915e57384b8033ca5b4f9da9b65d074efc0d78ebde9c086133d252bb5435e282

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

915e57384b8033ca5b4f9da9b65d074efc0d78ebde9c086133d252bb5435e282.exe
Size

106KB
MD5

fa959f45330ddb02cf7b6225de3ab118
SHA1

3c8367e82578c4b1df0a8e894e2f24c999aa5138
SHA256

915e57384b8033ca5b4f9da9b65d074efc0d78ebde9c086133d252bb5435e282
SHA512

c5e7c60e7712875a359f277e57a23638468517feaacd0e446ca8e1af296fe540bda92f44562edf6b8bc8034d068d773e436bad515549529a1161c9da4031b3fb
SSDEEP

3072:+nj9jtfU+INndIc0J35it1iwCur5Zq4rPw0u:+jbei7XuVpM

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1952	test.exe
944	test.exe
1648	Espaniol3.exe
980	Espaniol3.exe

Loads dropped DLL 5 IoCs

pid	Process
1676	915e57384b8033ca5b4f9da9b65d074efc0d78ebde9c086133d252bb5435e282.exe
1676	915e57384b8033ca5b4f9da9b65d074efc0d78ebde9c086133d252bb5435e282.exe
1952	test.exe
1952	test.exe
944	test.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	test.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows UDP Control Center = "Espaniol3.exe"	test.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	915e57384b8033ca5b4f9da9b65d074efc0d78ebde9c086133d252bb5435e282.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	915e57384b8033ca5b4f9da9b65d074efc0d78ebde9c086133d252bb5435e282.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1952 set thread context of 944	1952	test.exe	29
PID 1648 set thread context of 980	1648	Espaniol3.exe	31

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Espaniol3.exe	test.exe
File opened for modification	C:\Windows\Espaniol3.exe	test.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1952	test.exe
1648	Espaniol3.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 1952	1676	915e57384b8033ca5b4f9da9b65d074efc0d78ebde9c086133d252bb5435e282.exe	28
PID 1676 wrote to memory of 1952	1676	915e57384b8033ca5b4f9da9b65d074efc0d78ebde9c086133d252bb5435e282.exe	28
PID 1676 wrote to memory of 1952	1676	915e57384b8033ca5b4f9da9b65d074efc0d78ebde9c086133d252bb5435e282.exe	28
PID 1676 wrote to memory of 1952	1676	915e57384b8033ca5b4f9da9b65d074efc0d78ebde9c086133d252bb5435e282.exe	28
PID 1676 wrote to memory of 1952	1676	915e57384b8033ca5b4f9da9b65d074efc0d78ebde9c086133d252bb5435e282.exe	28
PID 1676 wrote to memory of 1952	1676	915e57384b8033ca5b4f9da9b65d074efc0d78ebde9c086133d252bb5435e282.exe	28
PID 1676 wrote to memory of 1952	1676	915e57384b8033ca5b4f9da9b65d074efc0d78ebde9c086133d252bb5435e282.exe	28
PID 1952 wrote to memory of 944	1952	test.exe	29
PID 1952 wrote to memory of 944	1952	test.exe	29
PID 1952 wrote to memory of 944	1952	test.exe	29
PID 1952 wrote to memory of 944	1952	test.exe	29
PID 1952 wrote to memory of 944	1952	test.exe	29
PID 1952 wrote to memory of 944	1952	test.exe	29
PID 1952 wrote to memory of 944	1952	test.exe	29
PID 1952 wrote to memory of 944	1952	test.exe	29
PID 1952 wrote to memory of 944	1952	test.exe	29
PID 1952 wrote to memory of 944	1952	test.exe	29
PID 1952 wrote to memory of 944	1952	test.exe	29
PID 1952 wrote to memory of 944	1952	test.exe	29
PID 944 wrote to memory of 1648	944	test.exe	30
PID 944 wrote to memory of 1648	944	test.exe	30
PID 944 wrote to memory of 1648	944	test.exe	30
PID 944 wrote to memory of 1648	944	test.exe	30
PID 944 wrote to memory of 1648	944	test.exe	30
PID 944 wrote to memory of 1648	944	test.exe	30
PID 944 wrote to memory of 1648	944	test.exe	30
PID 1648 wrote to memory of 980	1648	Espaniol3.exe	31
PID 1648 wrote to memory of 980	1648	Espaniol3.exe	31
PID 1648 wrote to memory of 980	1648	Espaniol3.exe	31
PID 1648 wrote to memory of 980	1648	Espaniol3.exe	31
PID 1648 wrote to memory of 980	1648	Espaniol3.exe	31
PID 1648 wrote to memory of 980	1648	Espaniol3.exe	31
PID 1648 wrote to memory of 980	1648	Espaniol3.exe	31
PID 1648 wrote to memory of 980	1648	Espaniol3.exe	31
PID 1648 wrote to memory of 980	1648	Espaniol3.exe	31

