926121412aa339bd62986e3fcb42ba64714ac2889f3e476f6c2b5d3b672c418d

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2023, 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

926121412aa339bd62986e3fcb42ba64714ac2889f3e476f6c2b5d3b672c418d.exe
Size

1.0MB
MD5

16439194756b561bb344a6d5cb08a2c9
SHA1

35a78f621eb591e9b564184dff2516467a6cdb97
SHA256

926121412aa339bd62986e3fcb42ba64714ac2889f3e476f6c2b5d3b672c418d
SHA512

3bd90241e6d9277317d9198209fccc8f35305b11d451ba40cb139cc628cd0bae392e48b0f1f275ca087fa3e4150b4288b3809150aa85395959438e440e31c714
SSDEEP

6144:IahODlE7xQJ86nqP/s+de9pnVuHhZRb4tkC1VFO/DWLC352DFDJXTvkcLIh:Iiew+lLYePVqR0sqLC35gDQh

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1696	wiferedov.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	926121412aa339bd62986e3fcb42ba64714ac2889f3e476f6c2b5d3b672c418d.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	926121412aa339bd62986e3fcb42ba64714ac2889f3e476f6c2b5d3b672c418d.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4228	1696	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1696	wiferedov.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1696	wiferedov.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 1696	2780	926121412aa339bd62986e3fcb42ba64714ac2889f3e476f6c2b5d3b672c418d.exe	85
PID 2780 wrote to memory of 1696	2780	926121412aa339bd62986e3fcb42ba64714ac2889f3e476f6c2b5d3b672c418d.exe	85
PID 2780 wrote to memory of 1696	2780	926121412aa339bd62986e3fcb42ba64714ac2889f3e476f6c2b5d3b672c418d.exe	85

C:\Users\Admin\AppData\Local\Temp\926121412aa339bd62986e3fcb42ba64714ac2889f3e476f6c2b5d3b672c418d.exe
"C:\Users\Admin\AppData\Local\Temp\926121412aa339bd62986e3fcb42ba64714ac2889f3e476f6c2b5d3b672c418d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wiferedov.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wiferedov.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 1920
    3⤵
    - Program crash
    PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1696 -ip 1696
1⤵
PID:4960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wiferedov.exe

Filesize
430.2MB

MD5
f9cd4b8b60407dd42daa35ac1e79ff90

SHA1
6eeb267cb651e9a1ec4901de887219d48e0a15c4

SHA256
1439e4b4b3e1bdfd18c8feff3cf4b396eb343ae6847f2f118de178c0fcd1b3e6

SHA512
9048a05a0aa877a913f0e7f86fcb2568089286f8aca51ec888f3fbfdc31eddbf7fe0723ccc0645e3613a4d92ffa494d2c018e964da343082d729c68d39f064c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wiferedov.exe

Filesize
430.2MB

MD5
f9cd4b8b60407dd42daa35ac1e79ff90

SHA1
6eeb267cb651e9a1ec4901de887219d48e0a15c4

SHA256
1439e4b4b3e1bdfd18c8feff3cf4b396eb343ae6847f2f118de178c0fcd1b3e6

SHA512
9048a05a0aa877a913f0e7f86fcb2568089286f8aca51ec888f3fbfdc31eddbf7fe0723ccc0645e3613a4d92ffa494d2c018e964da343082d729c68d39f064c4

Download Submit
memory/1696-138-0x00000000009D0000-0x0000000000ADE000-memory.dmp

Filesize
1.1MB

Download
memory/1696-139-0x0000000004BB0000-0x0000000004C4C000-memory.dmp

Filesize
624KB

Download
memory/1696-140-0x0000000005290000-0x0000000005834000-memory.dmp

Filesize
5.6MB

Download
memory/1696-141-0x0000000004D80000-0x0000000004E12000-memory.dmp

Filesize
584KB

Download
memory/1696-142-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/1696-143-0x0000000004CB0000-0x0000000004CBA000-memory.dmp

Filesize
40KB

Download
memory/1696-144-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download