64ab4ef26c1ba7198236df31bef06dbab47ca17f0abd81823a39d244327ba1ab

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20-10-2022 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

368KB
MD5

d896bb5d82c5b8f7f32cf4bbbd8d58d3
SHA1

edd21146086ebd68b4974d75eefe46b81eb91db3
SHA256

64ab4ef26c1ba7198236df31bef06dbab47ca17f0abd81823a39d244327ba1ab
SHA512

8ddea7f4293ee802c5efee47c5a9168be2c90e21a175546e514c80e769219a5e6e7cc0416468d56c45340986d84b97c264671774e20aec857a4fdc862e66fab8
SSDEEP

1536:rrae78zjORCDGwfdCSog01313gs5gcXqr:BahKyd2n31Z5pqr

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

SETUP_~1.EXE

pid process

2032 SETUP_~1.EXE

pid	process
2032	SETUP_~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	file.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SETUP_~1.EXE

description pid process

Token: SeDebugPrivilege 2032 SETUP_~1.EXE

description	pid	process
Token: SeDebugPrivilege	2032	SETUP_~1.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

file.exe

description	pid	process	target process
PID 1408 wrote to memory of 2032	1408	file.exe	SETUP_~1.EXE
PID 1408 wrote to memory of 2032	1408	file.exe	SETUP_~1.EXE
PID 1408 wrote to memory of 2032	1408	file.exe	SETUP_~1.EXE
PID 1408 wrote to memory of 2032	1408	file.exe	SETUP_~1.EXE
PID 1408 wrote to memory of 2032	1408	file.exe	SETUP_~1.EXE
PID 1408 wrote to memory of 2032	1408	file.exe	SETUP_~1.EXE
PID 1408 wrote to memory of 2032	1408	file.exe	SETUP_~1.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
Filesize
214.6MB

MD5
baf3b26e5290c2b658e0993ac4bacaf5

SHA1
296f6dc637defc0ee638793aac6ed9a09b8f0515

SHA256
9214a72501ec76cbc19ee9cace68f48afb864164652be3124a7ab05b9a37d655

SHA512
4d7f8623a2af090134d1d3815d53a2980d83f84312458191234a462fdfd69f73fbdf83d8887518a6b6b804b9fb52cff3701a2b99cee9bf9c1bb15e565137d58f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
Filesize
214.6MB

MD5
baf3b26e5290c2b658e0993ac4bacaf5

SHA1
296f6dc637defc0ee638793aac6ed9a09b8f0515

SHA256
9214a72501ec76cbc19ee9cace68f48afb864164652be3124a7ab05b9a37d655

SHA512
4d7f8623a2af090134d1d3815d53a2980d83f84312458191234a462fdfd69f73fbdf83d8887518a6b6b804b9fb52cff3701a2b99cee9bf9c1bb15e565137d58f

Download Submit
memory/2032-54-0x0000000000000000-mapping.dmp

Download
memory/2032-57-0x00000000011F0000-0x00000000011F8000-memory.dmp

Filesize
32KB

Download
memory/2032-58-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download