aecfaee5f12440584414d6977bc11e6a694c85609dac4ce139cd73836a3f2ec7

Analysis

max time kernel
92s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aecfaee5f12440584414d6977bc11e6a694c85609dac4ce139cd73836a3f2ec7.exe
Size

666KB
MD5

a62a416dfb53940772b13514b800b4f1
SHA1

8beef1d2a8d293296dbc8de83c61bdcc823df432
SHA256

aecfaee5f12440584414d6977bc11e6a694c85609dac4ce139cd73836a3f2ec7
SHA512

f8d691fa08a6f473a3cb30212d10d1c305c0677e8701f1b4b6d8de48462f13029af796959de7eac2367660ad4fba2657775df7fa4f7b165346725204cbc204a4
SSDEEP

6144:XKwLo718B2JZCMFUer72TYu1TRsWCyN04dWHPP6E/blw6PS/69ARcx03/UXXn/Hk:jLopUDTRATllS/0xkMXn/dYye

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1236	VCECrack.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	aecfaee5f12440584414d6977bc11e6a694c85609dac4ce139cd73836a3f2ec7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	aecfaee5f12440584414d6977bc11e6a694c85609dac4ce139cd73836a3f2ec7.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 1236	1080	aecfaee5f12440584414d6977bc11e6a694c85609dac4ce139cd73836a3f2ec7.exe	78
PID 1080 wrote to memory of 1236	1080	aecfaee5f12440584414d6977bc11e6a694c85609dac4ce139cd73836a3f2ec7.exe	78
PID 1080 wrote to memory of 1236	1080	aecfaee5f12440584414d6977bc11e6a694c85609dac4ce139cd73836a3f2ec7.exe	78

C:\Users\Admin\AppData\Local\Temp\aecfaee5f12440584414d6977bc11e6a694c85609dac4ce139cd73836a3f2ec7.exe
"C:\Users\Admin\AppData\Local\Temp\aecfaee5f12440584414d6977bc11e6a694c85609dac4ce139cd73836a3f2ec7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCECrack.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCECrack.exe
  2⤵
  - Executes dropped EXE
  PID:1236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCECrack.exe

Filesize
742KB

MD5
42d69e581683ab16751180e2b93e6baa

SHA1
51d4131f0dfdbea4acf9d46ad85d05d214ad112e

SHA256
5c4c16134b89d1686d6fb7a50437b30b1cf6901bf2c2b64555d5eeaaf0be10a4

SHA512
e7d8882fc1609f18e9a6f3df7ba978b9d7b4631f42071167d0013a967761a2b60b7a0518a7fc238dd2d9476a1206da09bd401d8541f504880a08cabb9d7e5f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCECrack.exe

Filesize
742KB

MD5
42d69e581683ab16751180e2b93e6baa

SHA1
51d4131f0dfdbea4acf9d46ad85d05d214ad112e

SHA256
5c4c16134b89d1686d6fb7a50437b30b1cf6901bf2c2b64555d5eeaaf0be10a4

SHA512
e7d8882fc1609f18e9a6f3df7ba978b9d7b4631f42071167d0013a967761a2b60b7a0518a7fc238dd2d9476a1206da09bd401d8541f504880a08cabb9d7e5f70

Download Submit
memory/1236-135-0x00000000004C0000-0x0000000000582000-memory.dmp

Filesize
776KB

Download
memory/1236-136-0x0000000004F00000-0x0000000004F9C000-memory.dmp

Filesize
624KB

Download
memory/1236-137-0x0000000005550000-0x0000000005AF4000-memory.dmp

Filesize
5.6MB

Download
memory/1236-138-0x0000000005040000-0x00000000050D2000-memory.dmp

Filesize
584KB

Download
memory/1236-139-0x0000000004FC0000-0x0000000004FCA000-memory.dmp

Filesize
40KB

Download
memory/1236-140-0x0000000005250000-0x00000000052A6000-memory.dmp

Filesize
344KB

Download