29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1

Resubmissions

29-10-2022 00:00

221029-aal9vacfh9 10

28-10-2022 23:02

221028-21clwabecj 8

Analysis

max time kernel
252s
max time network
119s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-10-2022 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe
Size

785KB
MD5

d6e9e86e003086022805cd59d1a406bd
SHA1

514a4aaa1d1a0577fb1f84ff5d36cba8ea9619ea
SHA256

29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1
SHA512

bff9b88db4187f31f1aa4f405d676df909eacf5ad48a9f413278e2fdc656e735c0ab265f0f4cdc87b8885d15109ffc7cfca071faca9352988ec2a6f0afb36ac9
SSDEEP

1536:Wrae78zjORCDGwfdCSog01313os5gP2DKPJY8rPf128M+ZtgTr2u92PUmqIf0O0Q:uahKyd2n31x5BuIZ7T9vGPr

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1928	SETUP_~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1928	SETUP_~1.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 1928	948	29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe	28
PID 948 wrote to memory of 1928	948	29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe	28
PID 948 wrote to memory of 1928	948	29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe	28
PID 948 wrote to memory of 1928	948	29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe	28
PID 948 wrote to memory of 1928	948	29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe	28
PID 948 wrote to memory of 1928	948	29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe	28
PID 948 wrote to memory of 1928	948	29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe	28

C:\Users\Admin\AppData\Local\Temp\29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe
"C:\Users\Admin\AppData\Local\Temp\29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:948
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE

Filesize
86KB

MD5
c009a03c8fbea5a00d8b6cf2584902a2

SHA1
0f8d9602899268a21e2f0abc9b68bb85a173bca1

SHA256
f26a78827a3622778ced6fd8d99a1d0ac4bc76d6327f67d33dc23f082d2a22fb

SHA512
b3902cb153308b618f58016819ee20ce5ff635e51c860165910430f0ba6caa591dab240333ace77b35352399e73a30e69765c1867d1906a20c766302ec212ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE

Filesize
100KB

MD5
01dfd2b0544d126875e0bc4e6f70553e

SHA1
76584eba0fff35bd7e4acb78d7b07c3cd0cffbe2

SHA256
58b1274002fd32890d28fc679f57d376c2ec496a77ef58c2560bab99c2266e55

SHA512
7b6ac61d2ba8cd74cc6639636dcc44d9ae34461b1ba0a98bb614761171185c742294aeab0f9c087e15141c4bc20571ce4a8360fcb5d0c3a0146e00eebf0a90ea

Download Submit
memory/1928-57-0x0000000000C30000-0x0000000000C38000-memory.dmp

Filesize
32KB

Download
memory/1928-58-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download