677904355fc406cd7d2fead8d5389574a5de4fe36b11cd0ffa87d7f9c9826de7

Analysis

max time kernel
25s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01-05-2023 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

677904355fc406cd7d2fead8d5389574a5de4fe36b11cd0ffa87d7f9c9826de7.exe
Size

1.3MB
MD5

d41b88de50bd4f50b665906946f72c64
SHA1

4dfd7bf8b4da376b0b212ff902ec18287300a5d7
SHA256

677904355fc406cd7d2fead8d5389574a5de4fe36b11cd0ffa87d7f9c9826de7
SHA512

39869a9b54362c325ec9af378f13f55489f7b3d894429321905a961286fcce5368cd1dd71e7104c39f5f7f37d41a51335796185c74a1de9d1e3753656b2cefd4
SSDEEP

24576:nyknMrqbdKc3YDVK1jazj0Ft/1OWcyqh7NHxtsYtuEf1EwijI/FXIRV5B:ymYZSja3ytdOBn5NXTN+RV5

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

za114155.exeza812108.exeza685591.exe15170412.exe

pid process

1144 za114155.exe
576 za812108.exe
752 za685591.exe
1768 15170412.exe

pid	process
1144	za114155.exe
576	za812108.exe
752	za685591.exe
1768	15170412.exe

Loads dropped DLL 8 IoCs

Processes:

677904355fc406cd7d2fead8d5389574a5de4fe36b11cd0ffa87d7f9c9826de7.exeza114155.exeza812108.exeza685591.exe15170412.exe

pid	process
1704	677904355fc406cd7d2fead8d5389574a5de4fe36b11cd0ffa87d7f9c9826de7.exe
1144	za114155.exe
1144	za114155.exe
576	za812108.exe
576	za812108.exe
752	za685591.exe
752	za685591.exe
1768	15170412.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

za812108.exeza685591.exe677904355fc406cd7d2fead8d5389574a5de4fe36b11cd0ffa87d7f9c9826de7.exeza114155.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za812108.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za685591.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	za685591.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	677904355fc406cd7d2fead8d5389574a5de4fe36b11cd0ffa87d7f9c9826de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	677904355fc406cd7d2fead8d5389574a5de4fe36b11cd0ffa87d7f9c9826de7.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za114155.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za114155.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za812108.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

15170412.exe

description pid process

Token: SeDebugPrivilege 1768 15170412.exe

description	pid	process
Token: SeDebugPrivilege	1768	15170412.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

677904355fc406cd7d2fead8d5389574a5de4fe36b11cd0ffa87d7f9c9826de7.exeza114155.exeza812108.exeza685591.exe

