90292310f7260ce98231973202b57408afaea6393d3d88b34a7da47913774e44

Analysis

max time kernel
40s
max time network
65s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/12/2022, 00:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

90292310f7260ce98231973202b57408afaea6393d3d88b34a7da47913774e44.exe
Size

248KB
MD5

2ca3fe40870526acad0b76aa00dcc86f
SHA1

04e58d385847287952c8a694e528c37c7687aac3
SHA256

90292310f7260ce98231973202b57408afaea6393d3d88b34a7da47913774e44
SHA512

bf983cdda0b1fb14f8e4cb4ae6609e883b484f9c17b33713f4648d2b6924abf09b61d080f60239fbf8c15934e30775ee4d332a23d745b410568c553e4a0dbaa5
SSDEEP

6144:OjbeiWW121GvEBZuTQZ+wFE1DJN1J0rS65:Ou6NMe8Z+KKDJa2Y

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1384	payload.exe
1988	SETUP.EXE

Loads dropped DLL 9 IoCs

pid	Process
1248	90292310f7260ce98231973202b57408afaea6393d3d88b34a7da47913774e44.exe
1248	90292310f7260ce98231973202b57408afaea6393d3d88b34a7da47913774e44.exe
1384	payload.exe
1384	payload.exe
1384	payload.exe
1248	90292310f7260ce98231973202b57408afaea6393d3d88b34a7da47913774e44.exe
1988	SETUP.EXE
1988	SETUP.EXE
1988	SETUP.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	90292310f7260ce98231973202b57408afaea6393d3d88b34a7da47913774e44.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	90292310f7260ce98231973202b57408afaea6393d3d88b34a7da47913774e44.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 1384	1248	90292310f7260ce98231973202b57408afaea6393d3d88b34a7da47913774e44.exe	26
PID 1248 wrote to memory of 1384	1248	90292310f7260ce98231973202b57408afaea6393d3d88b34a7da47913774e44.exe	26
PID 1248 wrote to memory of 1384	1248	90292310f7260ce98231973202b57408afaea6393d3d88b34a7da47913774e44.exe	26
PID 1248 wrote to memory of 1384	1248	90292310f7260ce98231973202b57408afaea6393d3d88b34a7da47913774e44.exe	26
PID 1248 wrote to memory of 1384	1248	90292310f7260ce98231973202b57408afaea6393d3d88b34a7da47913774e44.exe	26
PID 1248 wrote to memory of 1384	1248	90292310f7260ce98231973202b57408afaea6393d3d88b34a7da47913774e44.exe	26
PID 1248 wrote to memory of 1384	1248	90292310f7260ce98231973202b57408afaea6393d3d88b34a7da47913774e44.exe	26
PID 1248 wrote to memory of 1988	1248	90292310f7260ce98231973202b57408afaea6393d3d88b34a7da47913774e44.exe	27
PID 1248 wrote to memory of 1988	1248	90292310f7260ce98231973202b57408afaea6393d3d88b34a7da47913774e44.exe	27
PID 1248 wrote to memory of 1988	1248	90292310f7260ce98231973202b57408afaea6393d3d88b34a7da47913774e44.exe	27
PID 1248 wrote to memory of 1988	1248	90292310f7260ce98231973202b57408afaea6393d3d88b34a7da47913774e44.exe	27
PID 1248 wrote to memory of 1988	1248	90292310f7260ce98231973202b57408afaea6393d3d88b34a7da47913774e44.exe	27
PID 1248 wrote to memory of 1988	1248	90292310f7260ce98231973202b57408afaea6393d3d88b34a7da47913774e44.exe	27
PID 1248 wrote to memory of 1988	1248	90292310f7260ce98231973202b57408afaea6393d3d88b34a7da47913774e44.exe	27

C:\Users\Admin\AppData\Local\Temp\90292310f7260ce98231973202b57408afaea6393d3d88b34a7da47913774e44.exe
"C:\Users\Admin\AppData\Local\Temp\90292310f7260ce98231973202b57408afaea6393d3d88b34a7da47913774e44.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\payload.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\payload.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1384
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP.EXE

Filesize
407KB

MD5
d0d323b414b7748e713b51374d91b7d6

SHA1
4f53f10bce4df510d2bc6a8fd8ecb2fd224b64af

SHA256
4248dc2814960c11e26a6c5c66868941d77a1651b028311ccb536b3dfe39baa0

SHA512
ec0e73755e6a9597847fba6e3a1f91423e1e9399052512a90bfe39bc6f90e2302f89269894f05c9921b71a9846001254449197c4e14700e11a39c1a7d05cc505

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP.EXE

Filesize
407KB

MD5
d0d323b414b7748e713b51374d91b7d6

SHA1
4f53f10bce4df510d2bc6a8fd8ecb2fd224b64af

SHA256
4248dc2814960c11e26a6c5c66868941d77a1651b028311ccb536b3dfe39baa0

SHA512
ec0e73755e6a9597847fba6e3a1f91423e1e9399052512a90bfe39bc6f90e2302f89269894f05c9921b71a9846001254449197c4e14700e11a39c1a7d05cc505

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\payload.exe

Filesize
16KB

MD5
29294e1fb7d857b1784c0afc9ad2db1a

SHA1
0acd02626c5db0cb19a015b73900175beedf2236

SHA256
892fe3c74bac04b9c8fc1b0009331a4dc2d7bad0a68558b2f5a68db26d6df9a5

SHA512
91a73c0204a97541a6dcdf9a881aae3b4e0124bd2ba9b3c98d436ee8f1ce04016b0ce9b3ca29380a757ddc76aa10f61c37be51f3c62dd1eedcd4cdc02f9b3a6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\payload.exe

