ad405548e707fce47e3f5a7e2b8915ea01882bc559df8d6fc9fd5653822e0390

Analysis

max time kernel
252s
max time network
331s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad405548e707fce47e3f5a7e2b8915ea01882bc559df8d6fc9fd5653822e0390.exe
Size

1.0MB
MD5

68f6ccfc7adc1f07a3b2976a55bfe935
SHA1

d621d37d26429f90be4ddbc632da795951d1ccdd
SHA256

ad405548e707fce47e3f5a7e2b8915ea01882bc559df8d6fc9fd5653822e0390
SHA512

1bea3e9ab40ac3aa5c36a3ebf377c8a7e08e710c84e50ebe17116bfe6b3892444f7181d7dfb6067ecafe62a22b4cae6b9682910f0412e3d12185541d986b02f0
SSDEEP

24576:THm+yp+C2zCO5/9j/De22taI1yh+uPmcoMiSGgTuMLGCTT9:jrPC6CO5x/De22td1ShoPRwjf9

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
752	ctrl12.exe
1644	ctrl12.exe

Loads dropped DLL 4 IoCs

pid	Process
368	ad405548e707fce47e3f5a7e2b8915ea01882bc559df8d6fc9fd5653822e0390.exe
368	ad405548e707fce47e3f5a7e2b8915ea01882bc559df8d6fc9fd5653822e0390.exe
1000	cmd.exe
1000	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ad405548e707fce47e3f5a7e2b8915ea01882bc559df8d6fc9fd5653822e0390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ad405548e707fce47e3f5a7e2b8915ea01882bc559df8d6fc9fd5653822e0390.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 752	368	ad405548e707fce47e3f5a7e2b8915ea01882bc559df8d6fc9fd5653822e0390.exe	28
PID 368 wrote to memory of 752	368	ad405548e707fce47e3f5a7e2b8915ea01882bc559df8d6fc9fd5653822e0390.exe	28
PID 368 wrote to memory of 752	368	ad405548e707fce47e3f5a7e2b8915ea01882bc559df8d6fc9fd5653822e0390.exe	28
PID 368 wrote to memory of 752	368	ad405548e707fce47e3f5a7e2b8915ea01882bc559df8d6fc9fd5653822e0390.exe	28
PID 752 wrote to memory of 1000	752	ctrl12.exe	30
PID 752 wrote to memory of 1000	752	ctrl12.exe	30
PID 752 wrote to memory of 1000	752	ctrl12.exe	30
PID 752 wrote to memory of 1000	752	ctrl12.exe	30
PID 1000 wrote to memory of 1608	1000	cmd.exe	31
PID 1000 wrote to memory of 1608	1000	cmd.exe	31
PID 1000 wrote to memory of 1608	1000	cmd.exe	31
PID 1000 wrote to memory of 1608	1000	cmd.exe	31
PID 1608 wrote to memory of 1760	1608	cmd.exe	32
PID 1608 wrote to memory of 1760	1608	cmd.exe	32
PID 1608 wrote to memory of 1760	1608	cmd.exe	32
PID 1608 wrote to memory of 1760	1608	cmd.exe	32
PID 1000 wrote to memory of 1840	1000	cmd.exe	33
PID 1000 wrote to memory of 1840	1000	cmd.exe	33
PID 1000 wrote to memory of 1840	1000	cmd.exe	33
PID 1000 wrote to memory of 1840	1000	cmd.exe	33
PID 1000 wrote to memory of 1864	1000	cmd.exe	34
PID 1000 wrote to memory of 1864	1000	cmd.exe	34
PID 1000 wrote to memory of 1864	1000	cmd.exe	34
PID 1000 wrote to memory of 1864	1000	cmd.exe	34
PID 1000 wrote to memory of 1644	1000	cmd.exe	35
PID 1000 wrote to memory of 1644	1000	cmd.exe	35
PID 1000 wrote to memory of 1644	1000	cmd.exe	35
PID 1000 wrote to memory of 1644	1000	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\ad405548e707fce47e3f5a7e2b8915ea01882bc559df8d6fc9fd5653822e0390.exe
"C:\Users\Admin\AppData\Local\Temp\ad405548e707fce47e3f5a7e2b8915ea01882bc559df8d6fc9fd5653822e0390.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:368
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ctrl12.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ctrl12.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c MSCOMCF02D_.bat
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG QUERY "HKCU\Software\Valve\Steam" /v SteamPath
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1608
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKCU\Software\Valve\Steam" /v SteamPath
        5⤵
        
