Analysis
- max time kernel: 191s
- max time network: 213s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-12-2022 03:16
Static task: static1
Behavioral task: behavioral1
- Sample: 7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe
- Resource: win10v2004-20221111-en
General
- Target: 7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe
- Size: 289KB
- MD5: 7c5076f4818ad83b85c386d14a10a894
- SHA1: 506aaae1de0316b8b20b94905f35a582ef659465
- SHA256: 7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051
- SHA512: 0a1d4a9a40af1b25db0ff643cc271e1dd0edb07076fa166b20c60413bde2976fa4c83fc9048de60c60d47ba222f38c0c1e1665fd81367b862bead270331def80
- SSDEEP: 6144:4WqA/eRFp0yN90QE6KntvLfggDsMLDwP:R/eay904+xLfggDFDwP
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  4376  Explorer.exe
  1336  TRADEH~1.EXE
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Key created
  ioc: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Process: 7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: 7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  4376  Explorer.exe
  1336  TRADEH~1.EXE
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 1532 wrote to memory of 4376   1532  7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe  81
  PID 1532 wrote to memory of 4376   1532  7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe  81
  PID 1532 wrote to memory of 4376   1532  7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe  81
  PID 1532 wrote to memory of 1336   1532  7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe  82
  PID 1532 wrote to memory of 1336   1532  7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe  82
  PID 1532 wrote to memory of 1336   1532  7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe  82
Processes
- C:\Users\Admin\AppData\Local\Temp\7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 1532
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Explorer.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Explorer.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 4376
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TRADEH~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TRADEH~1.EXE
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 1336
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 165KB
  MD5: b0edea124678797b44fed1538f11ca24
  SHA1: 4c5bbc2f697db486257eaba821ade6839e4919f2
  SHA256: 26360b2600590cdedb3f1f187d164ebff66ba778d9109bdddc41cf3ce55d262c
  SHA512: aac67d35a0f9a038f11a70f8e77723af03696107e9d1d2dca07a00a87e0ff6b271a0e01f8b6c33e739ca3ef49efae4affc557ad0ebcc4bad5fda3d3d752e34ad
- Filesize: 132KB
  MD5: 0d865f10d62629b3770236c44ed5b550
  SHA1: 9b811bde849a849531949b326459b8f21f67b5c9
  SHA256: 88ae7fcedc0d8bd1ced63a5757c31823843c02b4eaf7ae2b664f0236b5f579b0
  SHA512: f95f8e4e5e108ea15d01bf62c3fedf9ddfb957bb594cb4f337bdaa858765973c24accbb4c039ed44ddd2042349d9b43fde681e975d63f56cbe66691f9159c900