05a462927bfee9724c965bc8bba0d6491544ceb0cf64f95624874329bda0aa85

Analysis

max time kernel
90s
max time network
81s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
21/12/2022, 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SoftwareSetup/SoftwareSetupFile.exe
Size

677.8MB
MD5

f8d27b86a561984d09b641c3d84f4109
SHA1

e4461540d8692835322e13ff641a147d21db32fe
SHA256

0c878e155adf8a8459c45eeed362abd375a6e589ee102eb65a0cbee4b29a8aab
SHA512

9d96105b26adc3baf9ba25783afb2d171214c7069a4afeb266abaa607b34b738765c3b4ec848b2542d6b73c5d5954250a8a4d0ca1052a3cad4fd0635254e5f08
SSDEEP

3072:VahKyd2n31Yc/5Dk52Vf5eNUYFy3+MGJ7ltuWM6BraN/D+F23JRAXN/fCM:VahOOcHV0Fy3jGJPugBmN6F23Jitf5

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2044	CONCER~2.EXE

Loads dropped DLL 5 IoCs

pid	Process
560	WerFault.exe
560	WerFault.exe
560	WerFault.exe
560	WerFault.exe
560	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	SoftwareSetupFile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	SoftwareSetupFile.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
560	2044	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	CONCER~2.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 2044	1428	SoftwareSetupFile.exe	28
PID 1428 wrote to memory of 2044	1428	SoftwareSetupFile.exe	28
PID 1428 wrote to memory of 2044	1428	SoftwareSetupFile.exe	28
PID 1428 wrote to memory of 2044	1428	SoftwareSetupFile.exe	28
PID 2044 wrote to memory of 560	2044	CONCER~2.EXE	29
PID 2044 wrote to memory of 560	2044	CONCER~2.EXE	29
PID 2044 wrote to memory of 560	2044	CONCER~2.EXE	29
PID 2044 wrote to memory of 560	2044	CONCER~2.EXE	29

C:\Users\Admin\AppData\Local\Temp\SoftwareSetup\SoftwareSetupFile.exe
"C:\Users\Admin\AppData\Local\Temp\SoftwareSetup\SoftwareSetupFile.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CONCER~2.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CONCER~2.EXE
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 1076
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CONCER~2.EXE

Filesize
362.4MB

MD5
1ec54bcb0b65872bc3398d0d8a31af05

SHA1
05b6372ed5bca69fdc7d0277902ea2e63617ac01

SHA256
186d2a2f3594ec703c0d390b5c0958391418227ca081806a029f5fdce1d44d15

SHA512
e0b7ec110b60d7fb7b196da84898195da27da827b5a05b43cc3bea6272402ecfde45b5ec2770bcb0565da330f8881af834006731b855559b752e232e6dbbde9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CONCER~2.EXE

Filesize
362.4MB

MD5
1ec54bcb0b65872bc3398d0d8a31af05

SHA1
05b6372ed5bca69fdc7d0277902ea2e63617ac01

SHA256
186d2a2f3594ec703c0d390b5c0958391418227ca081806a029f5fdce1d44d15

SHA512
e0b7ec110b60d7fb7b196da84898195da27da827b5a05b43cc3bea6272402ecfde45b5ec2770bcb0565da330f8881af834006731b855559b752e232e6dbbde9a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CONCER~2.EXE

Filesize
203.3MB

MD5
9bbe59aa31a162c31aae01eb3e1a5932

SHA1
3dd4ba7411663590d7f70cbbe86eb65bef5b82e3

SHA256
cbd0965b57d3bc34b5996a93647d91ba2b958005e4d1776183c72fabb3966d7d

SHA512
787fb3d27688c11d90c58ba80965b33ffc9068e7e6042e0f1e7f47ad556b2fd2b1f2ad8ef39b8fdd93de6f813fcb5c672f247b97fd8ab876d4ca185ff541c1a6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CONCER~2.EXE

Filesize
232.1MB

MD5
26d153c6515c3629150e7a14cd9bc626

SHA1
5c49e5a80a894e59bb6c884687e5888ab03f35f3

SHA256
052581ac1f7e776a2ed24f6c306cf105fcf88fc36331b752f03686cb65efcbf5

SHA512
a756aca41f44ee6b1b4f6e4cd77160926a46641e9d3eb8c3f266f28fe8dc7b7733710a57af164a7be46c544cb34dc3175882d6e85939a6b56c04022810d4ebe5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CONCER~2.EXE

Filesize
244.2MB

MD5
b035747befa8fede337b6cee2ed96885

SHA1
199cb6ab4f475371443ffcdc34b9ef50a3344ea9

SHA256
27200cee84859e922e1006d15c86041811537080a511e64aae29846db14e243c

SHA512
b9dcb9aa24719b242f6f9785a445eb4a51d457cece5fffa0a4a4afde3e1ff5f77ad81e5a3dac03011b87ae494de635efe8bc716168b7287e405d5df7c6cf0ced

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CONCER~2.EXE

Filesize
235.7MB

MD5
af913039657f9cb5304d9038216c2c2d

SHA1
93dc7f1b6c0b24ea6a3f72368acda72818599b04

SHA256
09a2c74a71c4c08b7df1252e66bebd56a65a93fbded0ef96cb4b4ccd6feeae01

SHA512
ca30435f0863d7a5cadefb07ad815f5bcd4220cccc241cd0fc8cf367dba1bc242f8aa7eb31fd856987970237b757003deedb27f3f6497824d3a690b0df4a21a4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CONCER~2.EXE

Filesize
206.1MB

MD5
6a97d0b392ed048b6939166ac1a1edb1

SHA1
de5af08997a07c337041a2cdfe9d854c125760e2

SHA256
7756d5ca5530226d37a01c12738dc6f299f64be005ad1976d612049f0ea5451d

SHA512
80e196b8051a37f10189de1df37addda954d11a4b8bb2827ec377b69ea15f183aafc388da6b8e9decd0102de9e49456133d209f7ec6328ee9a6149c36efe656a

Download Submit
memory/2044-57-0x0000000000970000-0x0000000000978000-memory.dmp

Filesize
32KB

Download
memory/2044-58-0x0000000076391000-0x0000000076393000-memory.dmp

Filesize
8KB

Download