8982e072b2b380555b308d7180ee08b36e524907668b0f6f98f9136bbe93ac13

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
22-10-2022 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

798KB
MD5

f22767b6260d5c30146637eb8bb602c8
SHA1

f9172f701a0c3957af1801e25951d6cd154e67ec
SHA256

8982e072b2b380555b308d7180ee08b36e524907668b0f6f98f9136bbe93ac13
SHA512

749174038409ad519527ae2f29200a1cc9a0ddd6d767e7d15f43053e9e6bb33578bce8739305aaf1e26ef34de1a0afb914bbe19a9a0ea6fc8036a8bee714da9b
SSDEEP

3072:lahKyd2n3165U1SXdkLPdf/RVJzKEANr8qkCr:lahO7IsRVJz0rO

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

SETUP_~1.EXE

pid process

1284 SETUP_~1.EXE

pid	process
1284	SETUP_~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SETUP_~1.EXE

description pid process

Token: SeDebugPrivilege 1284 SETUP_~1.EXE

description	pid	process
Token: SeDebugPrivilege	1284	SETUP_~1.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

file.exe

description	pid	process	target process
PID 1740 wrote to memory of 1284	1740	file.exe	SETUP_~1.EXE
PID 1740 wrote to memory of 1284	1740	file.exe	SETUP_~1.EXE
PID 1740 wrote to memory of 1284	1740	file.exe	SETUP_~1.EXE
PID 1740 wrote to memory of 1284	1740	file.exe	SETUP_~1.EXE
PID 1740 wrote to memory of 1284	1740	file.exe	SETUP_~1.EXE
PID 1740 wrote to memory of 1284	1740	file.exe	SETUP_~1.EXE
PID 1740 wrote to memory of 1284	1740	file.exe	SETUP_~1.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
Filesize
334.1MB

MD5
e40665abba2787f3721ce00532ee17db

SHA1
dd9cd11aaa778e5e3b0810c90c659804425f0d0d

SHA256
f80d7f5e6551b8e5be0f6c857a879fbc72c9c6290bfb28bd8127e3c8c947a44d

SHA512
060d18ed8cf474f7a2c2f53647a6c36517ac620a1e80c3d19e62260cbb78a7cae1e27e6a93feb15109d115c5bba334386ff90703fa176a491f016070e6e7801c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
Filesize
334.1MB

MD5
e40665abba2787f3721ce00532ee17db

SHA1
dd9cd11aaa778e5e3b0810c90c659804425f0d0d

SHA256
f80d7f5e6551b8e5be0f6c857a879fbc72c9c6290bfb28bd8127e3c8c947a44d

SHA512
060d18ed8cf474f7a2c2f53647a6c36517ac620a1e80c3d19e62260cbb78a7cae1e27e6a93feb15109d115c5bba334386ff90703fa176a491f016070e6e7801c

Download Submit
memory/1284-54-0x0000000000000000-mapping.dmp

Download
memory/1284-57-0x00000000002C0000-0x0000000000310000-memory.dmp

Filesize
320KB

Download
memory/1284-58-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download