        PID:1760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c TIME /T
      4⤵
      PID:1840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c date/T
      4⤵
      PID:1864
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ctrl12.exe
      ctrl12.exe "msftqws.pzw_/d03458a5d0n3f7d8ec54c/10-12-Sat_0103_Admin.hdr" //Clientregistry.blob
      4⤵
      Executes dropped EXE
      PID:1644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSCOMCF02D_.bat

Filesize
754B

MD5
dabf7644854b35bfeb8c426ec3ca88f3

SHA1
4c8e0c9e3c2af131526380199e9c2ff616dc143c

SHA256
00dca29611b629e056e62383a86686d3c9c1f9e02110dd2f168b1c15c70639e2

SHA512
ec2939dce7e407583181a0e1d1f0b1c13c6d2b2814bf355d28e2c166588c23146a401ee4db763dfabe71defcadb4ebcbe258d656475ecf70a0c01b10b6bc3320

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ctrl12.exe

Filesize
55KB

MD5
f34b83f1cee18f80120e334da4e9c4a5

SHA1
1c0910760a2a56aedc5dd351ad4f64ad4736c281

SHA256
dab6bc838b06910f87f3803b36fe29379806b4942708fcd9f460eee20f5d9933

SHA512
56aeb61b2da3db837f5f91158d8d4e253979dd23cf798b4f38354317c10a944944d708f95f114ff1529873cafd2ab6b6455aa9853eb6c0b44340ba4d1d7c2bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ctrl12.exe

Filesize
55KB

MD5
f34b83f1cee18f80120e334da4e9c4a5

SHA1
1c0910760a2a56aedc5dd351ad4f64ad4736c281

SHA256
dab6bc838b06910f87f3803b36fe29379806b4942708fcd9f460eee20f5d9933

SHA512
56aeb61b2da3db837f5f91158d8d4e253979dd23cf798b4f38354317c10a944944d708f95f114ff1529873cafd2ab6b6455aa9853eb6c0b44340ba4d1d7c2bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ctrl12.exe

Filesize
55KB

MD5
f34b83f1cee18f80120e334da4e9c4a5

SHA1
1c0910760a2a56aedc5dd351ad4f64ad4736c281

SHA256
dab6bc838b06910f87f3803b36fe29379806b4942708fcd9f460eee20f5d9933

SHA512
56aeb61b2da3db837f5f91158d8d4e253979dd23cf798b4f38354317c10a944944d708f95f114ff1529873cafd2ab6b6455aa9853eb6c0b44340ba4d1d7c2bf2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ctrl12.exe

Filesize
55KB

MD5
f34b83f1cee18f80120e334da4e9c4a5

SHA1
1c0910760a2a56aedc5dd351ad4f64ad4736c281

SHA256
dab6bc838b06910f87f3803b36fe29379806b4942708fcd9f460eee20f5d9933

SHA512
56aeb61b2da3db837f5f91158d8d4e253979dd23cf798b4f38354317c10a944944d708f95f114ff1529873cafd2ab6b6455aa9853eb6c0b44340ba4d1d7c2bf2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ctrl12.exe

Filesize
55KB

MD5
f34b83f1cee18f80120e334da4e9c4a5

SHA1
1c0910760a2a56aedc5dd351ad4f64ad4736c281

SHA256
dab6bc838b06910f87f3803b36fe29379806b4942708fcd9f460eee20f5d9933

SHA512
56aeb61b2da3db837f5f91158d8d4e253979dd23cf798b4f38354317c10a944944d708f95f114ff1529873cafd2ab6b6455aa9853eb6c0b44340ba4d1d7c2bf2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ctrl12.exe

Filesize
55KB

MD5
f34b83f1cee18f80120e334da4e9c4a5

SHA1
1c0910760a2a56aedc5dd351ad4f64ad4736c281

SHA256
dab6bc838b06910f87f3803b36fe29379806b4942708fcd9f460eee20f5d9933

SHA512
56aeb61b2da3db837f5f91158d8d4e253979dd23cf798b4f38354317c10a944944d708f95f114ff1529873cafd2ab6b6455aa9853eb6c0b44340ba4d1d7c2bf2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ctrl12.exe

Filesize
55KB

MD5
f34b83f1cee18f80120e334da4e9c4a5

SHA1
1c0910760a2a56aedc5dd351ad4f64ad4736c281

SHA256
dab6bc838b06910f87f3803b36fe29379806b4942708fcd9f460eee20f5d9933

SHA512
56aeb61b2da3db837f5f91158d8d4e253979dd23cf798b4f38354317c10a944944d708f95f114ff1529873cafd2ab6b6455aa9853eb6c0b44340ba4d1d7c2bf2

Download Submit