5d40fe274e8acba14d13483ececb1e7e343a61d3fa021d2c4a0d023b390b253b

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d40fe274e8acba14d13483ececb1e7e343a61d3fa021d2c4a0d023b390b253b.exe
Size

308KB
MD5

7107d96fb516d1f15e7404702d52f63f
SHA1

2014aa810011d45c0d76df81be2846fa71ed0ff2
SHA256

5d40fe274e8acba14d13483ececb1e7e343a61d3fa021d2c4a0d023b390b253b
SHA512

1f6e2ff39d013fc144fca067cab2bbca24805c11ee4e9b97e9de20fcf1559ed3c7a5bbcc1e0933270275cfc35bfdf3b97d96b903bf729535c3603d8cde92ba3d
SSDEEP

6144:TpUcP+wbqVe0xdDz2N2PENHpwGX7xifrQkO2iZN1ryTgk:TpLJb0ddDNEHws7xerQk1

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
888	itexim.exe

Deletes itself 1 IoCs

pid	Process
1204	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1768	5d40fe274e8acba14d13483ececb1e7e343a61d3fa021d2c4a0d023b390b253b.exe
1768	5d40fe274e8acba14d13483ececb1e7e343a61d3fa021d2c4a0d023b390b253b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	itexim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Itexim = "C:\\Users\\Admin\\AppData\\Roaming\\Arekuc\\itexim.exe"	itexim.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1768 set thread context of 1204	1768	5d40fe274e8acba14d13483ececb1e7e343a61d3fa021d2c4a0d023b390b253b.exe	28

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
888	itexim.exe
888	itexim.exe
888	itexim.exe
888	itexim.exe
888	itexim.exe
888	itexim.exe
888	itexim.exe
888	itexim.exe
888	itexim.exe
888	itexim.exe
888	itexim.exe
888	itexim.exe
888	itexim.exe
888	itexim.exe
888	itexim.exe
888	itexim.exe
888	itexim.exe
888	itexim.exe
888	itexim.exe
888	itexim.exe
888	itexim.exe
888	itexim.exe
888	itexim.exe
888	itexim.exe
888	itexim.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 888	1768	5d40fe274e8acba14d13483ececb1e7e343a61d3fa021d2c4a0d023b390b253b.exe	27
PID 1768 wrote to memory of 888	1768	5d40fe274e8acba14d13483ececb1e7e343a61d3fa021d2c4a0d023b390b253b.exe	27
PID 1768 wrote to memory of 888	1768	5d40fe274e8acba14d13483ececb1e7e343a61d3fa021d2c4a0d023b390b253b.exe	27
PID 1768 wrote to memory of 888	1768	5d40fe274e8acba14d13483ececb1e7e343a61d3fa021d2c4a0d023b390b253b.exe	27
PID 888 wrote to memory of 1236	888	itexim.exe	10
PID 888 wrote to memory of 1236	888	itexim.exe	10
PID 888 wrote to memory of 1236	888	itexim.exe	10
PID 888 wrote to memory of 1236	888	itexim.exe	10
PID 888 wrote to memory of 1236	888	itexim.exe	10
PID 888 wrote to memory of 1336	888	itexim.exe	17
PID 888 wrote to memory of 1336	888	itexim.exe	17
PID 888 wrote to memory of 1336	888	itexim.exe	17
PID 888 wrote to memory of 1336	888	itexim.exe	17
PID 888 wrote to memory of 1336	888	itexim.exe	17
PID 888 wrote to memory of 1388	888	itexim.exe	16
PID 888 wrote to memory of 1388	888	itexim.exe	16
PID 888 wrote to memory of 1388	888	itexim.exe	16
PID 888 wrote to memory of 1388	888	itexim.exe	16
PID 888 wrote to memory of 1388	888	itexim.exe	16
PID 888 wrote to memory of 1768	888	itexim.exe	26
PID 888 wrote to memory of 1768	888	itexim.exe	26
PID 888 wrote to memory of 1768	888	itexim.exe	26
PID 888 wrote to memory of 1768	888	itexim.exe	26
PID 888 wrote to memory of 1768	888	itexim.exe	26
PID 1768 wrote to memory of 1204	1768	5d40fe274e8acba14d13483ececb1e7e343a61d3fa021d2c4a0d023b390b253b.exe	28
PID 1768 wrote to memory of 1204	1768	5d40fe274e8acba14d13483ececb1e7e343a61d3fa021d2c4a0d023b390b253b.exe	28
PID 1768 wrote to memory of 1204	1768	5d40fe274e8acba14d13483ececb1e7e343a61d3fa021d2c4a0d023b390b253b.exe	28
PID 1768 wrote to memory of 1204	1768	5d40fe274e8acba14d13483ececb1e7e343a61d3fa021d2c4a0d023b390b253b.exe	28
PID 1768 wrote to memory of 1204	1768	5d40fe274e8acba14d13483ececb1e7e343a61d3fa021d2c4a0d023b390b253b.exe	28
PID 1768 wrote to memory of 1204	1768	5d40fe274e8acba14d13483ececb1e7e343a61d3fa021d2c4a0d023b390b253b.exe	28
PID 1768 wrote to memory of 1204	1768	5d40fe274e8acba14d13483ececb1e7e343a61d3fa021d2c4a0d023b390b253b.exe	28
PID 1768 wrote to memory of 1204	1768	5d40fe274e8acba14d13483ececb1e7e343a61d3fa021d2c4a0d023b390b253b.exe	28
PID 1768 wrote to memory of 1204	1768	5d40fe274e8acba14d13483ececb1e7e343a61d3fa021d2c4a0d023b390b253b.exe	28

