5a5fc932fb93732eb7d3997f591c0e1a5bacf6b23ba8e9ccdce3aa54a6245c9e

Analysis

max time kernel
161s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a5fc932fb93732eb7d3997f591c0e1a5bacf6b23ba8e9ccdce3aa54a6245c9e.exe
Size

752KB
MD5

b285a70221c729ae7cb4488b8728e197
SHA1

2d9a32b0f9c0ebb89fa38bda85b50cd67aa86f6b
SHA256

5a5fc932fb93732eb7d3997f591c0e1a5bacf6b23ba8e9ccdce3aa54a6245c9e
SHA512

94f0d0b5279c18b524bbf2d22dcf34e5888c84526615f072252b8c9ff9b449795e0490ed084fcc73d590149cb33ab2a51cfa4f6b9f4a1c922a74370b0a8acf69
SSDEEP

12288:YJw+Kt1LJmoWN+rfO9gOhg8WVJlV1mlx5sN17t4BapIWnYYuAncBHVB0Z5:Y9irj29gOe8mycN172BXjAmo5

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4636	X7server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5a5fc932fb93732eb7d3997f591c0e1a5bacf6b23ba8e9ccdce3aa54a6245c9e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5a5fc932fb93732eb7d3997f591c0e1a5bacf6b23ba8e9ccdce3aa54a6245c9e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 4636	2200	5a5fc932fb93732eb7d3997f591c0e1a5bacf6b23ba8e9ccdce3aa54a6245c9e.exe	80
PID 2200 wrote to memory of 4636	2200	5a5fc932fb93732eb7d3997f591c0e1a5bacf6b23ba8e9ccdce3aa54a6245c9e.exe	80
PID 2200 wrote to memory of 4636	2200	5a5fc932fb93732eb7d3997f591c0e1a5bacf6b23ba8e9ccdce3aa54a6245c9e.exe	80

C:\Users\Admin\AppData\Local\Temp\5a5fc932fb93732eb7d3997f591c0e1a5bacf6b23ba8e9ccdce3aa54a6245c9e.exe
"C:\Users\Admin\AppData\Local\Temp\5a5fc932fb93732eb7d3997f591c0e1a5bacf6b23ba8e9ccdce3aa54a6245c9e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\X7server.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\X7server.exe
  2⤵
  - Executes dropped EXE
  PID:4636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\X7server.exe

Filesize
2.2MB

MD5
975c0c6c86d1db36238b96b9725cc189

SHA1
15ae5cc19840dc99a8f2ffbab3d5b55757d94bf3

SHA256
3a87f563700d4f06cd3bffdc6d88a4fa0cab8111a522b7a1d1e5946a3a47303d

SHA512
0e91586ec74b17e0600e7607a863d72eea71dd8b988d9a91b0f1a50f1f93f5b1d0feef9be5534339b1cac5383ba7ca4e054789ef154c2c3a9fee30a89646b632

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\X7server.exe

Filesize
2.2MB

MD5
975c0c6c86d1db36238b96b9725cc189

SHA1
15ae5cc19840dc99a8f2ffbab3d5b55757d94bf3

SHA256
3a87f563700d4f06cd3bffdc6d88a4fa0cab8111a522b7a1d1e5946a3a47303d

SHA512
0e91586ec74b17e0600e7607a863d72eea71dd8b988d9a91b0f1a50f1f93f5b1d0feef9be5534339b1cac5383ba7ca4e054789ef154c2c3a9fee30a89646b632

Download Submit