29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1

Resubmissions

29-10-2022 00:00

221029-aal9vacfh9 10

28-10-2022 23:02

221028-21clwabecj 8

Analysis

max time kernel
44s
max time network
51s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
28-10-2022 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe
Size

785KB
MD5

d6e9e86e003086022805cd59d1a406bd
SHA1

514a4aaa1d1a0577fb1f84ff5d36cba8ea9619ea
SHA256

29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1
SHA512

bff9b88db4187f31f1aa4f405d676df909eacf5ad48a9f413278e2fdc656e735c0ab265f0f4cdc87b8885d15109ffc7cfca071faca9352988ec2a6f0afb36ac9
SSDEEP

1536:Wrae78zjORCDGwfdCSog01313os5gP2DKPJY8rPf128M+ZtgTr2u92PUmqIf0O0Q:uahKyd2n31x5BuIZ7T9vGPr

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4692	SETUP_~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4692	SETUP_~1.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 4692	5000	29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe	66
PID 5000 wrote to memory of 4692	5000	29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe	66
PID 5000 wrote to memory of 4692	5000	29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe	66

C:\Users\Admin\AppData\Local\Temp\29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe
"C:\Users\Admin\AppData\Local\Temp\29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4692
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
    3⤵
    PID:3996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE

Filesize
74KB

MD5
ed35c06f0a8ce0cbc6ffd38e9315fefc

SHA1
880d62bc2f19a8447a6112fd615ca5380e0761ab

SHA256
410517bd2326835d6e587facae12f63f3cd9fa1355f535a2786ee1c9175c744a

SHA512
fc4cf6f115e5d2859decc262fbd124886fff4ca4c06997cba68714349742f0f8bf20c822e9f5387d406356a2e967c690b99c996ef0d25b66d66a203c87efa66c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE

Filesize
54KB

MD5
c04da4136cb1d601dbc53afc311d63d9

SHA1
68f10c0d84d24f33a5c1f7d5c63d558ea4192b16

SHA256
54f82872c06ed5e88fc7ddb0e0f012226a4e14bd93f4a33e48179f671644ff70

SHA512
a4c47ea08749bfece3b572d4ffecf666e0b4511d7a901133290397fdf3d975ae2642c3ba49b71b2c55bf463fe7ee82b612d11212b6a12315089e91b08ef21e5e

Download Submit
memory/3996-252-0x0000000004B10000-0x0000000004B46000-memory.dmp

Filesize
216KB

Download
memory/3996-257-0x0000000007300000-0x0000000007928000-memory.dmp

Filesize
6.2MB

Download
memory/3996-296-0x0000000009B40000-0x000000000A1B8000-memory.dmp

Filesize
6.5MB

Download
memory/3996-297-0x0000000009090000-0x00000000090AA000-memory.dmp

Filesize
104KB

Download
memory/3996-285-0x0000000008220000-0x0000000008296000-memory.dmp

Filesize
472KB

Download
memory/3996-281-0x00000000084D0000-0x000000000851B000-memory.dmp

Filesize
300KB

Download
memory/3996-280-0x0000000007B60000-0x0000000007B7C000-memory.dmp

Filesize
112KB

Download
memory/3996-276-0x0000000007930000-0x0000000007996000-memory.dmp

Filesize
408KB

Download
memory/3996-277-0x00000000079A0000-0x0000000007A06000-memory.dmp

Filesize
408KB

Download
memory/4692-161-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-169-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-128-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-139-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-143-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-146-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-147-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-148-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-149-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-145-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-150-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-151-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-144-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-142-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-152-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-141-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-153-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-140-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-156-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-157-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-155-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

Filesize
32KB

Download
memory/4692-154-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-158-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-138-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-137-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-159-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-160-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-127-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-132-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-125-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-124-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-164-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-167-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-168-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-170-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-131-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-171-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-166-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-173-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-174-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-175-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-176-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-172-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-177-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-180-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-184-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-185-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-186-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-183-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-182-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-181-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-179-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-178-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-165-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-163-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-162-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-123-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-121-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-200-0x00000000092C0000-0x0000000009388000-memory.dmp

Filesize
800KB

Download
memory/4692-133-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-134-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-136-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-135-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-130-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-126-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-122-0x0000000076E80000-0x000000007700E000-memory.dmp

Filesize
1.6MB

Download
memory/4692-201-0x0000000009400000-0x0000000009492000-memory.dmp

Filesize
584KB

Download
memory/4692-202-0x0000000009490000-0x00000000094B2000-memory.dmp

Filesize
136KB

Download
memory/4692-204-0x00000000094C0000-0x0000000009810000-memory.dmp

Filesize
3.3MB

Download