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1236

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1388
- C:\Users\Admin\AppData\Local\Temp\5d40fe274e8acba14d13483ececb1e7e343a61d3fa021d2c4a0d023b390b253b.exe
  "C:\Users\Admin\AppData\Local\Temp\5d40fe274e8acba14d13483ececb1e7e343a61d3fa021d2c4a0d023b390b253b.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Users\Admin\AppData\Roaming\Arekuc\itexim.exe
    "C:\Users\Admin\AppData\Roaming\Arekuc\itexim.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:888
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\WSL9AFC.bat"
    3⤵
    - Deletes itself
    PID:1204

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WSL9AFC.bat

Filesize
303B

MD5
90c6689ad8e8afef960888cb1397974a

SHA1
e8ecc13b36ee0515f84dbd0f6b0ecb4fcf267eb0

SHA256
6b04748169181f07beba5bed83e463fcf7213c294fa5268bfc9000c375bd0250

SHA512
a18a8ec88189a7f312ccd8de7c13dca92f3373b7c05b471ebefe5d48d65f2faa74130e46ca9ea0dcac30f63d81281091c8e63260df3c6db8603ce8a5819f0642

Download Submit
C:\Users\Admin\AppData\Roaming\Arekuc\itexim.exe

Filesize
308KB

MD5
6ae770e18f0c2901bdf177c239bcd83f

SHA1
b9d12c0c5684b49707581cae73faef38bbc755d1

SHA256
f23cf56a953f1db0ebeedb26648ba4f93c216526ee6da2c3b1229050d04b1c72

SHA512
54eab2898d372716687d067d1796410ce1979363edaa675c7d2868fe94b5879e1302a96368ac0314b1c61dcb3ea1f7adf49d1496b207b60c53b32d8f7ec1af47

Download Submit
C:\Users\Admin\AppData\Roaming\Arekuc\itexim.exe

Filesize
308KB

MD5
6ae770e18f0c2901bdf177c239bcd83f

SHA1
b9d12c0c5684b49707581cae73faef38bbc755d1

SHA256
f23cf56a953f1db0ebeedb26648ba4f93c216526ee6da2c3b1229050d04b1c72

SHA512
54eab2898d372716687d067d1796410ce1979363edaa675c7d2868fe94b5879e1302a96368ac0314b1c61dcb3ea1f7adf49d1496b207b60c53b32d8f7ec1af47

