Analysis
max time kernel: 161s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 06/11/2022, 11:08
Behavioral task: behavioral1
Sample: be1e5d62157b393d3af5e9ccad19cfce4548c41cbc3acfbb5747136ed6420b9b.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: be1e5d62157b393d3af5e9ccad19cfce4548c41cbc3acfbb5747136ed6420b9b.exe
Resource: win10v2004-20220812-en
General
Target: be1e5d62157b393d3af5e9ccad19cfce4548c41cbc3acfbb5747136ed6420b9b.exe
Size: 56KB
MD5: 10d602a94df9fb799a28e0b521c996b6
SHA1: 371eb9a9aa394c39320703de88f824a73fb53a7b
SHA256: be1e5d62157b393d3af5e9ccad19cfce4548c41cbc3acfbb5747136ed6420b9b
SHA512: fd75d762545e7c3f65dd0a72a70019fe7decd16d8fb1c4a6cd64d0497d3d325ba3d17e1b2a78e241f8f05e54111c9125e8d39aaab84320dab8cd2b42ecca46d9
SSDEEP: 768:pUDovscJiOxDb6Dmze7i4Hp/XUKG5kv6suq48DBIquMEx0OCJv49Ue9YAymAqQ10:pao1JfF+hZCrivr2TIJvGUeWDvqQK
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid 2336: D.exe

yara_rule matches
resource behavioral2/memory/2252-132-0x0000000001000000-0x0000000001018000-memory.dmp: upx
resource behavioral2/memory/2252-139-0x0000000001000000-0x0000000001018000-memory.dmp: upx

Adds Run key to start application (2 TTPs, 2 IoCs)
Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: be1e5d62157b393d3af5e9ccad19cfce4548c41cbc3acfbb5747136ed6420b9b.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: be1e5d62157b393d3af5e9ccad19cfce4548c41cbc3acfbb5747136ed6420b9b.exe)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid 2336: D.exe
pid 2336: D.exe
pid 2336: D.exe
pid 2336: D.exe

Suspicious use of WriteProcessMemory (7 IoCs)
PID 2252 wrote to memory of 2336 (process: be1e5d62157b393d3af5e9ccad19cfce4548c41cbc3acfbb5747136ed6420b9b.exe, procid_target: 81)
PID 2252 wrote to memory of 2336 (process: be1e5d62157b393d3af5e9ccad19cfce4548c41cbc3acfbb5747136ed6420b9b.exe, procid_target: 81)
PID 2252 wrote to memory of 2336 (process: be1e5d62157b393d3af5e9ccad19cfce4548c41cbc3acfbb5747136ed6420b9b.exe, procid_target: 81)
PID 2336 wrote to memory of 724 (process: D.exe, procid_target: 49)
PID 2336 wrote to memory of 724 (process: D.exe, procid_target: 49)
PID 2336 wrote to memory of 724 (process: D.exe, procid_target: 49)
PID 2336 wrote to memory of 724 (process: D.exe, procid_target: 49)
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 724
2. C:\Users\Admin\AppData\Local\Temp\be1e5d62157b393d3af5e9ccad19cfce4548c41cbc3acfbb5747136ed6420b9b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\be1e5d62157b393d3af5e9ccad19cfce4548c41cbc3acfbb5747136ed6420b9b.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   PID: 2252
3. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\D.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\D.exe
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 2336
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 31KB
MD5: 23e9f007ff410b3c40c6e60a9ae871e2
SHA1: 355deceaa31e93289255621878705086546096fe
SHA256: 12af6eb089a2f56c5104ebc168897fdc0b6cce22f8ea473e7298b9542c40a7c9
SHA512: 02946b31ee17de418949aa19590fb55d494c99c25b5d66fde8f5a82618dc5b1e10ca56bfdc99a8e6f68a31b80de0d5da57a3d77e531b36c837254b3d06f153b5