5ae8f8b30279e392020ec776bbd27c6b97aad9d4f7ba5647916c44663e9548db

Analysis

max time kernel
27s
max time network
32s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01-05-2023 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ae8f8b30279e392020ec776bbd27c6b97aad9d4f7ba5647916c44663e9548db.exe
Size

1.5MB
MD5

b8f344c196d9ae34b5d82a8d78024acc
SHA1

ae43dbce2e2861b048ec24b05b7dda44b391c27b
SHA256

5ae8f8b30279e392020ec776bbd27c6b97aad9d4f7ba5647916c44663e9548db
SHA512

9a282b8a1a2b78beb72cc60dd1a26eaff7e1a012240d94ee68340ecbd2a4fd8ea80b27cc20d1b9756bf8dc1271bd11160e4e9b1ed1694f58317c8bbd2a4b3af8
SSDEEP

24576:kyIPIqfyeZW8Y/10VtHUuOvqq9/j0ARdlcACNdvUPAUvouAEo9A6:zhq6SqNQt0Bvdlqkzod

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

za131911.exeza382021.exeza473721.exe10074093.exe

pid process

1732 za131911.exe
688 za382021.exe
1400 za473721.exe
1196 10074093.exe

pid	process
1732	za131911.exe
688	za382021.exe
1400	za473721.exe
1196	10074093.exe

Loads dropped DLL 8 IoCs

Processes:

5ae8f8b30279e392020ec776bbd27c6b97aad9d4f7ba5647916c44663e9548db.exeza131911.exeza382021.exeza473721.exe10074093.exe

pid	process
1716	5ae8f8b30279e392020ec776bbd27c6b97aad9d4f7ba5647916c44663e9548db.exe
1732	za131911.exe
1732	za131911.exe
688	za382021.exe
688	za382021.exe
1400	za473721.exe
1400	za473721.exe
1196	10074093.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

za382021.exeza473721.exe5ae8f8b30279e392020ec776bbd27c6b97aad9d4f7ba5647916c44663e9548db.exeza131911.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za382021.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za382021.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za473721.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	za473721.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5ae8f8b30279e392020ec776bbd27c6b97aad9d4f7ba5647916c44663e9548db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5ae8f8b30279e392020ec776bbd27c6b97aad9d4f7ba5647916c44663e9548db.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za131911.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za131911.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

10074093.exe

description pid process

Token: SeDebugPrivilege 1196 10074093.exe

description	pid	process
Token: SeDebugPrivilege	1196	10074093.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

5ae8f8b30279e392020ec776bbd27c6b97aad9d4f7ba5647916c44663e9548db.exeza131911.exeza382021.exeza473721.exe

description	pid	process	target process
PID 1716 wrote to memory of 1732	1716	5ae8f8b30279e392020ec776bbd27c6b97aad9d4f7ba5647916c44663e9548db.exe	za131911.exe
PID 1716 wrote to memory of 1732	1716	5ae8f8b30279e392020ec776bbd27c6b97aad9d4f7ba5647916c44663e9548db.exe	za131911.exe
PID 1716 wrote to memory of 1732	1716	5ae8f8b30279e392020ec776bbd27c6b97aad9d4f7ba5647916c44663e9548db.exe	za131911.exe
PID 1716 wrote to memory of 1732	1716	5ae8f8b30279e392020ec776bbd27c6b97aad9d4f7ba5647916c44663e9548db.exe	za131911.exe
PID 1716 wrote to memory of 1732	1716	5ae8f8b30279e392020ec776bbd27c6b97aad9d4f7ba5647916c44663e9548db.exe	za131911.exe
PID 1716 wrote to memory of 1732	1716	5ae8f8b30279e392020ec776bbd27c6b97aad9d4f7ba5647916c44663e9548db.exe	za131911.exe
PID 1716 wrote to memory of 1732	1716	5ae8f8b30279e392020ec776bbd27c6b97aad9d4f7ba5647916c44663e9548db.exe	za131911.exe
PID 1732 wrote to memory of 688	1732	za131911.exe	za382021.exe
PID 1732 wrote to memory of 688	1732	za131911.exe	za382021.exe
PID 1732 wrote to memory of 688	1732	za131911.exe	za382021.exe
PID 1732 wrote to memory of 688	1732	za131911.exe	za382021.exe
PID 1732 wrote to memory of 688	1732	za131911.exe	za382021.exe
PID 1732 wrote to memory of 688	1732	za131911.exe	za382021.exe
PID 1732 wrote to memory of 688	1732	za131911.exe	za382021.exe
PID 688 wrote to memory of 1400	688	za382021.exe	za473721.exe
PID 688 wrote to memory of 1400	688	za382021.exe	za473721.exe
PID 688 wrote to memory of 1400	688	za382021.exe	za473721.exe
PID 688 wrote to memory of 1400	688	za382021.exe	za473721.exe
PID 688 wrote to memory of 1400	688	za382021.exe	za473721.exe
PID 688 wrote to memory of 1400	688	za382021.exe	za473721.exe
PID 688 wrote to memory of 1400	688	za382021.exe	za473721.exe
PID 1400 wrote to memory of 1196	1400	za473721.exe	10074093.exe
PID 1400 wrote to memory of 1196	1400	za473721.exe	10074093.exe
PID 1400 wrote to memory of 1196	1400	za473721.exe	10074093.exe
PID 1400 wrote to memory of 1196	1400	za473721.exe	10074093.exe
PID 1400 wrote to memory of 1196	1400	za473721.exe	10074093.exe
PID 1400 wrote to memory of 1196	1400	za473721.exe	10074093.exe
PID 1400 wrote to memory of 1196	1400	za473721.exe	10074093.exe

