5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75

Analysis

max time kernel
30s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01-05-2023 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exe
Size

1.5MB
MD5

ee19c02edc80174071bcd1306c2a8406
SHA1

f1e150c5b3a9c4b01ad633a03a57de79e0d6570f
SHA256

5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75
SHA512

c3d6308ec2939b6efdef4db59fd115daf582e1a25b1ce251c9c6076c0655264483d782c1bd9bea0c57616d9039102cf4fbf660fd3700c86f8bf74055e428b0b6
SSDEEP

24576:EydBMwYRHEWGEHkdtryKmrRYXXyGWLyUWAena6Zjkoqc:TLaHWtOK2CEaacw

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

za265333.exeza571665.exeza966696.exe26628038.exe

pid process

1600 za265333.exe
1036 za571665.exe
1088 za966696.exe
340 26628038.exe

pid	process
1600	za265333.exe
1036	za571665.exe
1088	za966696.exe
340	26628038.exe

Loads dropped DLL 8 IoCs

Processes:

5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exeza265333.exeza571665.exeza966696.exe26628038.exe

pid	process
1740	5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exe
1600	za265333.exe
1600	za265333.exe
1036	za571665.exe
1036	za571665.exe
1088	za966696.exe
1088	za966696.exe
340	26628038.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exeza265333.exeza571665.exeza966696.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za265333.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za265333.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za571665.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za571665.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za966696.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	za966696.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

26628038.exe

description pid process

Token: SeDebugPrivilege 340 26628038.exe

description	pid	process
Token: SeDebugPrivilege	340	26628038.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exeza265333.exeza571665.exeza966696.exe

description	pid	process	target process
PID 1740 wrote to memory of 1600	1740	5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exe	za265333.exe
PID 1740 wrote to memory of 1600	1740	5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exe	za265333.exe
PID 1740 wrote to memory of 1600	1740	5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exe	za265333.exe
PID 1740 wrote to memory of 1600	1740	5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exe	za265333.exe
PID 1740 wrote to memory of 1600	1740	5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exe	za265333.exe
PID 1740 wrote to memory of 1600	1740	5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exe	za265333.exe
PID 1740 wrote to memory of 1600	1740	5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exe	za265333.exe
PID 1600 wrote to memory of 1036	1600	za265333.exe	za571665.exe
PID 1600 wrote to memory of 1036	1600	za265333.exe	za571665.exe
PID 1600 wrote to memory of 1036	1600	za265333.exe	za571665.exe
PID 1600 wrote to memory of 1036	1600	za265333.exe	za571665.exe
PID 1600 wrote to memory of 1036	1600	za265333.exe	za571665.exe
PID 1600 wrote to memory of 1036	1600	za265333.exe	za571665.exe
PID 1600 wrote to memory of 1036	1600	za265333.exe	za571665.exe
PID 1036 wrote to memory of 1088	1036	za571665.exe	za966696.exe
PID 1036 wrote to memory of 1088	1036	za571665.exe	za966696.exe
PID 1036 wrote to memory of 1088	1036	za571665.exe	za966696.exe
PID 1036 wrote to memory of 1088	1036	za571665.exe	za966696.exe
PID 1036 wrote to memory of 1088	1036	za571665.exe	za966696.exe
PID 1036 wrote to memory of 1088	1036	za571665.exe	za966696.exe
PID 1036 wrote to memory of 1088	1036	za571665.exe	za966696.exe
PID 1088 wrote to memory of 340	1088	za966696.exe	26628038.exe
PID 1088 wrote to memory of 340	1088	za966696.exe	26628038.exe
PID 1088 wrote to memory of 340	1088	za966696.exe	26628038.exe
PID 1088 wrote to memory of 340	1088	za966696.exe	26628038.exe
PID 1088 wrote to memory of 340	1088	za966696.exe	26628038.exe
PID 1088 wrote to memory of 340	1088	za966696.exe	26628038.exe
PID 1088 wrote to memory of 340	1088	za966696.exe	26628038.exe

C:\Users\Admin\AppData\Local\Temp\5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exe
"C:\Users\Admin\AppData\Local\Temp\5646a554a65769048705e3ae7a9118acbc53643d8115529b75d03dbf7e654a75.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za265333.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za265333.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1600

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za571665.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za571665.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1036

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za966696.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za966696.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1088

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\26628038.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\26628038.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:340

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za265333.exe
Filesize
1.3MB

MD5
a8a6ef2febad43893677a572fa95be38

SHA1
69e8b6d96cd4a696b05e0134613f142a7e69bff6

SHA256
e530058dc47a1440e15d65bc073de8077b191c42fc43875fcf3010d883cb2adc

SHA512
ffbde4fcd9ff5fe40782be3770a3f43396ccf2b5b4ec21d17ba2768bff0bcd001f71194c32e924e4b785bad277123ade5d7b4acd1d3af1657d500285cdeb66dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za265333.exe
Filesize
1.3MB

