49d6552ae5c5027ce1e68edee2438564b50ddc384276fd97360c92503771d3ac

Resubmissions

11-11-2022 08:21

221111-j9gyvacehr 8

24-10-2022 18:36

221024-w8zhqaaag6 10

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
24-10-2022 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

603KB
MD5

cb90f4dd9eb3424268b20a1581668acd
SHA1

136a226e0f56c7bf53822ab116ea4304b8a636e6
SHA256

49d6552ae5c5027ce1e68edee2438564b50ddc384276fd97360c92503771d3ac
SHA512

43ef96a52dfe7018d7fd9315c428fb1b368e92357585f57bd405260d5e5d9f498e423d0a3d5de1ef300983f3f7b42bd7a2f2217ca5d74b88c4533021086c19a4
SSDEEP

3072:QahKyd2n3165+HAsZsJBh6aH1wQwpSbr:QahOpqhvSn

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

STOREM~2.EXE

pid process

1240 STOREM~2.EXE

pid	process
1240	STOREM~2.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

STOREM~2.EXE

description pid process

Token: SeDebugPrivilege 1240 STOREM~2.EXE

description	pid	process
Token: SeDebugPrivilege	1240	STOREM~2.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

file.exe

description	pid	process	target process
PID 1700 wrote to memory of 1240	1700	file.exe	STOREM~2.EXE
PID 1700 wrote to memory of 1240	1700	file.exe	STOREM~2.EXE
PID 1700 wrote to memory of 1240	1700	file.exe	STOREM~2.EXE
PID 1700 wrote to memory of 1240	1700	file.exe	STOREM~2.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\STOREM~2.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\STOREM~2.EXE
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1240

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\STOREM~2.EXE
Filesize
343.3MB

MD5
0ba3f7a23e80b0421bc417a03d879f39

SHA1
5b4e28240a57e7c6a8ce15888df1c495910fe4f4

SHA256
7bb69f98d77ca7609c10b9a0ab1ce32be2e26b160413203d5335f65c1bc8ee72

SHA512
09c00bb95358bdbfd94d386b417513d50bee4e2f5da61a20f60fc1e4e554abd47a38d347c07a85c10bb97b9698b2e3bbcc331790f24076e51dc79e71339164ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\STOREM~2.EXE
Filesize
343.3MB

MD5
0ba3f7a23e80b0421bc417a03d879f39

SHA1
5b4e28240a57e7c6a8ce15888df1c495910fe4f4

SHA256
7bb69f98d77ca7609c10b9a0ab1ce32be2e26b160413203d5335f65c1bc8ee72

SHA512
09c00bb95358bdbfd94d386b417513d50bee4e2f5da61a20f60fc1e4e554abd47a38d347c07a85c10bb97b9698b2e3bbcc331790f24076e51dc79e71339164ed

Download Submit
memory/1240-54-0x0000000000000000-mapping.dmp

Download
memory/1240-57-0x0000000001220000-0x0000000001228000-memory.dmp

Filesize
32KB

Download
memory/1240-58-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download