29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1

Analysis

max time kernel
151s
max time network
157s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28-10-2022 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6e9e86e003086022805cd59d1a406bd.exe
Size

785KB
MD5

d6e9e86e003086022805cd59d1a406bd
SHA1

514a4aaa1d1a0577fb1f84ff5d36cba8ea9619ea
SHA256

29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1
SHA512

bff9b88db4187f31f1aa4f405d676df909eacf5ad48a9f413278e2fdc656e735c0ab265f0f4cdc87b8885d15109ffc7cfca071faca9352988ec2a6f0afb36ac9
SSDEEP

1536:Wrae78zjORCDGwfdCSog01313os5gP2DKPJY8rPf128M+ZtgTr2u92PUmqIf0O0Q:uahKyd2n31x5BuIZ7T9vGPr

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1628	SETUP_~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	d6e9e86e003086022805cd59d1a406bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d6e9e86e003086022805cd59d1a406bd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	SETUP_~1.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1628	1996	d6e9e86e003086022805cd59d1a406bd.exe	27
PID 1996 wrote to memory of 1628	1996	d6e9e86e003086022805cd59d1a406bd.exe	27
PID 1996 wrote to memory of 1628	1996	d6e9e86e003086022805cd59d1a406bd.exe	27
PID 1996 wrote to memory of 1628	1996	d6e9e86e003086022805cd59d1a406bd.exe	27
PID 1996 wrote to memory of 1628	1996	d6e9e86e003086022805cd59d1a406bd.exe	27
PID 1996 wrote to memory of 1628	1996	d6e9e86e003086022805cd59d1a406bd.exe	27
PID 1996 wrote to memory of 1628	1996	d6e9e86e003086022805cd59d1a406bd.exe	27

C:\Users\Admin\AppData\Local\Temp\d6e9e86e003086022805cd59d1a406bd.exe
"C:\Users\Admin\AppData\Local\Temp\d6e9e86e003086022805cd59d1a406bd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE

Filesize
333.8MB

MD5
6adc030eeebd67c41f767f7ff4d7fea0

SHA1
e5d80aff951e4b6df714cb4eb650bafb54e87370

SHA256
b12ba6202ed39313ebef9404fd7513effd5c00d8e3f403fe971a8550843ef5ec

SHA512
9a3c48019d245e2a6e041bd8aa0a477c9f24d5678036a6252d112fe493283e5996ffbdcc7d0c8fdafbe0d636a4d26ae28a1c476222dbabb5ad9893b64e977475

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE

Filesize
333.8MB

MD5
6adc030eeebd67c41f767f7ff4d7fea0

SHA1
e5d80aff951e4b6df714cb4eb650bafb54e87370

SHA256
b12ba6202ed39313ebef9404fd7513effd5c00d8e3f403fe971a8550843ef5ec

SHA512
9a3c48019d245e2a6e041bd8aa0a477c9f24d5678036a6252d112fe493283e5996ffbdcc7d0c8fdafbe0d636a4d26ae28a1c476222dbabb5ad9893b64e977475

Download Submit
memory/1628-57-0x00000000012A0000-0x00000000012A8000-memory.dmp

Filesize
32KB

Download
memory/1628-58-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download