e462e1df4943897fde6d39c74f225eae5f1ad43969cf917061d5b81ebfab6982

Analysis

max time kernel
186s
max time network
210s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e462e1df4943897fde6d39c74f225eae5f1ad43969cf917061d5b81ebfab6982.exe
Size

865KB
MD5

0c6a3986d7eb12548f97fe6fa04fe5cf
SHA1

8fa0579ea73fa3732e6c1c5c39dec786e0441274
SHA256

e462e1df4943897fde6d39c74f225eae5f1ad43969cf917061d5b81ebfab6982
SHA512

99bf529bbee6f9450045aa8c3d88d032f92df210540d8d8c506722672da47c6ceb90bce47446f9301594e624b3f9247e5c4fa8f5a6c902a4db2935045a855a57
SSDEEP

24576:t3twknYSNLhD9soQ03roAEO64icfTxmaL:t3twknYSzuoxNE94iaTxB

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
656	cnuekg493i7maayuajlzpq.exe
1888	rxnitknodn.exe
1356	hzuxonkc.exe

Loads dropped DLL 6 IoCs

pid	Process
524	e462e1df4943897fde6d39c74f225eae5f1ad43969cf917061d5b81ebfab6982.exe
524	e462e1df4943897fde6d39c74f225eae5f1ad43969cf917061d5b81ebfab6982.exe
656	cnuekg493i7maayuajlzpq.exe
656	cnuekg493i7maayuajlzpq.exe
1888	rxnitknodn.exe
1888	rxnitknodn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tracking Video Alerts Profile Brightness = "C:\\Users\\Admin\\Local Settings\\Application Data\\rxnitknodn.exe"	cnuekg493i7maayuajlzpq.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1888	rxnitknodn.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1888	rxnitknodn.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe
1356	hzuxonkc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 524 wrote to memory of 656	524	e462e1df4943897fde6d39c74f225eae5f1ad43969cf917061d5b81ebfab6982.exe	27
PID 524 wrote to memory of 656	524	e462e1df4943897fde6d39c74f225eae5f1ad43969cf917061d5b81ebfab6982.exe	27
PID 524 wrote to memory of 656	524	e462e1df4943897fde6d39c74f225eae5f1ad43969cf917061d5b81ebfab6982.exe	27
PID 524 wrote to memory of 656	524	e462e1df4943897fde6d39c74f225eae5f1ad43969cf917061d5b81ebfab6982.exe	27
PID 656 wrote to memory of 1888	656	cnuekg493i7maayuajlzpq.exe	28
PID 656 wrote to memory of 1888	656	cnuekg493i7maayuajlzpq.exe	28
PID 656 wrote to memory of 1888	656	cnuekg493i7maayuajlzpq.exe	28
PID 656 wrote to memory of 1888	656	cnuekg493i7maayuajlzpq.exe	28
PID 1888 wrote to memory of 1356	1888	rxnitknodn.exe	29
PID 1888 wrote to memory of 1356	1888	rxnitknodn.exe	29
PID 1888 wrote to memory of 1356	1888	rxnitknodn.exe	29
PID 1888 wrote to memory of 1356	1888	rxnitknodn.exe	29

C:\Users\Admin\AppData\Local\Temp\e462e1df4943897fde6d39c74f225eae5f1ad43969cf917061d5b81ebfab6982.exe
"C:\Users\Admin\AppData\Local\Temp\e462e1df4943897fde6d39c74f225eae5f1ad43969cf917061d5b81ebfab6982.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:524
- C:\Users\Admin\AppData\Local\Temp\cnuekg493i7maayuajlzpq.exe
  "C:\Users\Admin\AppData\Local\Temp\cnuekg493i7maayuajlzpq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:656
- - C:\Users\Admin\Local Settings\Application Data\rxnitknodn.exe
    "C:\Users\Admin\Local Settings\Application Data\rxnitknodn.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Users\Admin\Local Settings\Application Data\hzuxonkc.exe
      WATCHDOGPROC "c:\users\admin\local settings\application data\rxnitknodn.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cnuekg493i7maayuajlzpq.exe

Filesize
865KB

MD5
0c6a3986d7eb12548f97fe6fa04fe5cf

SHA1
8fa0579ea73fa3732e6c1c5c39dec786e0441274

SHA256
e462e1df4943897fde6d39c74f225eae5f1ad43969cf917061d5b81ebfab6982

SHA512
99bf529bbee6f9450045aa8c3d88d032f92df210540d8d8c506722672da47c6ceb90bce47446f9301594e624b3f9247e5c4fa8f5a6c902a4db2935045a855a57

