Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 20-10-2022 17:40
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20220901-en
General
- Target: file.exe
- Size: 368KB
- MD5: d896bb5d82c5b8f7f32cf4bbbd8d58d3
- SHA1: edd21146086ebd68b4974d75eefe46b81eb91db3
- SHA256: 64ab4ef26c1ba7198236df31bef06dbab47ca17f0abd81823a39d244327ba1ab
- SHA512: 8ddea7f4293ee802c5efee47c5a9168be2c90e21a175546e514c80e769219a5e6e7cc0416468d56c45340986d84b97c264671774e20aec857a4fdc862e66fab8
- SSDEEP: 1536:rrae78zjORCDGwfdCSog01313gs5gcXqr:BahKyd2n31Z5pqr
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid 2032, process SETUP_~1.EXE
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  file.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  file.exe: Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  pid 2032, process SETUP_~1.EXE: Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  PID 1408 (file.exe) wrote to memory of 2032 (target process SETUP_~1.EXE); the same event is recorded 7 times
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  Depth: 1
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 1408
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
    Depth: 2 (child of PID 1408)
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2032
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
  Filesize: 214.6MB
  MD5: baf3b26e5290c2b658e0993ac4bacaf5
  SHA1: 296f6dc637defc0ee638793aac6ed9a09b8f0515
  SHA256: 9214a72501ec76cbc19ee9cace68f48afb864164652be3124a7ab05b9a37d655
  SHA512: 4d7f8623a2af090134d1d3815d53a2980d83f84312458191234a462fdfd69f73fbdf83d8887518a6b6b804b9fb52cff3701a2b99cee9bf9c1bb15e565137d58f
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
  Filesize: 214.6MB
  MD5: baf3b26e5290c2b658e0993ac4bacaf5
  SHA1: 296f6dc637defc0ee638793aac6ed9a09b8f0515
  SHA256: 9214a72501ec76cbc19ee9cace68f48afb864164652be3124a7ab05b9a37d655
  SHA512: 4d7f8623a2af090134d1d3815d53a2980d83f84312458191234a462fdfd69f73fbdf83d8887518a6b6b804b9fb52cff3701a2b99cee9bf9c1bb15e565137d58f
- memory/2032-54-0x0000000000000000-mapping.dmp
- memory/2032-57-0x00000000011F0000-0x00000000011F8000-memory.dmp
  Filesize: 32KB
- memory/2032-58-0x0000000074B51000-0x0000000074B53000-memory.dmp
  Filesize: 8KB