828e97849947eac4a9ca96aade810bc90564831d648a6b16c0c7902e465e6b74

Analysis

max time kernel
44s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ICONCH~1.exe
Size

1.1MB
MD5

714fec58517cf8ec758106f9e92cb4cd
SHA1

b1b03ba2dd2f94ce07b055854687fe5853324309
SHA256

a4ec43ad30c758d0a1737edcedd29934a442e0dc8b5ff95cb593b150becfad82
SHA512

7eba6963e166e92992208587e11f20992f6166101708dee47282e405a393002266e098f6e7d2aade9c5edd6887c8192bf4eac3f5f797134beef334c81f459c3a
SSDEEP

24576:2mQcUXo8ZwC+trY/dESAMtsYW3z6Hgc5OD+3zF3yiRFUh93AFI/eKwUoWHw:xw7vQrYVftPDOD8zg8Fw3iI/eRWQ

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Install.exe

pid process

844 Install.exe
Loads dropped DLL 4 IoCs

Processes:

ICONCH~1.exeInstall.exe

pid process

1252 ICONCH~1.exe
844 Install.exe
844 Install.exe
844 Install.exe

pid	process
844	Install.exe

pid	process
1252	ICONCH~1.exe
844	Install.exe
844	Install.exe
844	Install.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ICONCH~1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ICONCH~1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ICONCH~1.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

ICONCH~1.exe

description	pid	process	target process
PID 1252 wrote to memory of 844	1252	ICONCH~1.exe	Install.exe
PID 1252 wrote to memory of 844	1252	ICONCH~1.exe	Install.exe
PID 1252 wrote to memory of 844	1252	ICONCH~1.exe	Install.exe
PID 1252 wrote to memory of 844	1252	ICONCH~1.exe	Install.exe
PID 1252 wrote to memory of 844	1252	ICONCH~1.exe	Install.exe
PID 1252 wrote to memory of 844	1252	ICONCH~1.exe	Install.exe
PID 1252 wrote to memory of 844	1252	ICONCH~1.exe	Install.exe

C:\Users\Admin\AppData\Local\Temp\ICONCH~1.exe
"C:\Users\Admin\AppData\Local\Temp\ICONCH~1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1252

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:844

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
Filesize
144KB

MD5
b2dbe169afe0e6060a4b85a9813a6f23

SHA1
9a3ba3bb20bc3a240d4e1bd1c0758c4f50001b6f

SHA256
539a1d4bd44fb87e6a1b78393206e923b33b7f6e4df6dc5a2be93757de8f119b

SHA512
a291c86342d2f44e6bd8113f849ce1773e53f130c47f75b67f298e19d178d31b01a0f75e02a615cd639d261c44e55aa54778769d38ffc59f0086352c6f648116

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
Filesize
144KB

MD5
b2dbe169afe0e6060a4b85a9813a6f23

SHA1
9a3ba3bb20bc3a240d4e1bd1c0758c4f50001b6f

SHA256
539a1d4bd44fb87e6a1b78393206e923b33b7f6e4df6dc5a2be93757de8f119b

SHA512
a291c86342d2f44e6bd8113f849ce1773e53f130c47f75b67f298e19d178d31b01a0f75e02a615cd639d261c44e55aa54778769d38ffc59f0086352c6f648116

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
Filesize
144KB

MD5
b2dbe169afe0e6060a4b85a9813a6f23

SHA1
9a3ba3bb20bc3a240d4e1bd1c0758c4f50001b6f

SHA256
539a1d4bd44fb87e6a1b78393206e923b33b7f6e4df6dc5a2be93757de8f119b

SHA512
a291c86342d2f44e6bd8113f849ce1773e53f130c47f75b67f298e19d178d31b01a0f75e02a615cd639d261c44e55aa54778769d38ffc59f0086352c6f648116

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
Filesize
144KB

MD5
b2dbe169afe0e6060a4b85a9813a6f23

SHA1
9a3ba3bb20bc3a240d4e1bd1c0758c4f50001b6f

SHA256
539a1d4bd44fb87e6a1b78393206e923b33b7f6e4df6dc5a2be93757de8f119b

SHA512
a291c86342d2f44e6bd8113f849ce1773e53f130c47f75b67f298e19d178d31b01a0f75e02a615cd639d261c44e55aa54778769d38ffc59f0086352c6f648116

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
Filesize
144KB

MD5
b2dbe169afe0e6060a4b85a9813a6f23

SHA1
9a3ba3bb20bc3a240d4e1bd1c0758c4f50001b6f

SHA256
539a1d4bd44fb87e6a1b78393206e923b33b7f6e4df6dc5a2be93757de8f119b

SHA512
a291c86342d2f44e6bd8113f849ce1773e53f130c47f75b67f298e19d178d31b01a0f75e02a615cd639d261c44e55aa54778769d38ffc59f0086352c6f648116

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
Filesize
144KB

MD5
b2dbe169afe0e6060a4b85a9813a6f23

SHA1
9a3ba3bb20bc3a240d4e1bd1c0758c4f50001b6f

SHA256
539a1d4bd44fb87e6a1b78393206e923b33b7f6e4df6dc5a2be93757de8f119b

SHA512
a291c86342d2f44e6bd8113f849ce1773e53f130c47f75b67f298e19d178d31b01a0f75e02a615cd639d261c44e55aa54778769d38ffc59f0086352c6f648116

Download Submit
memory/844-56-0x0000000000000000-mapping.dmp

Download
memory/1252-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download