C:\Users\Admin\AppData\Local\Temp\5ae8f8b30279e392020ec776bbd27c6b97aad9d4f7ba5647916c44663e9548db.exe
"C:\Users\Admin\AppData\Local\Temp\5ae8f8b30279e392020ec776bbd27c6b97aad9d4f7ba5647916c44663e9548db.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za131911.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za131911.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za382021.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za382021.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:688

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za473721.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za473721.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\10074093.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\10074093.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za131911.exe

Filesize
1.3MB

MD5
0243064f4639dbc5df1ed5650c5626dd

SHA1
2c661cfa8843ef4d916ff4a0eabee77ce034e524

SHA256
14112e889a3ad966a0cec6519ee7e021d17b63c6285c357d424ebd65be6bb309

SHA512
539b0d031992066edbaaeaf1db81c2e45ce6ac1ff8dc345d5e6301fe3297de94f4cd66927a063288fbf2ccb944f68baa4b64206f89b99bffe53090c675af69f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za131911.exe

Filesize
1.3MB

MD5
0243064f4639dbc5df1ed5650c5626dd

SHA1
2c661cfa8843ef4d916ff4a0eabee77ce034e524

SHA256
14112e889a3ad966a0cec6519ee7e021d17b63c6285c357d424ebd65be6bb309

SHA512
539b0d031992066edbaaeaf1db81c2e45ce6ac1ff8dc345d5e6301fe3297de94f4cd66927a063288fbf2ccb944f68baa4b64206f89b99bffe53090c675af69f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za382021.exe

Filesize
862KB

MD5
4b530b1887d24f87a29a0d6bc93db3a5

SHA1
48bb1862dae02ad8acf6feedbcf9effccc899c21

SHA256
bcab749322a2e3762f87076087457feba1099f659ea5642c3d6ec0ecca70e6a6

SHA512
cd5e3ee749e519ced1f3ef12ecbf85b206e3e9488d71bc86ddf623b76a8b8c53152ad3527e8a6cce07c3372841756fe897ccc06643d48ce6f3f29feeb88a3bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za382021.exe

Filesize
862KB

MD5
4b530b1887d24f87a29a0d6bc93db3a5

SHA1
48bb1862dae02ad8acf6feedbcf9effccc899c21

SHA256
bcab749322a2e3762f87076087457feba1099f659ea5642c3d6ec0ecca70e6a6

SHA512
cd5e3ee749e519ced1f3ef12ecbf85b206e3e9488d71bc86ddf623b76a8b8c53152ad3527e8a6cce07c3372841756fe897ccc06643d48ce6f3f29feeb88a3bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za473721.exe

Filesize
679KB

MD5
341c42f795b17c4d402d521a5dc9db5f

SHA1
8ae81e85694a5d30315f1093616ff85f0b019ac7

SHA256
d2bfe2705bff1caa0ee6caae2b99e65fa710ead9b8641e7eefc93a8713e37766

SHA512
ee88570194e50502c2a2334bfab074ed5e15b8abd0fcf326e135e90f6d396fe516f06a843ec02588b7b393b29e8ede952c0a9aea31479827d67d80629bcff97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za473721.exe

