602146da46afad36acd9f5d7ff071282009bc87c13b710e36308ae910777769a

Analysis

max time kernel
142s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01-05-2023 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

602146da46afad36acd9f5d7ff071282009bc87c13b710e36308ae910777769a.exe
Size

1.2MB
MD5

99c88e4ed8b1df13a7ad50a0db8e7169
SHA1

98325c9698978df1c8cbf9e787d373ad25550c6e
SHA256

602146da46afad36acd9f5d7ff071282009bc87c13b710e36308ae910777769a
SHA512

9c512d95256128595beaf30f383f7b7caf05d6dfbcaabfcfb69c13165db2c077d8a193767e739d4e507eb940bfbc13187afa5e59fd2becc2c0c1cda12b9e9cfd
SSDEEP

24576:xy97vBcO04E3JDInMYKGPA//xvsQYn7DJM0LYv6EB7di0KMF4tm72dpm7:k99n0n3JDInMHZnJsT/8v6k00KpY2d

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

z38986627.exez07831119.exez07473793.exes56665980.exe

pid process

1676 z38986627.exe
284 z07831119.exe
1632 z07473793.exe
864 s56665980.exe

pid	process
1676	z38986627.exe
284	z07831119.exe
1632	z07473793.exe
864	s56665980.exe

Loads dropped DLL 9 IoCs

Processes:

602146da46afad36acd9f5d7ff071282009bc87c13b710e36308ae910777769a.exez38986627.exez07831119.exez07473793.exes56665980.exe

pid	process
2032	602146da46afad36acd9f5d7ff071282009bc87c13b710e36308ae910777769a.exe
1676	z38986627.exe
1676	z38986627.exe
284	z07831119.exe
284	z07831119.exe
1632	z07473793.exe
1632	z07473793.exe
1632	z07473793.exe
864	s56665980.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z07473793.exe602146da46afad36acd9f5d7ff071282009bc87c13b710e36308ae910777769a.exez38986627.exez07831119.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z07473793.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z07473793.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	602146da46afad36acd9f5d7ff071282009bc87c13b710e36308ae910777769a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	602146da46afad36acd9f5d7ff071282009bc87c13b710e36308ae910777769a.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z38986627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z38986627.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z07831119.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z07831119.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

s56665980.exe

description pid process

Token: SeDebugPrivilege 864 s56665980.exe

description	pid	process
Token: SeDebugPrivilege	864	s56665980.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

602146da46afad36acd9f5d7ff071282009bc87c13b710e36308ae910777769a.exez38986627.exez07831119.exez07473793.exe

description	pid	process	target process
PID 2032 wrote to memory of 1676	2032	602146da46afad36acd9f5d7ff071282009bc87c13b710e36308ae910777769a.exe	z38986627.exe
PID 2032 wrote to memory of 1676	2032	602146da46afad36acd9f5d7ff071282009bc87c13b710e36308ae910777769a.exe	z38986627.exe
PID 2032 wrote to memory of 1676	2032	602146da46afad36acd9f5d7ff071282009bc87c13b710e36308ae910777769a.exe	z38986627.exe
PID 2032 wrote to memory of 1676	2032	602146da46afad36acd9f5d7ff071282009bc87c13b710e36308ae910777769a.exe	z38986627.exe
PID 2032 wrote to memory of 1676	2032	602146da46afad36acd9f5d7ff071282009bc87c13b710e36308ae910777769a.exe	z38986627.exe
PID 2032 wrote to memory of 1676	2032	602146da46afad36acd9f5d7ff071282009bc87c13b710e36308ae910777769a.exe	z38986627.exe
PID 2032 wrote to memory of 1676	2032	602146da46afad36acd9f5d7ff071282009bc87c13b710e36308ae910777769a.exe	z38986627.exe
PID 1676 wrote to memory of 284	1676	z38986627.exe	z07831119.exe
PID 1676 wrote to memory of 284	1676	z38986627.exe	z07831119.exe
PID 1676 wrote to memory of 284	1676	z38986627.exe	z07831119.exe
PID 1676 wrote to memory of 284	1676	z38986627.exe	z07831119.exe
PID 1676 wrote to memory of 284	1676	z38986627.exe	z07831119.exe
PID 1676 wrote to memory of 284	1676	z38986627.exe	z07831119.exe
PID 1676 wrote to memory of 284	1676	z38986627.exe	z07831119.exe
PID 284 wrote to memory of 1632	284	z07831119.exe	z07473793.exe
PID 284 wrote to memory of 1632	284	z07831119.exe	z07473793.exe
PID 284 wrote to memory of 1632	284	z07831119.exe	z07473793.exe
PID 284 wrote to memory of 1632	284	z07831119.exe	z07473793.exe
PID 284 wrote to memory of 1632	284	z07831119.exe	z07473793.exe
PID 284 wrote to memory of 1632	284	z07831119.exe	z07473793.exe
PID 284 wrote to memory of 1632	284	z07831119.exe	z07473793.exe
PID 1632 wrote to memory of 864	1632	z07473793.exe	s56665980.exe
PID 1632 wrote to memory of 864	1632	z07473793.exe	s56665980.exe
PID 1632 wrote to memory of 864	1632	z07473793.exe	s56665980.exe
PID 1632 wrote to memory of 864	1632	z07473793.exe	s56665980.exe
PID 1632 wrote to memory of 864	1632	z07473793.exe	s56665980.exe
PID 1632 wrote to memory of 864	1632	z07473793.exe	s56665980.exe
PID 1632 wrote to memory of 864	1632	z07473793.exe	s56665980.exe