description	pid	process	target process
PID 1704 wrote to memory of 1144	1704	677904355fc406cd7d2fead8d5389574a5de4fe36b11cd0ffa87d7f9c9826de7.exe	za114155.exe
PID 1704 wrote to memory of 1144	1704	677904355fc406cd7d2fead8d5389574a5de4fe36b11cd0ffa87d7f9c9826de7.exe	za114155.exe
PID 1704 wrote to memory of 1144	1704	677904355fc406cd7d2fead8d5389574a5de4fe36b11cd0ffa87d7f9c9826de7.exe	za114155.exe
PID 1704 wrote to memory of 1144	1704	677904355fc406cd7d2fead8d5389574a5de4fe36b11cd0ffa87d7f9c9826de7.exe	za114155.exe
PID 1704 wrote to memory of 1144	1704	677904355fc406cd7d2fead8d5389574a5de4fe36b11cd0ffa87d7f9c9826de7.exe	za114155.exe
PID 1704 wrote to memory of 1144	1704	677904355fc406cd7d2fead8d5389574a5de4fe36b11cd0ffa87d7f9c9826de7.exe	za114155.exe
PID 1704 wrote to memory of 1144	1704	677904355fc406cd7d2fead8d5389574a5de4fe36b11cd0ffa87d7f9c9826de7.exe	za114155.exe
PID 1144 wrote to memory of 576	1144	za114155.exe	za812108.exe
PID 1144 wrote to memory of 576	1144	za114155.exe	za812108.exe
PID 1144 wrote to memory of 576	1144	za114155.exe	za812108.exe
PID 1144 wrote to memory of 576	1144	za114155.exe	za812108.exe
PID 1144 wrote to memory of 576	1144	za114155.exe	za812108.exe
PID 1144 wrote to memory of 576	1144	za114155.exe	za812108.exe
PID 1144 wrote to memory of 576	1144	za114155.exe	za812108.exe
PID 576 wrote to memory of 752	576	za812108.exe	za685591.exe
PID 576 wrote to memory of 752	576	za812108.exe	za685591.exe
PID 576 wrote to memory of 752	576	za812108.exe	za685591.exe
PID 576 wrote to memory of 752	576	za812108.exe	za685591.exe
PID 576 wrote to memory of 752	576	za812108.exe	za685591.exe
PID 576 wrote to memory of 752	576	za812108.exe	za685591.exe
PID 576 wrote to memory of 752	576	za812108.exe	za685591.exe
PID 752 wrote to memory of 1768	752	za685591.exe	15170412.exe
PID 752 wrote to memory of 1768	752	za685591.exe	15170412.exe
PID 752 wrote to memory of 1768	752	za685591.exe	15170412.exe
PID 752 wrote to memory of 1768	752	za685591.exe	15170412.exe
PID 752 wrote to memory of 1768	752	za685591.exe	15170412.exe
PID 752 wrote to memory of 1768	752	za685591.exe	15170412.exe
PID 752 wrote to memory of 1768	752	za685591.exe	15170412.exe

C:\Users\Admin\AppData\Local\Temp\677904355fc406cd7d2fead8d5389574a5de4fe36b11cd0ffa87d7f9c9826de7.exe
"C:\Users\Admin\AppData\Local\Temp\677904355fc406cd7d2fead8d5389574a5de4fe36b11cd0ffa87d7f9c9826de7.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za114155.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za114155.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1144

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za812108.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za812108.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:576

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za685591.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za685591.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:752

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\15170412.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\15170412.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za114155.exe

Filesize
1.2MB

MD5
b81b4772146279ba53451b3ca7ec719b

SHA1
d0e4b37f359ed9924ffa26f0824009f2c2b808df

SHA256
e7d5ceabf8e7dc2dda2c8d900a32bb6781b8cb96f7e28afd10ce376a00f96b93

SHA512
1e0863abd03e924f7edd3fb80254ca6e2b3996bfa11def780e7bf333608d23196cbd033991a4d991297109b992a73aabccf8718cd8bd9076736dccfff88ae6f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za114155.exe

Filesize
1.2MB

MD5
b81b4772146279ba53451b3ca7ec719b

SHA1
d0e4b37f359ed9924ffa26f0824009f2c2b808df

SHA256
e7d5ceabf8e7dc2dda2c8d900a32bb6781b8cb96f7e28afd10ce376a00f96b93

SHA512
1e0863abd03e924f7edd3fb80254ca6e2b3996bfa11def780e7bf333608d23196cbd033991a4d991297109b992a73aabccf8718cd8bd9076736dccfff88ae6f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za812108.exe

Filesize
738KB

MD5
92c752bfff717690379b17e0241dba5b

SHA1
605a22c59a10c3bbc243cee777f14069ae1ee690

SHA256
b713198cdf2f6ee241a65b9fdf9a82b398b70ae71416aa3f81c14ecacf0479f4

SHA512
0e5286c0efcb00dc08f22875a10a00169042e03921ebcef40ad4d0536a4cf462908136599642c40245be892e6056b2836acd7b42c4917cf1fb9b8974b5a47411

