Analysis
max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 24-10-2022 18:36
Static task: static1
Behavioral task: behavioral1 (sample: file.exe, resource: win7-20220901-en)
Behavioral task: behavioral2 (sample: file.exe, resource: win10v2004-20220812-en)
General
Target: file.exe
Size: 603KB
MD5: cb90f4dd9eb3424268b20a1581668acd
SHA1: 136a226e0f56c7bf53822ab116ea4304b8a636e6
SHA256: 49d6552ae5c5027ce1e68edee2438564b50ddc384276fd97360c92503771d3ac
SHA512: 43ef96a52dfe7018d7fd9315c428fb1b368e92357585f57bd405260d5e5d9f498e423d0a3d5de1ef300983f3f7b42bd7a2f2217ca5d74b88c4533021086c19a4
SSDEEP: 3072:QahKyd2n3165+HAsZsJBh6aH1wQwpSbr:QahOpqhvSn
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: STOREM~2.EXE (pid 1240)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: file.exe
  Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: STOREM~2.EXE (pid 1240), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (4 IoCs)
  Process: file.exe (PID 1700) wrote to memory of STOREM~2.EXE (PID 1240), recorded 4 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\file.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\STOREM~2.EXE (child of 1)
   Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\STOREM~2.EXE
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\STOREM~2.EXE
  Filesize: 343.3MB
  MD5: 0ba3f7a23e80b0421bc417a03d879f39
  SHA1: 5b4e28240a57e7c6a8ce15888df1c495910fe4f4
  SHA256: 7bb69f98d77ca7609c10b9a0ab1ce32be2e26b160413203d5335f65c1bc8ee72
  SHA512: 09c00bb95358bdbfd94d386b417513d50bee4e2f5da61a20f60fc1e4e554abd47a38d347c07a85c10bb97b9698b2e3bbcc331790f24076e51dc79e71339164ed
- memory/1240-54-0x0000000000000000-mapping.dmp
- memory/1240-57-0x0000000001220000-0x0000000001228000-memory.dmp
  Filesize: 32KB
- memory/1240-58-0x0000000076BA1000-0x0000000076BA3000-memory.dmp
  Filesize: 8KB