C:\Users\Admin\AppData\Local\Temp\602146da46afad36acd9f5d7ff071282009bc87c13b710e36308ae910777769a.exe
"C:\Users\Admin\AppData\Local\Temp\602146da46afad36acd9f5d7ff071282009bc87c13b710e36308ae910777769a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z38986627.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z38986627.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z07831119.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z07831119.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:284

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z07473793.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z07473793.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s56665980.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s56665980.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z38986627.exe

Filesize
1.0MB

MD5
4a7fda9f82580da3aff9e3b5af8426b2

SHA1
9ac65838bfd29108989c973dff1cbde82b2a4c75

SHA256
bd08a4daa487f47d7e4bcff2c72e3961e48a8e68ef18fa0fca86409825a928b1

SHA512
eae4da450b23fadeaa28344f4a78fca37d69c7bf7c93d0b39fd63e6733d9a33ed74d04a3410a7684dd3c909a999a5c8aee0e02f70619a159174d470501f1af69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z38986627.exe

Filesize
1.0MB

MD5
4a7fda9f82580da3aff9e3b5af8426b2

SHA1
9ac65838bfd29108989c973dff1cbde82b2a4c75

SHA256
bd08a4daa487f47d7e4bcff2c72e3961e48a8e68ef18fa0fca86409825a928b1

SHA512
eae4da450b23fadeaa28344f4a78fca37d69c7bf7c93d0b39fd63e6733d9a33ed74d04a3410a7684dd3c909a999a5c8aee0e02f70619a159174d470501f1af69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z07831119.exe

Filesize
759KB

MD5
3d728c324a7d1eaf8fea21b99dcb60bf

SHA1
a4498292f657075a81a13e02e34849fa02d1bf73

SHA256
296249c84cad9df5cae9c864f055b65b6ad30e24220ba27d361b1b80c2d9924f

SHA512
e2c674192fcfc8ae92c7c2cb7894fc11d3eca70c76b39be70be3e9d19b1256c5746e0e583d58f99f70b73010a399b1b6f5f99d9eb19c0a73a48d1fbe661ca21d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z07831119.exe

Filesize
759KB

MD5
3d728c324a7d1eaf8fea21b99dcb60bf

SHA1
a4498292f657075a81a13e02e34849fa02d1bf73

SHA256
296249c84cad9df5cae9c864f055b65b6ad30e24220ba27d361b1b80c2d9924f

SHA512
e2c674192fcfc8ae92c7c2cb7894fc11d3eca70c76b39be70be3e9d19b1256c5746e0e583d58f99f70b73010a399b1b6f5f99d9eb19c0a73a48d1fbe661ca21d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z07473793.exe

