ca91a7712a50d503930f4c883c58e7658cf9161e6908766cbf97c6d718931544

Analysis

max time kernel
237s
max time network
333s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca91a7712a50d503930f4c883c58e7658cf9161e6908766cbf97c6d718931544.exe
Size

968KB
MD5

e914a42b1b90cbaaaad423982da21952
SHA1

3970f102609d2de476ec3a9196099db9d213180d
SHA256

ca91a7712a50d503930f4c883c58e7658cf9161e6908766cbf97c6d718931544
SHA512

793405bdf8de894cb2520f743275e4eb893e99c149171af86035ccb8795604873c57470ef3ff61e5b42a9b2addae1bb688cbb003b82edd7d4e2531c652fd6574
SSDEEP

12288:EMP+aXfwK5KVCfj8HUD3xwheh9K6EFOMmimslOvTwnJlu3bohu8bxw0YZ:z+I5uCb80bxwshD6Y9Inrurok8FW

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1120	server2.exe
1908	Server.exe
1580	server2.exe

Loads dropped DLL 4 IoCs

pid	Process
472	ca91a7712a50d503930f4c883c58e7658cf9161e6908766cbf97c6d718931544.exe
472	ca91a7712a50d503930f4c883c58e7658cf9161e6908766cbf97c6d718931544.exe
1120	server2.exe
1120	server2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	server2.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	server2.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\server2.exe	ca91a7712a50d503930f4c883c58e7658cf9161e6908766cbf97c6d718931544.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1580 set thread context of 1676	1580	server2.exe	31

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\server2.exe	Server.exe
File created	C:\Windows\server2.exe	Server.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	Server.exe
Token: SeDebugPrivilege	1580	server2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
472	ca91a7712a50d503930f4c883c58e7658cf9161e6908766cbf97c6d718931544.exe
472	ca91a7712a50d503930f4c883c58e7658cf9161e6908766cbf97c6d718931544.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 472 wrote to memory of 1120	472	ca91a7712a50d503930f4c883c58e7658cf9161e6908766cbf97c6d718931544.exe	28
PID 472 wrote to memory of 1120	472	ca91a7712a50d503930f4c883c58e7658cf9161e6908766cbf97c6d718931544.exe	28
PID 472 wrote to memory of 1120	472	ca91a7712a50d503930f4c883c58e7658cf9161e6908766cbf97c6d718931544.exe	28
PID 472 wrote to memory of 1120	472	ca91a7712a50d503930f4c883c58e7658cf9161e6908766cbf97c6d718931544.exe	28
PID 1120 wrote to memory of 1908	1120	server2.exe	29
PID 1120 wrote to memory of 1908	1120	server2.exe	29
PID 1120 wrote to memory of 1908	1120	server2.exe	29
PID 1120 wrote to memory of 1908	1120	server2.exe	29
PID 1580 wrote to memory of 1676	1580	server2.exe	31
PID 1580 wrote to memory of 1676	1580	server2.exe	31
PID 1580 wrote to memory of 1676	1580	server2.exe	31
PID 1580 wrote to memory of 1676	1580	server2.exe	31
PID 1580 wrote to memory of 1676	1580	server2.exe	31
PID 1580 wrote to memory of 1676	1580	server2.exe	31

C:\Users\Admin\AppData\Local\Temp\ca91a7712a50d503930f4c883c58e7658cf9161e6908766cbf97c6d718931544.exe
"C:\Users\Admin\AppData\Local\Temp\ca91a7712a50d503930f4c883c58e7658cf9161e6908766cbf97c6d718931544.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:472
- C:\Windows\SysWOW64\server2.exe
  C:\Windows\system32\/server2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1908

C:\Windows\server2.exe
C:\Windows\server2.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580
- C:\WINDOWS\SysWOW64\svchost.exe
  C:\WINDOWS\system32\svchost.exe
  2⤵
  PID:1676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe

Filesize
793KB

MD5
fc24eb710a685f7fee1397b773f23c3e

SHA1
45dff089cbe67cb495eab16f24fcc241aedc4e87

SHA256
1bbb792654b48206e68194afd1129dfe44f3593f33eedfa4d5d07c1208b84989

SHA512
2afab9be1cbba731695c896f6df09c6ac40e1894691d2203a79d9cd2955076a62965ea34a31f39f45408b3225850b199af6ba8e86d1500176506fe804c1a0080

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe

Filesize
793KB

MD5
fc24eb710a685f7fee1397b773f23c3e

SHA1
45dff089cbe67cb495eab16f24fcc241aedc4e87

SHA256
1bbb792654b48206e68194afd1129dfe44f3593f33eedfa4d5d07c1208b84989

SHA512
2afab9be1cbba731695c896f6df09c6ac40e1894691d2203a79d9cd2955076a62965ea34a31f39f45408b3225850b199af6ba8e86d1500176506fe804c1a0080