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za812108.exe

Filesize
738KB

MD5
92c752bfff717690379b17e0241dba5b

SHA1
605a22c59a10c3bbc243cee777f14069ae1ee690

SHA256
b713198cdf2f6ee241a65b9fdf9a82b398b70ae71416aa3f81c14ecacf0479f4

SHA512
0e5286c0efcb00dc08f22875a10a00169042e03921ebcef40ad4d0536a4cf462908136599642c40245be892e6056b2836acd7b42c4917cf1fb9b8974b5a47411

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za685591.exe

Filesize
555KB

MD5
ecc185a79d2d182fcf1cafa01f6425ed

SHA1
d635159d46f83e5bcd53644780d56ebd2e0b28f5

SHA256
67666fcc048488c29637fa7bab4da10c8c4efb1f88325debe90f32b7a5bd44ed

SHA512
508661a6aa856c7ac62e7f80f20f7b433d7b23650bc110763ac83bb3bb1d61e766761bfcee1b852601204eb469aeb28a3caf875ba819008e345a9b6ae45925c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za685591.exe

Filesize
555KB

MD5
ecc185a79d2d182fcf1cafa01f6425ed

SHA1
d635159d46f83e5bcd53644780d56ebd2e0b28f5

SHA256
67666fcc048488c29637fa7bab4da10c8c4efb1f88325debe90f32b7a5bd44ed

SHA512
508661a6aa856c7ac62e7f80f20f7b433d7b23650bc110763ac83bb3bb1d61e766761bfcee1b852601204eb469aeb28a3caf875ba819008e345a9b6ae45925c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\15170412.exe

Filesize
303KB

MD5
bf77596e47ab049b90f2b75c7a95fdc3

SHA1
7bccb2e0bdce45bc6d083a14ef0c66ccf2496a48

SHA256
6491d204e1298226e647ce67697942ef6c600523967f9a82eb51f93925561a94

SHA512
c8fdb68341481321f2e1415eaac47fadaeec51cf6f9f9df1ef8496cf06bc5376b37d9c53de2275b8a05d142dfa5e58b543cfb488ad8a5953f8d45e705d342132

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\15170412.exe

Filesize
303KB

MD5
bf77596e47ab049b90f2b75c7a95fdc3

SHA1
7bccb2e0bdce45bc6d083a14ef0c66ccf2496a48

SHA256
6491d204e1298226e647ce67697942ef6c600523967f9a82eb51f93925561a94

SHA512
c8fdb68341481321f2e1415eaac47fadaeec51cf6f9f9df1ef8496cf06bc5376b37d9c53de2275b8a05d142dfa5e58b543cfb488ad8a5953f8d45e705d342132

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\za114155.exe

Filesize
1.2MB

MD5
b81b4772146279ba53451b3ca7ec719b

SHA1
d0e4b37f359ed9924ffa26f0824009f2c2b808df

SHA256
e7d5ceabf8e7dc2dda2c8d900a32bb6781b8cb96f7e28afd10ce376a00f96b93

SHA512
1e0863abd03e924f7edd3fb80254ca6e2b3996bfa11def780e7bf333608d23196cbd033991a4d991297109b992a73aabccf8718cd8bd9076736dccfff88ae6f6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\za114155.exe

Filesize
1.2MB

MD5
b81b4772146279ba53451b3ca7ec719b

SHA1
d0e4b37f359ed9924ffa26f0824009f2c2b808df

SHA256
e7d5ceabf8e7dc2dda2c8d900a32bb6781b8cb96f7e28afd10ce376a00f96b93

SHA512
1e0863abd03e924f7edd3fb80254ca6e2b3996bfa11def780e7bf333608d23196cbd033991a4d991297109b992a73aabccf8718cd8bd9076736dccfff88ae6f6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\za812108.exe