Filesize
16KB

MD5
29294e1fb7d857b1784c0afc9ad2db1a

SHA1
0acd02626c5db0cb19a015b73900175beedf2236

SHA256
892fe3c74bac04b9c8fc1b0009331a4dc2d7bad0a68558b2f5a68db26d6df9a5

SHA512
91a73c0204a97541a6dcdf9a881aae3b4e0124bd2ba9b3c98d436ee8f1ce04016b0ce9b3ca29380a757ddc76aa10f61c37be51f3c62dd1eedcd4cdc02f9b3a6a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP.EXE

Filesize
407KB

MD5
d0d323b414b7748e713b51374d91b7d6

SHA1
4f53f10bce4df510d2bc6a8fd8ecb2fd224b64af

SHA256
4248dc2814960c11e26a6c5c66868941d77a1651b028311ccb536b3dfe39baa0

SHA512
ec0e73755e6a9597847fba6e3a1f91423e1e9399052512a90bfe39bc6f90e2302f89269894f05c9921b71a9846001254449197c4e14700e11a39c1a7d05cc505

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP.EXE

Filesize
407KB

MD5
d0d323b414b7748e713b51374d91b7d6

SHA1
4f53f10bce4df510d2bc6a8fd8ecb2fd224b64af

SHA256
4248dc2814960c11e26a6c5c66868941d77a1651b028311ccb536b3dfe39baa0

SHA512
ec0e73755e6a9597847fba6e3a1f91423e1e9399052512a90bfe39bc6f90e2302f89269894f05c9921b71a9846001254449197c4e14700e11a39c1a7d05cc505

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP.EXE

Filesize
407KB

MD5
d0d323b414b7748e713b51374d91b7d6

SHA1
4f53f10bce4df510d2bc6a8fd8ecb2fd224b64af

SHA256
4248dc2814960c11e26a6c5c66868941d77a1651b028311ccb536b3dfe39baa0

SHA512
ec0e73755e6a9597847fba6e3a1f91423e1e9399052512a90bfe39bc6f90e2302f89269894f05c9921b71a9846001254449197c4e14700e11a39c1a7d05cc505

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP.EXE

Filesize
407KB

MD5
d0d323b414b7748e713b51374d91b7d6

SHA1
4f53f10bce4df510d2bc6a8fd8ecb2fd224b64af

SHA256
4248dc2814960c11e26a6c5c66868941d77a1651b028311ccb536b3dfe39baa0

SHA512
ec0e73755e6a9597847fba6e3a1f91423e1e9399052512a90bfe39bc6f90e2302f89269894f05c9921b71a9846001254449197c4e14700e11a39c1a7d05cc505

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\payload.exe

Filesize
16KB

MD5
29294e1fb7d857b1784c0afc9ad2db1a

SHA1
0acd02626c5db0cb19a015b73900175beedf2236

SHA256
892fe3c74bac04b9c8fc1b0009331a4dc2d7bad0a68558b2f5a68db26d6df9a5

SHA512
91a73c0204a97541a6dcdf9a881aae3b4e0124bd2ba9b3c98d436ee8f1ce04016b0ce9b3ca29380a757ddc76aa10f61c37be51f3c62dd1eedcd4cdc02f9b3a6a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\payload.exe

Filesize
16KB

MD5
29294e1fb7d857b1784c0afc9ad2db1a

SHA1
0acd02626c5db0cb19a015b73900175beedf2236

SHA256
892fe3c74bac04b9c8fc1b0009331a4dc2d7bad0a68558b2f5a68db26d6df9a5

SHA512
91a73c0204a97541a6dcdf9a881aae3b4e0124bd2ba9b3c98d436ee8f1ce04016b0ce9b3ca29380a757ddc76aa10f61c37be51f3c62dd1eedcd4cdc02f9b3a6a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\payload.exe

Filesize
16KB

MD5
29294e1fb7d857b1784c0afc9ad2db1a

SHA1
0acd02626c5db0cb19a015b73900175beedf2236

SHA256
892fe3c74bac04b9c8fc1b0009331a4dc2d7bad0a68558b2f5a68db26d6df9a5

SHA512
91a73c0204a97541a6dcdf9a881aae3b4e0124bd2ba9b3c98d436ee8f1ce04016b0ce9b3ca29380a757ddc76aa10f61c37be51f3c62dd1eedcd4cdc02f9b3a6a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\payload.exe

Filesize
16KB

MD5
29294e1fb7d857b1784c0afc9ad2db1a

SHA1
0acd02626c5db0cb19a015b73900175beedf2236

SHA256
892fe3c74bac04b9c8fc1b0009331a4dc2d7bad0a68558b2f5a68db26d6df9a5

SHA512
91a73c0204a97541a6dcdf9a881aae3b4e0124bd2ba9b3c98d436ee8f1ce04016b0ce9b3ca29380a757ddc76aa10f61c37be51f3c62dd1eedcd4cdc02f9b3a6a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\payload.exe

Filesize
16KB

MD5
29294e1fb7d857b1784c0afc9ad2db1a

SHA1
0acd02626c5db0cb19a015b73900175beedf2236

SHA256
892fe3c74bac04b9c8fc1b0009331a4dc2d7bad0a68558b2f5a68db26d6df9a5

SHA512
91a73c0204a97541a6dcdf9a881aae3b4e0124bd2ba9b3c98d436ee8f1ce04016b0ce9b3ca29380a757ddc76aa10f61c37be51f3c62dd1eedcd4cdc02f9b3a6a

Download Submit
memory/1248-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download