Download Submit
C:\Windows\SysWOW64\server2.exe

Filesize
392KB

MD5
f9a7a5421b233c25905c2ad97e9a1fac

SHA1
2acecb13387e7b0bfd489c1738c3d903cfc0ac39

SHA256
91e11135315c6107c57849be19f4566b002628d70b29696c948c87d7500acf19

SHA512
3995a67c7411d97da8d72018de9e5e8af1e02c6401ee5c82b7886726c0485c611398b1edd6fcffb743a67981a3d4540b7432929464bea336f005db5638dc5f66

Download Submit
C:\Windows\server2.exe

Filesize
793KB

MD5
fc24eb710a685f7fee1397b773f23c3e

SHA1
45dff089cbe67cb495eab16f24fcc241aedc4e87

SHA256
1bbb792654b48206e68194afd1129dfe44f3593f33eedfa4d5d07c1208b84989

SHA512
2afab9be1cbba731695c896f6df09c6ac40e1894691d2203a79d9cd2955076a62965ea34a31f39f45408b3225850b199af6ba8e86d1500176506fe804c1a0080

Download Submit
C:\Windows\server2.exe

Filesize
793KB

MD5
fc24eb710a685f7fee1397b773f23c3e

SHA1
45dff089cbe67cb495eab16f24fcc241aedc4e87

SHA256
1bbb792654b48206e68194afd1129dfe44f3593f33eedfa4d5d07c1208b84989

SHA512
2afab9be1cbba731695c896f6df09c6ac40e1894691d2203a79d9cd2955076a62965ea34a31f39f45408b3225850b199af6ba8e86d1500176506fe804c1a0080

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe

Filesize
793KB

MD5
fc24eb710a685f7fee1397b773f23c3e

SHA1
45dff089cbe67cb495eab16f24fcc241aedc4e87

SHA256
1bbb792654b48206e68194afd1129dfe44f3593f33eedfa4d5d07c1208b84989

SHA512
2afab9be1cbba731695c896f6df09c6ac40e1894691d2203a79d9cd2955076a62965ea34a31f39f45408b3225850b199af6ba8e86d1500176506fe804c1a0080

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe

Filesize
793KB

MD5
fc24eb710a685f7fee1397b773f23c3e

SHA1
45dff089cbe67cb495eab16f24fcc241aedc4e87

SHA256
1bbb792654b48206e68194afd1129dfe44f3593f33eedfa4d5d07c1208b84989

SHA512
2afab9be1cbba731695c896f6df09c6ac40e1894691d2203a79d9cd2955076a62965ea34a31f39f45408b3225850b199af6ba8e86d1500176506fe804c1a0080

Download Submit
\Windows\SysWOW64\server2.exe

Filesize
392KB

MD5
f9a7a5421b233c25905c2ad97e9a1fac

SHA1
2acecb13387e7b0bfd489c1738c3d903cfc0ac39

SHA256
91e11135315c6107c57849be19f4566b002628d70b29696c948c87d7500acf19

SHA512
3995a67c7411d97da8d72018de9e5e8af1e02c6401ee5c82b7886726c0485c611398b1edd6fcffb743a67981a3d4540b7432929464bea336f005db5638dc5f66

Download Submit
\Windows\SysWOW64\server2.exe

Filesize
392KB

MD5
f9a7a5421b233c25905c2ad97e9a1fac

SHA1
2acecb13387e7b0bfd489c1738c3d903cfc0ac39

SHA256
91e11135315c6107c57849be19f4566b002628d70b29696c948c87d7500acf19

SHA512
3995a67c7411d97da8d72018de9e5e8af1e02c6401ee5c82b7886726c0485c611398b1edd6fcffb743a67981a3d4540b7432929464bea336f005db5638dc5f66

Download Submit
memory/472-69-0x0000000002A40000-0x0000000002B05000-memory.dmp

Filesize
788KB

Download
memory/472-56-0x0000000002A40000-0x0000000002B05000-memory.dmp

Filesize
788KB

Download
memory/472-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/1120-60-0x0000000001000000-0x00000000010C5000-memory.dmp

Filesize
788KB

Download
memory/1120-67-0x0000000000280000-0x000000000034F000-memory.dmp

Filesize
828KB

Download
memory/1120-66-0x0000000000280000-0x000000000034F000-memory.dmp

Filesize
828KB

Download
memory/1120-71-0x0000000001000000-0x00000000010C5000-memory.dmp

Filesize
788KB

Download
memory/1120-81-0x0000000001000000-0x00000000010C5000-memory.dmp

Filesize
788KB

Download
memory/1580-75-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/1580-82-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/1676-79-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1908-68-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/1908-72-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download