5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97

Analysis

max time kernel
331s
max time network
406s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe
Size

276KB
MD5

b2e03aa10955aa1dfa6dc55bbebd211f
SHA1

cf9baf7093587a9a6c658f737512a1d86d17d02d
SHA256

5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97
SHA512

2a9f2b4feb7475bd91345cd64bc101230aa4786a063f9ef13e422dceac4d933261e8b925d89fa074a6a4f129912eff15b4420964c39fc1812ed22510e30063e4
SSDEEP

6144:djbeih/ghyYEsQvh6ym7cicArcQeNAPrmghm2c5:du9asQvFril+ATmgK

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1760	xuahaid.exe
2900	xxxx.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1760	xuahaid.exe
1760	xuahaid.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 1760	4272	5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe	84
PID 4272 wrote to memory of 1760	4272	5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe	84
PID 4272 wrote to memory of 1760	4272	5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe	84
PID 4272 wrote to memory of 2900	4272	5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe	86
PID 4272 wrote to memory of 2900	4272	5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe	86
PID 4272 wrote to memory of 2900	4272	5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe	86

C:\Users\Admin\AppData\Local\Temp\5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe
"C:\Users\Admin\AppData\Local\Temp\5f17b202c76ab68dcc212a32fe5665f949f0261a37e7ce7264e3eba9fbf0fb97.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xuahaid.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xuahaid.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1760
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xxxx.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xxxx.exe
  2⤵
  - Executes dropped EXE
  PID:2900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xuahaid.exe

Filesize
108KB

MD5
64e4f8f7c352081cc379b35e7d9d10ca

SHA1
0177c3acac0c72307b0e12db50b6f7a55773932e

SHA256
90bc288407c169f307fafbddd170b817fe5584f5cbacb094947151fe453e44e5

SHA512
b091532a794c3ceac244d8f6bf2da7cacba121e442704981e22e29b7857671adaf63a8762d314e9b4edf70130fb7f315b540e9727460362a3e9b1752878b70b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xuahaid.exe

Filesize
108KB

MD5
64e4f8f7c352081cc379b35e7d9d10ca

SHA1
0177c3acac0c72307b0e12db50b6f7a55773932e

SHA256
90bc288407c169f307fafbddd170b817fe5584f5cbacb094947151fe453e44e5

SHA512
b091532a794c3ceac244d8f6bf2da7cacba121e442704981e22e29b7857671adaf63a8762d314e9b4edf70130fb7f315b540e9727460362a3e9b1752878b70b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xxxx.exe

Filesize
186KB

MD5
b7d78481dae0b30bd45628507e5a2251

SHA1
7a4ffa24354bcef42938ebf7c9f295cd43983df0

SHA256
f512df19a3e8ed82d035ac1ca180b10c9a9d23b05238c64d51ed0e9655b23a86

SHA512
8d466ecf754465b0935812bcf84d3b752dfa47126ac0880d36c6508abc259baacb60c54f06b5e93fe8bbc431ee7515934e39e1ae8ef6319cb18e50d4a2cc3914

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xxxx.exe

Filesize
186KB

MD5
b7d78481dae0b30bd45628507e5a2251

SHA1
7a4ffa24354bcef42938ebf7c9f295cd43983df0

SHA256
f512df19a3e8ed82d035ac1ca180b10c9a9d23b05238c64d51ed0e9655b23a86

SHA512
8d466ecf754465b0935812bcf84d3b752dfa47126ac0880d36c6508abc259baacb60c54f06b5e93fe8bbc431ee7515934e39e1ae8ef6319cb18e50d4a2cc3914

Download Submit
memory/2900-141-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2900-142-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2900-143-0x00000000001F0000-0x00000000001F4000-memory.dmp

Filesize
16KB

Download
memory/2900-144-0x00000000007D0000-0x0000000000809000-memory.dmp

Filesize
228KB

Download
memory/2900-145-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download