C:\Users\Admin\AppData\Local\Temp\915e57384b8033ca5b4f9da9b65d074efc0d78ebde9c086133d252bb5435e282.exe
"C:\Users\Admin\AppData\Local\Temp\915e57384b8033ca5b4f9da9b65d074efc0d78ebde9c086133d252bb5435e282.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\test.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\test.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\test.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\test.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Windows\Espaniol3.exe
      "C:\Windows\Espaniol3.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1648
    - - C:\Windows\Espaniol3.exe
        
        C:\Windows\Espaniol3.exe
        5⤵
        Executes dropped EXE
        
        PID:980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\test.exe

Filesize
54KB

MD5
ef780ca881499b9f9860dce928a42bea

SHA1
71e790c3e8e8c5d4e04df65fb96c0c7c00e7eac8

SHA256
28ca84da7e36b4aeaa9c27b13e4bc4420618f7f21424f38910b79bac7d726d7b

SHA512
63c85b76b2ca66287fc14e651f8b153d21f70363d47ee2a32bd1076e96c4d56ce324f8e9e66c71d2de9cfe9d5202a9e9ad9d8ae378521c4375c4841c6be3f792

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\test.exe

Filesize
54KB

MD5
ef780ca881499b9f9860dce928a42bea

SHA1
71e790c3e8e8c5d4e04df65fb96c0c7c00e7eac8

SHA256
28ca84da7e36b4aeaa9c27b13e4bc4420618f7f21424f38910b79bac7d726d7b

SHA512
63c85b76b2ca66287fc14e651f8b153d21f70363d47ee2a32bd1076e96c4d56ce324f8e9e66c71d2de9cfe9d5202a9e9ad9d8ae378521c4375c4841c6be3f792

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\test.exe

Filesize
54KB

MD5
ef780ca881499b9f9860dce928a42bea

SHA1
71e790c3e8e8c5d4e04df65fb96c0c7c00e7eac8

SHA256
28ca84da7e36b4aeaa9c27b13e4bc4420618f7f21424f38910b79bac7d726d7b

SHA512
63c85b76b2ca66287fc14e651f8b153d21f70363d47ee2a32bd1076e96c4d56ce324f8e9e66c71d2de9cfe9d5202a9e9ad9d8ae378521c4375c4841c6be3f792

Download Submit
C:\Windows\Espaniol3.exe

Filesize
54KB

MD5
ef780ca881499b9f9860dce928a42bea

SHA1
71e790c3e8e8c5d4e04df65fb96c0c7c00e7eac8

SHA256
28ca84da7e36b4aeaa9c27b13e4bc4420618f7f21424f38910b79bac7d726d7b

SHA512
63c85b76b2ca66287fc14e651f8b153d21f70363d47ee2a32bd1076e96c4d56ce324f8e9e66c71d2de9cfe9d5202a9e9ad9d8ae378521c4375c4841c6be3f792

