5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97

Analysis

max time kernel
42s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe
Size

276KB
MD5

b2e03aa10955aa1dfa6dc55bbebd211f
SHA1

cf9baf7093587a9a6c658f737512a1d86d17d02d
SHA256

5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97
SHA512

2a9f2b4feb7475bd91345cd64bc101230aa4786a063f9ef13e422dceac4d933261e8b925d89fa074a6a4f129912eff15b4420964c39fc1812ed22510e30063e4
SSDEEP

6144:djbeih/ghyYEsQvh6ym7cicArcQeNAPrmghm2c5:du9asQvFril+ATmgK

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1208	xuahaid.exe
660	xxxx.exe

Loads dropped DLL 6 IoCs

pid	Process
1352	5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe
1352	5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe
1208	xuahaid.exe
1352	5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe
1352	5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe
660	xxxx.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
660	xxxx.exe
660	xxxx.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1208	xuahaid.exe
1208	xuahaid.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 1208	1352	5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe	28
PID 1352 wrote to memory of 1208	1352	5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe	28
PID 1352 wrote to memory of 1208	1352	5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe	28
PID 1352 wrote to memory of 1208	1352	5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe	28
PID 1352 wrote to memory of 1208	1352	5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe	28
PID 1352 wrote to memory of 1208	1352	5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe	28
PID 1352 wrote to memory of 1208	1352	5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe	28
PID 1352 wrote to memory of 660	1352	5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe	29
PID 1352 wrote to memory of 660	1352	5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe	29
PID 1352 wrote to memory of 660	1352	5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe	29
PID 1352 wrote to memory of 660	1352	5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe	29
PID 1352 wrote to memory of 660	1352	5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe	29
PID 1352 wrote to memory of 660	1352	5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe	29
PID 1352 wrote to memory of 660	1352	5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe	29
PID 660 wrote to memory of 1276	660	xxxx.exe	9
PID 660 wrote to memory of 1276	660	xxxx.exe	9
PID 660 wrote to memory of 1276	660	xxxx.exe	9
PID 660 wrote to memory of 1276	660	xxxx.exe	9

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1276
- C:\Users\Admin\AppData\Local\Temp\5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe
  "C:\Users\Admin\AppData\Local\Temp\5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xuahaid.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xuahaid.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1208
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xxxx.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xxxx.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xuahaid.exe

Filesize
108KB

MD5
64e4f8f7c352081cc379b35e7d9d10ca

SHA1
0177c3acac0c72307b0e12db50b6f7a55773932e

SHA256
90bc288407c169f307fafbddd170b817fe5584f5cbacb094947151fe453e44e5

SHA512
b091532a794c3ceac244d8f6bf2da7cacba121e442704981e22e29b7857671adaf63a8762d314e9b4edf70130fb7f315b540e9727460362a3e9b1752878b70b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xuahaid.exe

Filesize
108KB

MD5
64e4f8f7c352081cc379b35e7d9d10ca

SHA1
0177c3acac0c72307b0e12db50b6f7a55773932e

SHA256
90bc288407c169f307fafbddd170b817fe5584f5cbacb094947151fe453e44e5

SHA512
b091532a794c3ceac244d8f6bf2da7cacba121e442704981e22e29b7857671adaf63a8762d314e9b4edf70130fb7f315b540e9727460362a3e9b1752878b70b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xxxx.exe

Filesize
186KB

MD5
b7d78481dae0b30bd45628507e5a2251

SHA1
7a4ffa24354bcef42938ebf7c9f295cd43983df0

SHA256
f512df19a3e8ed82d035ac1ca180b10c9a9d23b05238c64d51ed0e9655b23a86

SHA512
8d466ecf754465b0935812bcf84d3b752dfa47126ac0880d36c6508abc259baacb60c54f06b5e93fe8bbc431ee7515934e39e1ae8ef6319cb18e50d4a2cc3914

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xxxx.exe

Filesize
186KB

MD5
b7d78481dae0b30bd45628507e5a2251

SHA1
7a4ffa24354bcef42938ebf7c9f295cd43983df0

SHA256
f512df19a3e8ed82d035ac1ca180b10c9a9d23b05238c64d51ed0e9655b23a86

SHA512
8d466ecf754465b0935812bcf84d3b752dfa47126ac0880d36c6508abc259baacb60c54f06b5e93fe8bbc431ee7515934e39e1ae8ef6319cb18e50d4a2cc3914