Download Submit
\Users\Admin\AppData\Roaming\Arekuc\itexim.exe

Filesize
308KB

MD5
6ae770e18f0c2901bdf177c239bcd83f

SHA1
b9d12c0c5684b49707581cae73faef38bbc755d1

SHA256
f23cf56a953f1db0ebeedb26648ba4f93c216526ee6da2c3b1229050d04b1c72

SHA512
54eab2898d372716687d067d1796410ce1979363edaa675c7d2868fe94b5879e1302a96368ac0314b1c61dcb3ea1f7adf49d1496b207b60c53b32d8f7ec1af47

Download Submit
\Users\Admin\AppData\Roaming\Arekuc\itexim.exe

Filesize
308KB

MD5
6ae770e18f0c2901bdf177c239bcd83f

SHA1
b9d12c0c5684b49707581cae73faef38bbc755d1

SHA256
f23cf56a953f1db0ebeedb26648ba4f93c216526ee6da2c3b1229050d04b1c72

SHA512
54eab2898d372716687d067d1796410ce1979363edaa675c7d2868fe94b5879e1302a96368ac0314b1c61dcb3ea1f7adf49d1496b207b60c53b32d8f7ec1af47

Download Submit
memory/888-62-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/888-59-0x0000000000000000-mapping.dmp

Download
memory/1204-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1204-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1204-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1204-97-0x00000000000B0000-0x00000000000F9000-memory.dmp

Filesize
292KB

Download
memory/1204-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1204-113-0x00000000000B0000-0x00000000000F9000-memory.dmp

Filesize
292KB

Download
memory/1204-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1204-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1204-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1204-102-0x00000000000E2ED8-mapping.dmp

Download
memory/1204-100-0x00000000000B0000-0x00000000000F9000-memory.dmp

Filesize
292KB

Download
memory/1204-101-0x00000000000B0000-0x00000000000F9000-memory.dmp

Filesize
292KB

Download
memory/1204-99-0x00000000000B0000-0x00000000000F9000-memory.dmp

Filesize
292KB

Download
memory/1236-68-0x0000000000410000-0x0000000000459000-memory.dmp

Filesize
292KB

Download
memory/1236-65-0x0000000000410000-0x0000000000459000-memory.dmp

Filesize
292KB

Download
memory/1236-67-0x0000000000410000-0x0000000000459000-memory.dmp

Filesize
292KB

Download
memory/1236-70-0x0000000000410000-0x0000000000459000-memory.dmp

Filesize
292KB

Download
memory/1236-69-0x0000000000410000-0x0000000000459000-memory.dmp

Filesize
292KB

Download
memory/1336-76-0x0000000001BF0000-0x0000000001C39000-memory.dmp

Filesize
292KB

Download
memory/1336-73-0x0000000001BF0000-0x0000000001C39000-memory.dmp

Filesize
292KB

Download
memory/1336-74-0x0000000001BF0000-0x0000000001C39000-memory.dmp

Filesize
292KB

Download
memory/1336-75-0x0000000001BF0000-0x0000000001C39000-memory.dmp

Filesize
292KB

Download
memory/1388-81-0x0000000002A80000-0x0000000002AC9000-memory.dmp

Filesize
292KB

Download
memory/1388-82-0x0000000002A80000-0x0000000002AC9000-memory.dmp

Filesize
292KB

Download
memory/1388-80-0x0000000002A80000-0x0000000002AC9000-memory.dmp

Filesize
292KB

Download
memory/1388-79-0x0000000002A80000-0x0000000002AC9000-memory.dmp

Filesize
292KB

Download
memory/1768-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1768-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1768-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1768-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1768-103-0x0000000001BE0000-0x0000000001C29000-memory.dmp

Filesize
292KB

Download
memory/1768-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1768-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1768-86-0x0000000001BE0000-0x0000000001C29000-memory.dmp

Filesize
292KB

Download
memory/1768-85-0x0000000001BE0000-0x0000000001C29000-memory.dmp

Filesize
292KB

Download
memory/1768-55-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/1768-87-0x0000000001BE0000-0x0000000001C29000-memory.dmp

Filesize
292KB

Download
memory/1768-88-0x0000000001BE0000-0x0000000001C29000-memory.dmp

Filesize
292KB

Download
memory/1768-56-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/1768-54-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download