Download Submit
C:\Users\Admin\AppData\Local\hzuxonkc.exe

Filesize
865KB

MD5
0c6a3986d7eb12548f97fe6fa04fe5cf

SHA1
8fa0579ea73fa3732e6c1c5c39dec786e0441274

SHA256
e462e1df4943897fde6d39c74f225eae5f1ad43969cf917061d5b81ebfab6982

SHA512
99bf529bbee6f9450045aa8c3d88d032f92df210540d8d8c506722672da47c6ceb90bce47446f9301594e624b3f9247e5c4fa8f5a6c902a4db2935045a855a57

Download Submit
C:\Users\Admin\AppData\Local\rxnitknodn.exe

Filesize
865KB

MD5
0c6a3986d7eb12548f97fe6fa04fe5cf

SHA1
8fa0579ea73fa3732e6c1c5c39dec786e0441274

SHA256
e462e1df4943897fde6d39c74f225eae5f1ad43969cf917061d5b81ebfab6982

SHA512
99bf529bbee6f9450045aa8c3d88d032f92df210540d8d8c506722672da47c6ceb90bce47446f9301594e624b3f9247e5c4fa8f5a6c902a4db2935045a855a57

Download Submit
C:\Users\Admin\Local Settings\Application Data\evhigaltlwice\etc

Filesize
10B

MD5
91f52d61de0e9c6832c203e7d9e3bcfe

SHA1
8f016823d4bcc7d84be0c4c4ee7a11acfa2888db

SHA256
a303a5ae72d437463339af0a63899d1ca83140cf87e53fa5d66d95f248bef65f

SHA512
76b057e325c52b067ae8338ada5b2a57036cb2ee0809061a472cf3553d0fdbbb11c9646f83254aa93543c22954ced673df5edd5f50e3d8e8a2159f9fda9bb8b9

Download Submit
C:\Users\Admin\Local Settings\Application Data\evhigaltlwice\rng

Filesize
4B

MD5
3bf81e2bf6dc61706efb9a6dadc5793a

SHA1
bf1bbfb3b5aaddbc5065b8440ea616d84fad8ff2

SHA256
961ae28829f0b1cfbd073eff070ac5ea8994618c0e84fab4764367464a14b854

SHA512
354f74cb52f314226a6021c5745799d05a0c8ba21246c9717b8ce211193603c4704b72332f80576d15b14d76c8f772cd5b6fa7a10acb60fab67411573f732b1c

Download Submit
C:\Users\Admin\Local Settings\Application Data\evhigaltlwice\tst

Filesize
10B

MD5
af75c8013a013397e3be6ac6da9c7042

SHA1
cb8faa84bced34ba92d35de5877e4d9a11e5f778

SHA256
f2cd5f3cc79b915a269cc2c70499826c4a7df0c540f5fa5ed6e60d13ed1e4b6c

SHA512
d7a58e5ac8d222d08159c4f6285e60e67bc58d433a9208a2a34c70a3005aae08cc9b1144438fe809084c88dc4282d7256c1d929ac40d4b782907bed5fc2a1ff7

Download Submit
C:\Users\Admin\Local Settings\Application Data\evhigaltlwice\tst

Filesize
10B

MD5
af75c8013a013397e3be6ac6da9c7042

SHA1
cb8faa84bced34ba92d35de5877e4d9a11e5f778

SHA256
f2cd5f3cc79b915a269cc2c70499826c4a7df0c540f5fa5ed6e60d13ed1e4b6c

SHA512
d7a58e5ac8d222d08159c4f6285e60e67bc58d433a9208a2a34c70a3005aae08cc9b1144438fe809084c88dc4282d7256c1d929ac40d4b782907bed5fc2a1ff7

Download Submit
C:\Users\Admin\Local Settings\Application Data\evhigaltlwice\tst

Filesize
10B

MD5
af75c8013a013397e3be6ac6da9c7042

SHA1
cb8faa84bced34ba92d35de5877e4d9a11e5f778

SHA256
f2cd5f3cc79b915a269cc2c70499826c4a7df0c540f5fa5ed6e60d13ed1e4b6c

SHA512
d7a58e5ac8d222d08159c4f6285e60e67bc58d433a9208a2a34c70a3005aae08cc9b1144438fe809084c88dc4282d7256c1d929ac40d4b782907bed5fc2a1ff7

Download Submit
\??\c:\users\admin\appdata\local\temp\cnuekg493i7maayuajlzpq.exe

Filesize
865KB

MD5
0c6a3986d7eb12548f97fe6fa04fe5cf

SHA1
8fa0579ea73fa3732e6c1c5c39dec786e0441274

SHA256
e462e1df4943897fde6d39c74f225eae5f1ad43969cf917061d5b81ebfab6982

SHA512
99bf529bbee6f9450045aa8c3d88d032f92df210540d8d8c506722672da47c6ceb90bce47446f9301594e624b3f9247e5c4fa8f5a6c902a4db2935045a855a57

Download Submit
\??\c:\users\admin\local settings\application data\rxnitknodn.exe

Filesize
865KB

MD5
0c6a3986d7eb12548f97fe6fa04fe5cf

SHA1
8fa0579ea73fa3732e6c1c5c39dec786e0441274

SHA256
e462e1df4943897fde6d39c74f225eae5f1ad43969cf917061d5b81ebfab6982

SHA512
99bf529bbee6f9450045aa8c3d88d032f92df210540d8d8c506722672da47c6ceb90bce47446f9301594e624b3f9247e5c4fa8f5a6c902a4db2935045a855a57

Download Submit
\Users\Admin\AppData\Local\Temp\cnuekg493i7maayuajlzpq.exe

Filesize
865KB

MD5
0c6a3986d7eb12548f97fe6fa04fe5cf

SHA1
8fa0579ea73fa3732e6c1c5c39dec786e0441274

SHA256
e462e1df4943897fde6d39c74f225eae5f1ad43969cf917061d5b81ebfab6982

SHA512
99bf529bbee6f9450045aa8c3d88d032f92df210540d8d8c506722672da47c6ceb90bce47446f9301594e624b3f9247e5c4fa8f5a6c902a4db2935045a855a57

Download Submit
\Users\Admin\AppData\Local\Temp\cnuekg493i7maayuajlzpq.exe

Filesize
865KB

MD5
0c6a3986d7eb12548f97fe6fa04fe5cf

SHA1
8fa0579ea73fa3732e6c1c5c39dec786e0441274

SHA256
e462e1df4943897fde6d39c74f225eae5f1ad43969cf917061d5b81ebfab6982

SHA512
99bf529bbee6f9450045aa8c3d88d032f92df210540d8d8c506722672da47c6ceb90bce47446f9301594e624b3f9247e5c4fa8f5a6c902a4db2935045a855a57

Download Submit
\Users\Admin\AppData\Local\hzuxonkc.exe

Filesize
865KB

MD5
0c6a3986d7eb12548f97fe6fa04fe5cf

SHA1
8fa0579ea73fa3732e6c1c5c39dec786e0441274

SHA256
e462e1df4943897fde6d39c74f225eae5f1ad43969cf917061d5b81ebfab6982

SHA512
99bf529bbee6f9450045aa8c3d88d032f92df210540d8d8c506722672da47c6ceb90bce47446f9301594e624b3f9247e5c4fa8f5a6c902a4db2935045a855a57

Download Submit
\Users\Admin\AppData\Local\hzuxonkc.exe

Filesize
865KB

MD5
0c6a3986d7eb12548f97fe6fa04fe5cf

SHA1
8fa0579ea73fa3732e6c1c5c39dec786e0441274

SHA256
e462e1df4943897fde6d39c74f225eae5f1ad43969cf917061d5b81ebfab6982

SHA512
99bf529bbee6f9450045aa8c3d88d032f92df210540d8d8c506722672da47c6ceb90bce47446f9301594e624b3f9247e5c4fa8f5a6c902a4db2935045a855a57

Download Submit
\Users\Admin\AppData\Local\rxnitknodn.exe

Filesize
865KB

MD5
0c6a3986d7eb12548f97fe6fa04fe5cf

SHA1
8fa0579ea73fa3732e6c1c5c39dec786e0441274

SHA256
e462e1df4943897fde6d39c74f225eae5f1ad43969cf917061d5b81ebfab6982

SHA512
99bf529bbee6f9450045aa8c3d88d032f92df210540d8d8c506722672da47c6ceb90bce47446f9301594e624b3f9247e5c4fa8f5a6c902a4db2935045a855a57

Download Submit
\Users\Admin\AppData\Local\rxnitknodn.exe

Filesize
865KB

MD5
0c6a3986d7eb12548f97fe6fa04fe5cf

SHA1
8fa0579ea73fa3732e6c1c5c39dec786e0441274

SHA256
e462e1df4943897fde6d39c74f225eae5f1ad43969cf917061d5b81ebfab6982

SHA512
99bf529bbee6f9450045aa8c3d88d032f92df210540d8d8c506722672da47c6ceb90bce47446f9301594e624b3f9247e5c4fa8f5a6c902a4db2935045a855a57

Download Submit
memory/524-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download