7a8c3e1d2a18f7bead6b84f835f53fb022e2b3b6c3b4eacc80235a9abeffcf3c

Analysis

max time kernel
135s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2023, 01:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

806c51a90c4852e7cfecf7cb09d21822.exe
Size

166KB
MD5

806c51a90c4852e7cfecf7cb09d21822
SHA1

c1021dd3fdab477bcb6ff5b5f8a329db08dbb6e5
SHA256

7a8c3e1d2a18f7bead6b84f835f53fb022e2b3b6c3b4eacc80235a9abeffcf3c
SHA512

52269fab14714f0be7ecc3bde14f87cf3d5fe628235da5b0c2b88988f08c871aaa035ffefd85fcc921f3255ca1f8c0a1327977576da84402b2a9d5d800dd12c1
SSDEEP

3072:cahKyd2n31b5GWp1icKAArDZz4N9GhbkrNEkBNJAQ8lwzhABLT:cahOrp0yN90QEj

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	806c51a90c4852e7cfecf7cb09d21822.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	806c51a90c4852e7cfecf7cb09d21822.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	net.exe
File opened (read-only)	\??\Y:	net.exe

Runs net.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 1244	5000	806c51a90c4852e7cfecf7cb09d21822.exe	83
PID 5000 wrote to memory of 1244	5000	806c51a90c4852e7cfecf7cb09d21822.exe	83
PID 1244 wrote to memory of 1868	1244	cmd.exe	85
PID 1244 wrote to memory of 1868	1244	cmd.exe	85
PID 1244 wrote to memory of 3148	1244	cmd.exe	86
PID 1244 wrote to memory of 3148	1244	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\806c51a90c4852e7cfecf7cb09d21822.exe
"C:\Users\Admin\AppData\Local\Temp\806c51a90c4852e7cfecf7cb09d21822.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "Aus-HQ_Ins-WOFNet__LWM-BHB-Admin - Kopie.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\system32\net.exe
    net use Y: /delete
    3⤵
    - Enumerates connected drives
    PID:1868
- - C:\Windows\system32\net.exe
    net use Y: \\10.241.1.1\File-Share\BHB Wokopaf0 /USER:WOF\BHB-Admin /PERSISTENT:NO
    3⤵
    - Enumerates connected drives
    PID:3148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Aus-HQ_Ins-WOFNet__LWM-BHB-Admin - Kopie.bat

Filesize
377B

MD5
fae41d34dfdf2990e38c1595658cc5b3

SHA1
5ebcdf04aa57ff43c1a37d4ec46b00662733a691

SHA256
b7f64215d4b1ba491a2fa4fbe9cfb5eba88287bbcfcab56b08250d084047ce08

SHA512
a64f0c5a8bafd566cc6fc789aa567bd1ead1383745cc69db1ac6b3256cee57ba877d8cbbee05523ab21281115a55d42a1ac4a3de50f8a23f6e057f96967dfb3d

Download Submit