314410dacd8226075671d108c091e8dcf6f24156b10b430e81e25891d750d68d

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.1MB
MD5

2ad4efa6bd88630d2a3a61b1898cd62f
SHA1

e5b869841b26fbb54b9e94668b3017face715581
SHA256

314410dacd8226075671d108c091e8dcf6f24156b10b430e81e25891d750d68d
SHA512

2df531a6634c0ecd3448b5369507b2f9735f651cfd932ec13140521154bcdbaaf03d76f82fc6e61cec669ab58cc06ef04d349f9b2a2c604a00eeeaf59e6b413c
SSDEEP

24576:X9ERWaeW0rxk6fIAkiWOurxoETjpoLIrDoS:X9EwW8xkVQvuloETjGLIrDoS

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1164 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

580 powershell.exe
580 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 580 powershell.exe

pid	process
1164	PING.EXE

pid	process
580	powershell.exe
580	powershell.exe

description	pid	process
Token: SeDebugPrivilege	580	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

file.execmd.execmd.exe

description	pid	process	target process
PID 1900 wrote to memory of 1388	1900	file.exe	waitfor.exe
PID 1900 wrote to memory of 1388	1900	file.exe	waitfor.exe
PID 1900 wrote to memory of 1388	1900	file.exe	waitfor.exe
PID 1900 wrote to memory of 1388	1900	file.exe	waitfor.exe
PID 1900 wrote to memory of 2008	1900	file.exe	cmd.exe
PID 1900 wrote to memory of 2008	1900	file.exe	cmd.exe
PID 1900 wrote to memory of 2008	1900	file.exe	cmd.exe
PID 1900 wrote to memory of 2008	1900	file.exe	cmd.exe
PID 2008 wrote to memory of 860	2008	cmd.exe	cmd.exe
PID 2008 wrote to memory of 860	2008	cmd.exe	cmd.exe
PID 2008 wrote to memory of 860	2008	cmd.exe	cmd.exe
PID 2008 wrote to memory of 860	2008	cmd.exe	cmd.exe
PID 860 wrote to memory of 580	860	cmd.exe	powershell.exe
PID 860 wrote to memory of 580	860	cmd.exe	powershell.exe
PID 860 wrote to memory of 580	860	cmd.exe	powershell.exe
PID 860 wrote to memory of 580	860	cmd.exe	powershell.exe
PID 2008 wrote to memory of 1164	2008	cmd.exe	PING.EXE
PID 2008 wrote to memory of 1164	2008	cmd.exe	PING.EXE
PID 2008 wrote to memory of 1164	2008	cmd.exe	PING.EXE
PID 2008 wrote to memory of 1164	2008	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\waitfor.exe
waitfor /???????
2⤵
PID:1388

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Operational.xltm & ping -n 5 localhost
2⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avastui
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
3⤵
- Runs ping.exe
PID:1164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Operational.xltm

Filesize
12KB

MD5
58f102665d0ba1ef5c800935468ff278

SHA1
3eee4e7eb76cbe94122a6a854901304c8212a11f

SHA256
1a70c59886d8ac7c2b783c644fa83c32b4f08af563da6b9c1d501d8f8a0e5c5b

SHA512
f5dd4ef83e61b78e345f8fea42eca74359131c5fc235125fee8371f3b5a9a07f95dc756728470f7f118e050aaf502993149f13e06273448194a3f4279f7d8387

Download Submit
memory/580-58-0x0000000000000000-mapping.dmp

Download
memory/580-59-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/580-60-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/580-61-0x0000000074080000-0x000000007462B000-memory.dmp

Filesize
5.7MB

Download
memory/860-57-0x0000000000000000-mapping.dmp

Download
memory/1164-62-0x0000000000000000-mapping.dmp

Download
memory/1388-54-0x0000000000000000-mapping.dmp

Download
memory/2008-55-0x0000000000000000-mapping.dmp

Download