Filesize
679KB

MD5
341c42f795b17c4d402d521a5dc9db5f

SHA1
8ae81e85694a5d30315f1093616ff85f0b019ac7

SHA256
d2bfe2705bff1caa0ee6caae2b99e65fa710ead9b8641e7eefc93a8713e37766

SHA512
ee88570194e50502c2a2334bfab074ed5e15b8abd0fcf326e135e90f6d396fe516f06a843ec02588b7b393b29e8ede952c0a9aea31479827d67d80629bcff97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\10074093.exe

Filesize
301KB

MD5
8f8302378182d86899cca86d3e72c5a3

SHA1
47fa91b8683bfc015b7b8553b809e8ed5e314876

SHA256
2570b2f81ec2c7bf1e7fec6b2db0049ac8514b25054815c8f8af739928dd1d91

SHA512
4c2c626973a6ceba0ca6fe9349c088f832a37e631c1b9334e7b453b0a84036fec06b2893cfe67fc2868836063c59390cf33543cacc0ef34ad20dec20c4a2b090

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\10074093.exe

Filesize
301KB

MD5
8f8302378182d86899cca86d3e72c5a3

SHA1
47fa91b8683bfc015b7b8553b809e8ed5e314876

SHA256
2570b2f81ec2c7bf1e7fec6b2db0049ac8514b25054815c8f8af739928dd1d91

SHA512
4c2c626973a6ceba0ca6fe9349c088f832a37e631c1b9334e7b453b0a84036fec06b2893cfe67fc2868836063c59390cf33543cacc0ef34ad20dec20c4a2b090

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\za131911.exe

Filesize
1.3MB

MD5
0243064f4639dbc5df1ed5650c5626dd

SHA1
2c661cfa8843ef4d916ff4a0eabee77ce034e524

SHA256
14112e889a3ad966a0cec6519ee7e021d17b63c6285c357d424ebd65be6bb309

SHA512
539b0d031992066edbaaeaf1db81c2e45ce6ac1ff8dc345d5e6301fe3297de94f4cd66927a063288fbf2ccb944f68baa4b64206f89b99bffe53090c675af69f4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\za131911.exe

Filesize
1.3MB

MD5
0243064f4639dbc5df1ed5650c5626dd

SHA1
2c661cfa8843ef4d916ff4a0eabee77ce034e524

SHA256
14112e889a3ad966a0cec6519ee7e021d17b63c6285c357d424ebd65be6bb309

SHA512
539b0d031992066edbaaeaf1db81c2e45ce6ac1ff8dc345d5e6301fe3297de94f4cd66927a063288fbf2ccb944f68baa4b64206f89b99bffe53090c675af69f4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\za382021.exe

Filesize
862KB

MD5
4b530b1887d24f87a29a0d6bc93db3a5

SHA1
48bb1862dae02ad8acf6feedbcf9effccc899c21

SHA256
bcab749322a2e3762f87076087457feba1099f659ea5642c3d6ec0ecca70e6a6

SHA512
cd5e3ee749e519ced1f3ef12ecbf85b206e3e9488d71bc86ddf623b76a8b8c53152ad3527e8a6cce07c3372841756fe897ccc06643d48ce6f3f29feeb88a3bad

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\za382021.exe

Filesize
862KB

MD5
4b530b1887d24f87a29a0d6bc93db3a5

SHA1
48bb1862dae02ad8acf6feedbcf9effccc899c21

SHA256
bcab749322a2e3762f87076087457feba1099f659ea5642c3d6ec0ecca70e6a6

SHA512
cd5e3ee749e519ced1f3ef12ecbf85b206e3e9488d71bc86ddf623b76a8b8c53152ad3527e8a6cce07c3372841756fe897ccc06643d48ce6f3f29feeb88a3bad

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\za473721.exe

Filesize
679KB

MD5
341c42f795b17c4d402d521a5dc9db5f

SHA1
8ae81e85694a5d30315f1093616ff85f0b019ac7

SHA256
d2bfe2705bff1caa0ee6caae2b99e65fa710ead9b8641e7eefc93a8713e37766

SHA512
ee88570194e50502c2a2334bfab074ed5e15b8abd0fcf326e135e90f6d396fe516f06a843ec02588b7b393b29e8ede952c0a9aea31479827d67d80629bcff97a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\za473721.exe