Filesize
738KB

MD5
92c752bfff717690379b17e0241dba5b

SHA1
605a22c59a10c3bbc243cee777f14069ae1ee690

SHA256
b713198cdf2f6ee241a65b9fdf9a82b398b70ae71416aa3f81c14ecacf0479f4

SHA512
0e5286c0efcb00dc08f22875a10a00169042e03921ebcef40ad4d0536a4cf462908136599642c40245be892e6056b2836acd7b42c4917cf1fb9b8974b5a47411

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\za812108.exe

Filesize
738KB

MD5
92c752bfff717690379b17e0241dba5b

SHA1
605a22c59a10c3bbc243cee777f14069ae1ee690

SHA256
b713198cdf2f6ee241a65b9fdf9a82b398b70ae71416aa3f81c14ecacf0479f4

SHA512
0e5286c0efcb00dc08f22875a10a00169042e03921ebcef40ad4d0536a4cf462908136599642c40245be892e6056b2836acd7b42c4917cf1fb9b8974b5a47411

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\za685591.exe

Filesize
555KB

MD5
ecc185a79d2d182fcf1cafa01f6425ed

SHA1
d635159d46f83e5bcd53644780d56ebd2e0b28f5

SHA256
67666fcc048488c29637fa7bab4da10c8c4efb1f88325debe90f32b7a5bd44ed

SHA512
508661a6aa856c7ac62e7f80f20f7b433d7b23650bc110763ac83bb3bb1d61e766761bfcee1b852601204eb469aeb28a3caf875ba819008e345a9b6ae45925c7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\za685591.exe

Filesize
555KB

MD5
ecc185a79d2d182fcf1cafa01f6425ed

SHA1
d635159d46f83e5bcd53644780d56ebd2e0b28f5

SHA256
67666fcc048488c29637fa7bab4da10c8c4efb1f88325debe90f32b7a5bd44ed

SHA512
508661a6aa856c7ac62e7f80f20f7b433d7b23650bc110763ac83bb3bb1d61e766761bfcee1b852601204eb469aeb28a3caf875ba819008e345a9b6ae45925c7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\15170412.exe

Filesize
303KB

MD5
bf77596e47ab049b90f2b75c7a95fdc3

SHA1
7bccb2e0bdce45bc6d083a14ef0c66ccf2496a48

SHA256
6491d204e1298226e647ce67697942ef6c600523967f9a82eb51f93925561a94

SHA512
c8fdb68341481321f2e1415eaac47fadaeec51cf6f9f9df1ef8496cf06bc5376b37d9c53de2275b8a05d142dfa5e58b543cfb488ad8a5953f8d45e705d342132

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\15170412.exe

Filesize
303KB

MD5
bf77596e47ab049b90f2b75c7a95fdc3

SHA1
7bccb2e0bdce45bc6d083a14ef0c66ccf2496a48

SHA256
6491d204e1298226e647ce67697942ef6c600523967f9a82eb51f93925561a94

SHA512
c8fdb68341481321f2e1415eaac47fadaeec51cf6f9f9df1ef8496cf06bc5376b37d9c53de2275b8a05d142dfa5e58b543cfb488ad8a5953f8d45e705d342132

Download Submit
memory/1768-110-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-134-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-97-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/1768-96-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/1768-98-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/1768-99-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-100-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-102-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-104-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-106-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-108-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-112-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-94-0x0000000002340000-0x0000000002398000-memory.dmp

Filesize
352KB

Download
memory/1768-116-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-120-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-122-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-118-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-114-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-124-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-126-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-132-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-95-0x00000000023A0000-0x00000000023F6000-memory.dmp

Filesize
344KB

Download
memory/1768-130-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-136-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-128-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-140-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-138-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-144-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-142-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-146-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-148-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-150-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-154-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-152-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-158-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-160-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-156-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-162-0x00000000023A0000-0x00000000023F1000-memory.dmp

Filesize
324KB

Download
memory/1768-179-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/1768-180-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/1768-181-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download