e6c2692956a537d547f546033f64931f841fb76761394fbd44926edac241cadc

Analysis

max time kernel
112s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 03:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6c2692956a537d547f546033f64931f841fb76761394fbd44926edac241cadc.exe
Size

225KB
MD5

a1108307960898729aded1f2942b3f89
SHA1

b6646a1350b8b6182ebd303ac6d357828932f530
SHA256

e6c2692956a537d547f546033f64931f841fb76761394fbd44926edac241cadc
SHA512

451fc2a899b9fa4004decebb155f16bde864f51af852eca6bfa452f572325deffb4d0384243d01ac97b56f34ca302c95ae69838ba26fa04c25a4a5088936874f
SSDEEP

6144:8tYftLCuROIR54m4st8sBLNImwpZyN90uE:8tY5CuUu/4UxN4y90

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4504	Calc64.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	e6c2692956a537d547f546033f64931f841fb76761394fbd44926edac241cadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e6c2692956a537d547f546033f64931f841fb76761394fbd44926edac241cadc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4504	Calc64.exe
4504	Calc64.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 4504	4444	e6c2692956a537d547f546033f64931f841fb76761394fbd44926edac241cadc.exe	79
PID 4444 wrote to memory of 4504	4444	e6c2692956a537d547f546033f64931f841fb76761394fbd44926edac241cadc.exe	79

C:\Users\Admin\AppData\Local\Temp\e6c2692956a537d547f546033f64931f841fb76761394fbd44926edac241cadc.exe
"C:\Users\Admin\AppData\Local\Temp\e6c2692956a537d547f546033f64931f841fb76761394fbd44926edac241cadc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Calc64.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Calc64.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Calc64.exe

Filesize
47KB

MD5
d72e08b67d46cb681ccf1dcba5204c5c

SHA1
b4045f23deb6ab6152afe88592a46661e3612d2e

SHA256
32909c29d964a2fbf6919e609fdabfae919163abec3cf9c421f69c4d6a6091a6

SHA512
aa837e6f63c51b9f66ff55fc49076a658251f9b0fdd8be1e5d9ba5462c1e336d9ce4784caebf06e582f55012e8944124a4a6116d9e17b0473dcc1eb66d010699

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Calc64.exe

Filesize
47KB

MD5
d72e08b67d46cb681ccf1dcba5204c5c

SHA1
b4045f23deb6ab6152afe88592a46661e3612d2e

SHA256
32909c29d964a2fbf6919e609fdabfae919163abec3cf9c421f69c4d6a6091a6

SHA512
aa837e6f63c51b9f66ff55fc49076a658251f9b0fdd8be1e5d9ba5462c1e336d9ce4784caebf06e582f55012e8944124a4a6116d9e17b0473dcc1eb66d010699

Download Submit
memory/4444-132-0x0000000100000000-0x0000000100061000-memory.dmp

Filesize
388KB

Download
memory/4444-136-0x0000000100000000-0x0000000100061000-memory.dmp

Filesize
388KB

Download