MD5
a8a6ef2febad43893677a572fa95be38

SHA1
69e8b6d96cd4a696b05e0134613f142a7e69bff6

SHA256
e530058dc47a1440e15d65bc073de8077b191c42fc43875fcf3010d883cb2adc

SHA512
ffbde4fcd9ff5fe40782be3770a3f43396ccf2b5b4ec21d17ba2768bff0bcd001f71194c32e924e4b785bad277123ade5d7b4acd1d3af1657d500285cdeb66dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za571665.exe
Filesize
862KB

MD5
66395e26e84dc21c79985fd3a139b5e3

SHA1
1b1307f6ce9ae56ee22c90cc5e8289be72d8fbc3

SHA256
7e7cfe0ed4d33db41b4fd83d2d26c2338c62ec4583f5c7bc5aef1fb8bd181030

SHA512
cb0dbf34779e21c1750f2288a8d7daee18382616848ca30271492b92730c9d7ca222ed185e9c4f921bf1d0b475d6077f9eb9f437dbf1a3f996763d5804d982c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za571665.exe
Filesize
862KB

MD5
66395e26e84dc21c79985fd3a139b5e3

SHA1
1b1307f6ce9ae56ee22c90cc5e8289be72d8fbc3

SHA256
7e7cfe0ed4d33db41b4fd83d2d26c2338c62ec4583f5c7bc5aef1fb8bd181030

SHA512
cb0dbf34779e21c1750f2288a8d7daee18382616848ca30271492b92730c9d7ca222ed185e9c4f921bf1d0b475d6077f9eb9f437dbf1a3f996763d5804d982c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za966696.exe
Filesize
679KB

MD5
937f6dedf6857f63d25fcba51be5814c

SHA1
38491ffc15c92cca4980309276a18801d631db89

SHA256
0543b203b2304754d6ee2ac1786f79891949767ff1682ea0a0b30e1ec6528e28

SHA512
8870fa67cf45b8ff3390d09f9751096ba5d18a9855db87baef84e2ebe636be1155fdcecdfde27091a2a75d0c12926544d8edbf5f67e3bbf8d92431b83fdbc6c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za966696.exe
Filesize
679KB

MD5
937f6dedf6857f63d25fcba51be5814c

SHA1
38491ffc15c92cca4980309276a18801d631db89

SHA256
0543b203b2304754d6ee2ac1786f79891949767ff1682ea0a0b30e1ec6528e28

SHA512
8870fa67cf45b8ff3390d09f9751096ba5d18a9855db87baef84e2ebe636be1155fdcecdfde27091a2a75d0c12926544d8edbf5f67e3bbf8d92431b83fdbc6c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\26628038.exe
Filesize
301KB

MD5
e7b0bcef13515391e5b51b1b2844714b

SHA1
bca78d7c9224224dbe5912f7f1a57d33f9c46b99

SHA256
abd9b763cd3ae279fff255957be9f44831f1a8cf26eda089de5e9e1684d22783

SHA512
3c4af3b85745d9360889aa5417cf35b0b4a56ae5bbec512d6700acd88dca273238a78db31bd772907c3ebaf51d7f264078d884ddcb440f0a0b3598d68cfe2a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\26628038.exe
Filesize
301KB

MD5
e7b0bcef13515391e5b51b1b2844714b

SHA1
bca78d7c9224224dbe5912f7f1a57d33f9c46b99

SHA256
abd9b763cd3ae279fff255957be9f44831f1a8cf26eda089de5e9e1684d22783

SHA512
3c4af3b85745d9360889aa5417cf35b0b4a56ae5bbec512d6700acd88dca273238a78db31bd772907c3ebaf51d7f264078d884ddcb440f0a0b3598d68cfe2a22

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\za265333.exe
Filesize
1.3MB

MD5
a8a6ef2febad43893677a572fa95be38

SHA1
69e8b6d96cd4a696b05e0134613f142a7e69bff6

SHA256
e530058dc47a1440e15d65bc073de8077b191c42fc43875fcf3010d883cb2adc

SHA512
ffbde4fcd9ff5fe40782be3770a3f43396ccf2b5b4ec21d17ba2768bff0bcd001f71194c32e924e4b785bad277123ade5d7b4acd1d3af1657d500285cdeb66dd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\za265333.exe
Filesize
1.3MB

