637dac2104454b5a5b7f412
SSDEEP

1536:HI47GyTGCwiSnmQUt0LB1c5s5gvubJueyupHgz:HvGyYiSDnt1cW54u9lx1W

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

SETUP_~1.EXE

pid process

1324 SETUP_~1.EXE

pid	process
1324	SETUP_~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b30d09ee47eafb236742ad7831adedb8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	b30d09ee47eafb236742ad7831adedb8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b30d09ee47eafb236742ad7831adedb8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SETUP_~1.EXE

description pid process

Token: SeDebugPrivilege 1324 SETUP_~1.EXE

description	pid	process
Token: SeDebugPrivilege	1324	SETUP_~1.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

b30d09ee47eafb236742ad7831adedb8.exe

description	pid	process	target process
PID 1644 wrote to memory of 1324	1644	b30d09ee47eafb236742ad7831adedb8.exe	SETUP_~1.EXE
PID 1644 wrote to memory of 1324	1644	b30d09ee47eafb236742ad7831adedb8.exe	SETUP_~1.EXE
PID 1644 wrote to memory of 1324	1644	b30d09ee47eafb236742ad7831adedb8.exe	SETUP_~1.EXE
PID 1644 wrote to memory of 1324	1644	b30d09ee47eafb236742ad7831adedb8.exe	SETUP_~1.EXE
PID 1644 wrote to memory of 1324	1644	b30d09ee47eafb236742ad7831adedb8.exe	SETUP_~1.EXE
PID 1644 wrote to memory of 1324	1644	b30d09ee47eafb236742ad7831adedb8.exe	SETUP_~1.EXE
PID 1644 wrote to memory of 1324	1644	b30d09ee47eafb236742ad7831adedb8.exe	SETUP_~1.EXE

C:\Users\Admin\AppData\Local\Temp\b30d09ee47eafb236742ad7831adedb8.exe
"C:\Users\Admin\AppData\Local\Temp\b30d09ee47eafb236742ad7831adedb8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
Filesize
214.6MB

MD5
d620f827d3dda5c71e569b06aaec7768

SHA1
386a70eaec19e8bf23bbd6d73c0abb6535cf57c6

SHA256
31a172f868fff8093463d08364ac1b4135416d6e2eb6c24fc9cf4677416ba411

SHA512
34f81f0e8e6a3f32b98b1b61fcfaa889c41dabcfda0a1c1d81583d9feea7d74e69f75cc8bbf9f2b23e892f9d49785ae34e7777b7734f01ca5974b1739489ddf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
Filesize
214.6MB

MD5
d620f827d3dda5c71e569b06aaec7768

SHA1
386a70eaec19e8bf23bbd6d73c0abb6535cf57c6

SHA256
31a172f868fff8093463d08364ac1b4135416d6e2eb6c24fc9cf4677416ba411

SHA512
34f81f0e8e6a3f32b98b1b61fcfaa889c41dabcfda0a1c1d81583d9feea7d74e69f75cc8bbf9f2b23e892f9d49785ae34e7777b7734f01ca5974b1739489ddf3

Download Submit
memory/1324-54-0x0000000000000000-mapping.dmp

Download
memory/1324-57-0x0000000000FF0000-0x0000000000FF8000-memory.dmp

Filesize
32KB

Download
memory/1324-58-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download