Filesize
679KB

MD5
341c42f795b17c4d402d521a5dc9db5f

SHA1
8ae81e85694a5d30315f1093616ff85f0b019ac7

SHA256
d2bfe2705bff1caa0ee6caae2b99e65fa710ead9b8641e7eefc93a8713e37766

SHA512
ee88570194e50502c2a2334bfab074ed5e15b8abd0fcf326e135e90f6d396fe516f06a843ec02588b7b393b29e8ede952c0a9aea31479827d67d80629bcff97a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\10074093.exe

Filesize
301KB

MD5
8f8302378182d86899cca86d3e72c5a3

SHA1
47fa91b8683bfc015b7b8553b809e8ed5e314876

SHA256
2570b2f81ec2c7bf1e7fec6b2db0049ac8514b25054815c8f8af739928dd1d91

SHA512
4c2c626973a6ceba0ca6fe9349c088f832a37e631c1b9334e7b453b0a84036fec06b2893cfe67fc2868836063c59390cf33543cacc0ef34ad20dec20c4a2b090

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\10074093.exe

Filesize
301KB

MD5
8f8302378182d86899cca86d3e72c5a3

SHA1
47fa91b8683bfc015b7b8553b809e8ed5e314876

SHA256
2570b2f81ec2c7bf1e7fec6b2db0049ac8514b25054815c8f8af739928dd1d91

SHA512
4c2c626973a6ceba0ca6fe9349c088f832a37e631c1b9334e7b453b0a84036fec06b2893cfe67fc2868836063c59390cf33543cacc0ef34ad20dec20c4a2b090

Download Submit
memory/1196-99-0x0000000004850000-0x00000000048A1000-memory.dmp

Filesize
324KB

Download
memory/1196-117-0x0000000004850000-0x00000000048A1000-memory.dmp

Filesize
324KB

Download
memory/1196-96-0x0000000004850000-0x00000000048A1000-memory.dmp

Filesize
324KB

Download
memory/1196-97-0x0000000004850000-0x00000000048A1000-memory.dmp

Filesize
324KB

Download
memory/1196-94-0x00000000047F0000-0x0000000004848000-memory.dmp

Filesize
352KB

Download
memory/1196-101-0x0000000004850000-0x00000000048A1000-memory.dmp

Filesize
324KB

Download
memory/1196-103-0x0000000004850000-0x00000000048A1000-memory.dmp

Filesize
324KB

Download
memory/1196-105-0x0000000004850000-0x00000000048A1000-memory.dmp

Filesize
324KB

Download
memory/1196-107-0x0000000004850000-0x00000000048A1000-memory.dmp

Filesize
324KB

Download
memory/1196-109-0x0000000004850000-0x00000000048A1000-memory.dmp

Filesize
324KB

Download
memory/1196-111-0x0000000004850000-0x00000000048A1000-memory.dmp

Filesize
324KB

Download
memory/1196-113-0x0000000004850000-0x00000000048A1000-memory.dmp

Filesize
324KB

Download
memory/1196-115-0x0000000004850000-0x00000000048A1000-memory.dmp

Filesize
324KB

Download
memory/1196-95-0x0000000004850000-0x00000000048A6000-memory.dmp

Filesize
344KB

Download
memory/1196-119-0x0000000004850000-0x00000000048A1000-memory.dmp

Filesize
324KB

Download
memory/1196-123-0x0000000004850000-0x00000000048A1000-memory.dmp

Filesize
324KB

Download
memory/1196-125-0x0000000004850000-0x00000000048A1000-memory.dmp

Filesize
324KB

Download
memory/1196-129-0x0000000004850000-0x00000000048A1000-memory.dmp

Filesize
324KB

Download
memory/1196-131-0x0000000004850000-0x00000000048A1000-memory.dmp

Filesize
324KB

Download
memory/1196-134-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download
memory/1196-135-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download
memory/1196-133-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download
memory/1196-127-0x0000000004850000-0x00000000048A1000-memory.dmp

Filesize
324KB

Download
memory/1196-121-0x0000000004850000-0x00000000048A1000-memory.dmp

Filesize
324KB

Download
memory/1196-136-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download
memory/1196-137-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download