99d615b1cfa434bd01c33326ee104cb953a3a20a67b0a0d717e98cd0d0d5c832

Analysis

max time kernel
248s
max time network
327s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99d615b1cfa434bd01c33326ee104cb953a3a20a67b0a0d717e98cd0d0d5c832.exe
Size

858KB
MD5

fdfa861c2db8b025aceb4cd8237b027f
SHA1

59f30a56616eba7c1f2e1a2605ece423ece42551
SHA256

99d615b1cfa434bd01c33326ee104cb953a3a20a67b0a0d717e98cd0d0d5c832
SHA512

61b9bef0ae0ceddb692790b8cb18556c368345b69dd438787f80d78b716c1dbdde2d96241589016dacffe082dd7d34edf180be00644267f3db3b594ffe7a7266
SSDEEP

24576:KyRR5UbHN5kxZe/N9DiD1Oi/BZ+eJVSw:RRfw5kQ/N9lQZr

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3200	ppi.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	99d615b1cfa434bd01c33326ee104cb953a3a20a67b0a0d717e98cd0d0d5c832.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	99d615b1cfa434bd01c33326ee104cb953a3a20a67b0a0d717e98cd0d0d5c832.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3200	ppi.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3200	ppi.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 3200	4904	99d615b1cfa434bd01c33326ee104cb953a3a20a67b0a0d717e98cd0d0d5c832.exe	81
PID 4904 wrote to memory of 3200	4904	99d615b1cfa434bd01c33326ee104cb953a3a20a67b0a0d717e98cd0d0d5c832.exe	81
PID 4904 wrote to memory of 3200	4904	99d615b1cfa434bd01c33326ee104cb953a3a20a67b0a0d717e98cd0d0d5c832.exe	81

C:\Users\Admin\AppData\Local\Temp\99d615b1cfa434bd01c33326ee104cb953a3a20a67b0a0d717e98cd0d0d5c832.exe
"C:\Users\Admin\AppData\Local\Temp\99d615b1cfa434bd01c33326ee104cb953a3a20a67b0a0d717e98cd0d0d5c832.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe

Filesize
256KB

MD5
89529996093c633a39fb4fc11b65cf10

SHA1
0c01b87eb04d80db6fee5927ebd2dc0548d0262f

SHA256
81a69181f13b3dc3de1b9c56f40b10077403127f722d5f025e12b9bac4b9519b

SHA512
1b356c0f43fb5272ff95c43710c32c015febea6417c8ac912a19717ff6fbb092edfe9d07f11783747e95ddeb2da4c9ced439b3ec71b2d0d034f76621f556089f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe

Filesize
256KB

MD5
89529996093c633a39fb4fc11b65cf10

SHA1
0c01b87eb04d80db6fee5927ebd2dc0548d0262f

SHA256
81a69181f13b3dc3de1b9c56f40b10077403127f722d5f025e12b9bac4b9519b

SHA512
1b356c0f43fb5272ff95c43710c32c015febea6417c8ac912a19717ff6fbb092edfe9d07f11783747e95ddeb2da4c9ced439b3ec71b2d0d034f76621f556089f

Download Submit
memory/3200-135-0x0000000074520000-0x0000000074AD1000-memory.dmp

Filesize
5.7MB

Download
memory/3200-136-0x0000000074520000-0x0000000074AD1000-memory.dmp

Filesize
5.7MB

Download