MD5
a8a6ef2febad43893677a572fa95be38

SHA1
69e8b6d96cd4a696b05e0134613f142a7e69bff6

SHA256
e530058dc47a1440e15d65bc073de8077b191c42fc43875fcf3010d883cb2adc

SHA512
ffbde4fcd9ff5fe40782be3770a3f43396ccf2b5b4ec21d17ba2768bff0bcd001f71194c32e924e4b785bad277123ade5d7b4acd1d3af1657d500285cdeb66dd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\za571665.exe
Filesize
862KB

MD5
66395e26e84dc21c79985fd3a139b5e3

SHA1
1b1307f6ce9ae56ee22c90cc5e8289be72d8fbc3

SHA256
7e7cfe0ed4d33db41b4fd83d2d26c2338c62ec4583f5c7bc5aef1fb8bd181030

SHA512
cb0dbf34779e21c1750f2288a8d7daee18382616848ca30271492b92730c9d7ca222ed185e9c4f921bf1d0b475d6077f9eb9f437dbf1a3f996763d5804d982c3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\za571665.exe
Filesize
862KB

MD5
66395e26e84dc21c79985fd3a139b5e3

SHA1
1b1307f6ce9ae56ee22c90cc5e8289be72d8fbc3

SHA256
7e7cfe0ed4d33db41b4fd83d2d26c2338c62ec4583f5c7bc5aef1fb8bd181030

SHA512
cb0dbf34779e21c1750f2288a8d7daee18382616848ca30271492b92730c9d7ca222ed185e9c4f921bf1d0b475d6077f9eb9f437dbf1a3f996763d5804d982c3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\za966696.exe
Filesize
679KB

MD5
937f6dedf6857f63d25fcba51be5814c

SHA1
38491ffc15c92cca4980309276a18801d631db89

SHA256
0543b203b2304754d6ee2ac1786f79891949767ff1682ea0a0b30e1ec6528e28

SHA512
8870fa67cf45b8ff3390d09f9751096ba5d18a9855db87baef84e2ebe636be1155fdcecdfde27091a2a75d0c12926544d8edbf5f67e3bbf8d92431b83fdbc6c0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\za966696.exe
Filesize
679KB

MD5
937f6dedf6857f63d25fcba51be5814c

SHA1
38491ffc15c92cca4980309276a18801d631db89

SHA256
0543b203b2304754d6ee2ac1786f79891949767ff1682ea0a0b30e1ec6528e28

SHA512
8870fa67cf45b8ff3390d09f9751096ba5d18a9855db87baef84e2ebe636be1155fdcecdfde27091a2a75d0c12926544d8edbf5f67e3bbf8d92431b83fdbc6c0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\26628038.exe
Filesize
301KB

MD5
e7b0bcef13515391e5b51b1b2844714b

SHA1
bca78d7c9224224dbe5912f7f1a57d33f9c46b99

SHA256
abd9b763cd3ae279fff255957be9f44831f1a8cf26eda089de5e9e1684d22783

SHA512
3c4af3b85745d9360889aa5417cf35b0b4a56ae5bbec512d6700acd88dca273238a78db31bd772907c3ebaf51d7f264078d884ddcb440f0a0b3598d68cfe2a22

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\26628038.exe
Filesize
301KB

MD5
e7b0bcef13515391e5b51b1b2844714b

SHA1
bca78d7c9224224dbe5912f7f1a57d33f9c46b99

SHA256
abd9b763cd3ae279fff255957be9f44831f1a8cf26eda089de5e9e1684d22783

SHA512
3c4af3b85745d9360889aa5417cf35b0b4a56ae5bbec512d6700acd88dca273238a78db31bd772907c3ebaf51d7f264078d884ddcb440f0a0b3598d68cfe2a22

Download Submit
memory/340-107-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/340-127-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/340-96-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/340-97-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/340-99-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/340-101-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/340-103-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/340-105-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/340-94-0x0000000000A20000-0x0000000000A78000-memory.dmp

Filesize
352KB

Download
memory/340-109-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/340-111-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/340-113-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/340-115-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/340-117-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/340-123-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/340-121-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/340-119-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/340-95-0x0000000002450000-0x00000000024A6000-memory.dmp

Filesize
344KB

Download
memory/340-129-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/340-125-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/340-131-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/340-135-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/340-133-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/340-139-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/340-137-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/340-141-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/340-145-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/340-143-0x0000000002450000-0x00000000024A1000-memory.dmp

Filesize
324KB

Download
memory/340-147-0x00000000024C0000-0x0000000002500000-memory.dmp

Filesize
256KB

Download
memory/340-148-0x00000000024C0000-0x0000000002500000-memory.dmp

Filesize
256KB

Download
memory/340-149-0x00000000024C0000-0x0000000002500000-memory.dmp

Filesize
256KB

Download
memory/340-151-0x00000000024C0000-0x0000000002500000-memory.dmp

Filesize
256KB

Download
memory/340-150-0x00000000024C0000-0x0000000002500000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads