fce4a89da16de7d490cded6155ab80728ed00469579c93ca722869f520cfec62

Analysis

max time kernel
91s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fce4a89da16de7d490cded6155ab80728ed00469579c93ca722869f520cfec62.exe
Size

233KB
MD5

d25a10bc8ff997ed253ade1bf13bf3f6
SHA1

ceba6c9562488f332dbb59386fa972a35b0d8a23
SHA256

fce4a89da16de7d490cded6155ab80728ed00469579c93ca722869f520cfec62
SHA512

4435da547ee83d63aff36144619fb1b2205f85133e46c9c8f4be6476d3622d0fdef32cb220b7c426a8d8d817f59ecc900c0eca9890089a924dd48be910e7525d
SSDEEP

3072:RzW+DiC9iLo+GnHD5GWp1icKAArDZz4N9GhbkrNEk14B3k+6UZ47hG2CYTbcPNIn:sKwLo7Bp0yN90QEjB39lSdGCTINy+

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4832	IDMPatch.exe

Loads dropped DLL 1 IoCs

pid	Process
4832	IDMPatch.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fce4a89da16de7d490cded6155ab80728ed00469579c93ca722869f520cfec62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fce4a89da16de7d490cded6155ab80728ed00469579c93ca722869f520cfec62.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 4832	4904	fce4a89da16de7d490cded6155ab80728ed00469579c93ca722869f520cfec62.exe	82
PID 4904 wrote to memory of 4832	4904	fce4a89da16de7d490cded6155ab80728ed00469579c93ca722869f520cfec62.exe	82
PID 4904 wrote to memory of 4832	4904	fce4a89da16de7d490cded6155ab80728ed00469579c93ca722869f520cfec62.exe	82

C:\Users\Admin\AppData\Local\Temp\fce4a89da16de7d490cded6155ab80728ed00469579c93ca722869f520cfec62.exe
"C:\Users\Admin\AppData\Local\Temp\fce4a89da16de7d490cded6155ab80728ed00469579c93ca722869f520cfec62.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IDMPatch.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IDMPatch.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IDMPatch.exe

Filesize
62KB

MD5
acae801806c4d74947c22971f40553c2

SHA1
841389b7bfb8595eb4e5c466849e60941b7e10b7

SHA256
c53401acfab98052b8139f8257e1f9eeb8a8c987555ab8abd7b4e08fbc5aa071

SHA512
5e064aee885dcb4735e1979ead2b88f0ca2e215d42bb8b94706be1cf6b1e04d9d0a600a02a7c11e73185e71ada36e6d069a4e2891235e7ec0d4a7f932979c394

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IDMPatch.exe

Filesize
62KB

MD5
acae801806c4d74947c22971f40553c2

SHA1
841389b7bfb8595eb4e5c466849e60941b7e10b7

SHA256
c53401acfab98052b8139f8257e1f9eeb8a8c987555ab8abd7b4e08fbc5aa071

SHA512
5e064aee885dcb4735e1979ead2b88f0ca2e215d42bb8b94706be1cf6b1e04d9d0a600a02a7c11e73185e71ada36e6d069a4e2891235e7ec0d4a7f932979c394

Download Submit
C:\Users\Admin\AppData\Local\Temp\dup2patcher.dll

Filesize
56KB

MD5
7282ed684488bef91a13c746208ec3de

SHA1
50ae90c20efa9353ea4333f648f16f3d0e524323

SHA256
feef6e3e8aad162f32c65b7a027921b6bdc2ca489811841083db2a374f2be2b4

SHA512
f431ceeb24e76d12c2ed1ee89f2ade3ac66367e90e0eca0120b807f5726ef2b7f5f7843ec1fbfce99a82fe0b9ee086caa72804adc18d847cad94eea1fe904543

Download Submit
memory/4832-136-0x0000000075350000-0x0000000075376000-memory.dmp

Filesize
152KB

Download