Download Submit
C:\Windows\Espaniol3.exe

Filesize
54KB

MD5
ef780ca881499b9f9860dce928a42bea

SHA1
71e790c3e8e8c5d4e04df65fb96c0c7c00e7eac8

SHA256
28ca84da7e36b4aeaa9c27b13e4bc4420618f7f21424f38910b79bac7d726d7b

SHA512
63c85b76b2ca66287fc14e651f8b153d21f70363d47ee2a32bd1076e96c4d56ce324f8e9e66c71d2de9cfe9d5202a9e9ad9d8ae378521c4375c4841c6be3f792

Download Submit
C:\Windows\Espaniol3.exe

Filesize
54KB

MD5
ef780ca881499b9f9860dce928a42bea

SHA1
71e790c3e8e8c5d4e04df65fb96c0c7c00e7eac8

SHA256
28ca84da7e36b4aeaa9c27b13e4bc4420618f7f21424f38910b79bac7d726d7b

SHA512
63c85b76b2ca66287fc14e651f8b153d21f70363d47ee2a32bd1076e96c4d56ce324f8e9e66c71d2de9cfe9d5202a9e9ad9d8ae378521c4375c4841c6be3f792

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\test.exe

Filesize
54KB

MD5
ef780ca881499b9f9860dce928a42bea

SHA1
71e790c3e8e8c5d4e04df65fb96c0c7c00e7eac8

SHA256
28ca84da7e36b4aeaa9c27b13e4bc4420618f7f21424f38910b79bac7d726d7b

SHA512
63c85b76b2ca66287fc14e651f8b153d21f70363d47ee2a32bd1076e96c4d56ce324f8e9e66c71d2de9cfe9d5202a9e9ad9d8ae378521c4375c4841c6be3f792

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\test.exe

Filesize
54KB

MD5
ef780ca881499b9f9860dce928a42bea

SHA1
71e790c3e8e8c5d4e04df65fb96c0c7c00e7eac8

SHA256
28ca84da7e36b4aeaa9c27b13e4bc4420618f7f21424f38910b79bac7d726d7b

SHA512
63c85b76b2ca66287fc14e651f8b153d21f70363d47ee2a32bd1076e96c4d56ce324f8e9e66c71d2de9cfe9d5202a9e9ad9d8ae378521c4375c4841c6be3f792

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\test.exe

Filesize
54KB

MD5
ef780ca881499b9f9860dce928a42bea

SHA1
71e790c3e8e8c5d4e04df65fb96c0c7c00e7eac8

SHA256
28ca84da7e36b4aeaa9c27b13e4bc4420618f7f21424f38910b79bac7d726d7b

SHA512
63c85b76b2ca66287fc14e651f8b153d21f70363d47ee2a32bd1076e96c4d56ce324f8e9e66c71d2de9cfe9d5202a9e9ad9d8ae378521c4375c4841c6be3f792

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\test.exe

Filesize
54KB

MD5
ef780ca881499b9f9860dce928a42bea

SHA1
71e790c3e8e8c5d4e04df65fb96c0c7c00e7eac8

SHA256
28ca84da7e36b4aeaa9c27b13e4bc4420618f7f21424f38910b79bac7d726d7b

SHA512
63c85b76b2ca66287fc14e651f8b153d21f70363d47ee2a32bd1076e96c4d56ce324f8e9e66c71d2de9cfe9d5202a9e9ad9d8ae378521c4375c4841c6be3f792

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\test.exe

Filesize
54KB

MD5
ef780ca881499b9f9860dce928a42bea

SHA1
71e790c3e8e8c5d4e04df65fb96c0c7c00e7eac8

SHA256
28ca84da7e36b4aeaa9c27b13e4bc4420618f7f21424f38910b79bac7d726d7b

SHA512
63c85b76b2ca66287fc14e651f8b153d21f70363d47ee2a32bd1076e96c4d56ce324f8e9e66c71d2de9cfe9d5202a9e9ad9d8ae378521c4375c4841c6be3f792

Download Submit
memory/944-65-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/944-69-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/944-74-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/944-75-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/944-88-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/980-89-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/980-90-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1648-84-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1676-54-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download
memory/1952-70-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download