29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1

Resubmissions

29-10-2022 00:00

221029-aal9vacfh9 10

28-10-2022 23:02

221028-21clwabecj 8

Analysis

max time kernel
277s
max time network
169s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-10-2022 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe
Size

785KB
MD5

d6e9e86e003086022805cd59d1a406bd
SHA1

514a4aaa1d1a0577fb1f84ff5d36cba8ea9619ea
SHA256

29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1
SHA512

bff9b88db4187f31f1aa4f405d676df909eacf5ad48a9f413278e2fdc656e735c0ab265f0f4cdc87b8885d15109ffc7cfca071faca9352988ec2a6f0afb36ac9
SSDEEP

1536:Wrae78zjORCDGwfdCSog01313os5gP2DKPJY8rPf128M+ZtgTr2u92PUmqIf0O0Q:uahKyd2n31x5BuIZ7T9vGPr

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2044	SETUP_~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	SETUP_~1.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 2044	1568	29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe	27
PID 1568 wrote to memory of 2044	1568	29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe	27
PID 1568 wrote to memory of 2044	1568	29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe	27
PID 1568 wrote to memory of 2044	1568	29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe	27
PID 1568 wrote to memory of 2044	1568	29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe	27
PID 1568 wrote to memory of 2044	1568	29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe	27
PID 1568 wrote to memory of 2044	1568	29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe	27

C:\Users\Admin\AppData\Local\Temp\29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe
"C:\Users\Admin\AppData\Local\Temp\29a808de2d82612a27d0ffb5a6505a90e0884d8ea332a282847d7da04f52b5f1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE

Filesize
1.4MB

MD5
135a87df511d1768d71fdfec241af5c1

SHA1
282da349a67b4f5a31710c9b8ebb378eb3b184a2

SHA256
354a0515bd928885a18f6da7a8e485101dea3b99c2d9ebad43ad44b647229d80

SHA512
45850aae717df15924a902fa40d7f5833aa8256af41d0cb9ac8930c50c09fffa210329f1a48dfa712b9579b2b4859f45dae9962cee038f9a811ab973a0e0a0e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE

Filesize
80KB

MD5
b8ad5e2a3d617c51b50575a0d53a10e9

SHA1
b450c4821b1723e9c5153cce07100bc5b8b169e9

SHA256
a5488d6211c3724ba37ee61d23c7e556d379ba9bfd921a27e993fccda17e8a14

SHA512
3b44751eb1eed5afbcb40f36446a19925a772412c52a0e413abab380a2c44675cc4e9984b4a57335f16822b0fd688b86ba4cc707859eada00cd461614bf5c2a8

Download Submit
memory/2044-57-0x0000000000B90000-0x0000000000B98000-memory.dmp

Filesize
32KB

Download
memory/2044-58-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download