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xxxx.exe-up.txt

Filesize
7KB

MD5
81104a20c50ead8a765ce24036f22a65

SHA1
b8014e96ef345f50b9d72502b8ce5191f0e54549

SHA256
672714e0f8f9960a0b98aaaa356f91e80f07d2917ef2627d355f93de78ad4a30

SHA512
9e6e0fe5b80d57c0654043f83ce2fbc2c9dfbe7a2d1074cac53916895b08081a0109dc8f97c4b77b2dbb02bf8e47989951c5e81f7ae2aaadad8e1f8cbcf32421

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\xuahaid.exe

Filesize
108KB

MD5
64e4f8f7c352081cc379b35e7d9d10ca

SHA1
0177c3acac0c72307b0e12db50b6f7a55773932e

SHA256
90bc288407c169f307fafbddd170b817fe5584f5cbacb094947151fe453e44e5

SHA512
b091532a794c3ceac244d8f6bf2da7cacba121e442704981e22e29b7857671adaf63a8762d314e9b4edf70130fb7f315b540e9727460362a3e9b1752878b70b0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\xuahaid.exe

Filesize
108KB

MD5
64e4f8f7c352081cc379b35e7d9d10ca

SHA1
0177c3acac0c72307b0e12db50b6f7a55773932e

SHA256
90bc288407c169f307fafbddd170b817fe5584f5cbacb094947151fe453e44e5

SHA512
b091532a794c3ceac244d8f6bf2da7cacba121e442704981e22e29b7857671adaf63a8762d314e9b4edf70130fb7f315b540e9727460362a3e9b1752878b70b0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\xuahaid.exe

Filesize
108KB

MD5
64e4f8f7c352081cc379b35e7d9d10ca

SHA1
0177c3acac0c72307b0e12db50b6f7a55773932e

SHA256
90bc288407c169f307fafbddd170b817fe5584f5cbacb094947151fe453e44e5

SHA512
b091532a794c3ceac244d8f6bf2da7cacba121e442704981e22e29b7857671adaf63a8762d314e9b4edf70130fb7f315b540e9727460362a3e9b1752878b70b0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\xxxx.exe

Filesize
186KB

MD5
b7d78481dae0b30bd45628507e5a2251

SHA1
7a4ffa24354bcef42938ebf7c9f295cd43983df0

SHA256
f512df19a3e8ed82d035ac1ca180b10c9a9d23b05238c64d51ed0e9655b23a86

SHA512
8d466ecf754465b0935812bcf84d3b752dfa47126ac0880d36c6508abc259baacb60c54f06b5e93fe8bbc431ee7515934e39e1ae8ef6319cb18e50d4a2cc3914

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\xxxx.exe

Filesize
186KB

MD5
b7d78481dae0b30bd45628507e5a2251

SHA1
7a4ffa24354bcef42938ebf7c9f295cd43983df0

SHA256
f512df19a3e8ed82d035ac1ca180b10c9a9d23b05238c64d51ed0e9655b23a86

SHA512
8d466ecf754465b0935812bcf84d3b752dfa47126ac0880d36c6508abc259baacb60c54f06b5e93fe8bbc431ee7515934e39e1ae8ef6319cb18e50d4a2cc3914

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\xxxx.exe

Filesize
186KB

MD5
b7d78481dae0b30bd45628507e5a2251

SHA1
7a4ffa24354bcef42938ebf7c9f295cd43983df0

SHA256
f512df19a3e8ed82d035ac1ca180b10c9a9d23b05238c64d51ed0e9655b23a86

SHA512
8d466ecf754465b0935812bcf84d3b752dfa47126ac0880d36c6508abc259baacb60c54f06b5e93fe8bbc431ee7515934e39e1ae8ef6319cb18e50d4a2cc3914

Download Submit
memory/660-77-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/660-72-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/660-73-0x00000000003C0000-0x00000000003C4000-memory.dmp

Filesize
16KB

Download
memory/660-74-0x0000000000430000-0x0000000000469000-memory.dmp

Filesize
228KB

Download
memory/660-76-0x00000000007F1000-0x00000000007F5000-memory.dmp

Filesize
16KB

Download
memory/660-78-0x0000000000430000-0x0000000000469000-memory.dmp

Filesize
228KB

Download
memory/660-82-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/660-83-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/660-84-0x0000000000430000-0x0000000000469000-memory.dmp

Filesize
228KB

Download
memory/1276-79-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1352-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download