Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 22-10-2022 20:20
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20220812-en
General
- Target: file.exe
- Size: 798KB
- MD5: f22767b6260d5c30146637eb8bb602c8
- SHA1: f9172f701a0c3957af1801e25951d6cd154e67ec
- SHA256: 8982e072b2b380555b308d7180ee08b36e524907668b0f6f98f9136bbe93ac13
- SHA512: 749174038409ad519527ae2f29200a1cc9a0ddd6d767e7d15f43053e9e6bb33578bce8739305aaf1e26ef34de1a0afb914bbe19a9a0ea6fc8036a8bee714da9b
- SSDEEP: 3072:lahKyd2n3165U1SXdkLPdf/RVJzKEANr8qkCr:lahO7IsRVJz0rO
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: SETUP_~1.EXE (pid 1284)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: file.exe
  Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce (process: file.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: file.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: SETUP_~1.EXE (pid 1284)
  Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: file.exe (pid 1740)
  PID 1740 (file.exe) wrote to memory of PID 1284 (SETUP_~1.EXE), recorded 7 times (one entry per IoC)
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE (child process)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
  Filesize: 334.1MB
  MD5: e40665abba2787f3721ce00532ee17db
  SHA1: dd9cd11aaa778e5e3b0810c90c659804425f0d0d
  SHA256: f80d7f5e6551b8e5be0f6c857a879fbc72c9c6290bfb28bd8127e3c8c947a44d
  SHA512: 060d18ed8cf474f7a2c2f53647a6c36517ac620a1e80c3d19e62260cbb78a7cae1e27e6a93feb15109d115c5bba334386ff90703fa176a491f016070e6e7801c
- memory/1284-54-0x0000000000000000-mapping.dmp
- memory/1284-57-0x00000000002C0000-0x0000000000310000-memory.dmp
  Filesize: 320KB
- memory/1284-58-0x0000000075931000-0x0000000075933000-memory.dmp
  Filesize: 8KB