Filesize
577KB

MD5
bf8fc2f3043441caff36c89a7a327f47

SHA1
ba66a9453409263d8c41a948b742f7be89916c88

SHA256
7543680ec6cfe349b00679846c64590598cf5933baea8d50a69c15aa252be8dc

SHA512
ebb4d29417e80d305416ddaba0791e21854b83f003a68fe664eb2b906b804ab3e4b1ff94133cc58b749bedd73da15eb116312369400b0cb9e7a01823509bb5fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z07473793.exe

Filesize
577KB

MD5
bf8fc2f3043441caff36c89a7a327f47

SHA1
ba66a9453409263d8c41a948b742f7be89916c88

SHA256
7543680ec6cfe349b00679846c64590598cf5933baea8d50a69c15aa252be8dc

SHA512
ebb4d29417e80d305416ddaba0791e21854b83f003a68fe664eb2b906b804ab3e4b1ff94133cc58b749bedd73da15eb116312369400b0cb9e7a01823509bb5fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s56665980.exe

Filesize
574KB

MD5
24000f5e4687d7e5db9cd73b70807930

SHA1
32ef526807bbd6488fb8bb358001b6ee23c89779

SHA256
591aff00e997ee3895768a4698c8555105239814c995152fd7b9ab475ac485e4

SHA512
6dee95fe477f345a0824eb3eb8a5f5fa1f5d4b19f8c6177bb5f2d192ec54bade00e267213c980f45e173235978627e47ffda9d763afc8b9aeffce830861ca6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s56665980.exe

Filesize
574KB

MD5
24000f5e4687d7e5db9cd73b70807930

SHA1
32ef526807bbd6488fb8bb358001b6ee23c89779

SHA256
591aff00e997ee3895768a4698c8555105239814c995152fd7b9ab475ac485e4

SHA512
6dee95fe477f345a0824eb3eb8a5f5fa1f5d4b19f8c6177bb5f2d192ec54bade00e267213c980f45e173235978627e47ffda9d763afc8b9aeffce830861ca6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s56665980.exe

Filesize
574KB

MD5
24000f5e4687d7e5db9cd73b70807930

SHA1
32ef526807bbd6488fb8bb358001b6ee23c89779

SHA256
591aff00e997ee3895768a4698c8555105239814c995152fd7b9ab475ac485e4

SHA512
6dee95fe477f345a0824eb3eb8a5f5fa1f5d4b19f8c6177bb5f2d192ec54bade00e267213c980f45e173235978627e47ffda9d763afc8b9aeffce830861ca6c8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z38986627.exe

Filesize
1.0MB

MD5
4a7fda9f82580da3aff9e3b5af8426b2

SHA1
9ac65838bfd29108989c973dff1cbde82b2a4c75

SHA256
bd08a4daa487f47d7e4bcff2c72e3961e48a8e68ef18fa0fca86409825a928b1

SHA512
eae4da450b23fadeaa28344f4a78fca37d69c7bf7c93d0b39fd63e6733d9a33ed74d04a3410a7684dd3c909a999a5c8aee0e02f70619a159174d470501f1af69

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z38986627.exe

Filesize
1.0MB

MD5
4a7fda9f82580da3aff9e3b5af8426b2

SHA1
9ac65838bfd29108989c973dff1cbde82b2a4c75

SHA256
bd08a4daa487f47d7e4bcff2c72e3961e48a8e68ef18fa0fca86409825a928b1

SHA512
eae4da450b23fadeaa28344f4a78fca37d69c7bf7c93d0b39fd63e6733d9a33ed74d04a3410a7684dd3c909a999a5c8aee0e02f70619a159174d470501f1af69

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z07831119.exe

Filesize
759KB

MD5
3d728c324a7d1eaf8fea21b99dcb60bf

SHA1
a4498292f657075a81a13e02e34849fa02d1bf73

SHA256
296249c84cad9df5cae9c864f055b65b6ad30e24220ba27d361b1b80c2d9924f

SHA512
e2c674192fcfc8ae92c7c2cb7894fc11d3eca70c76b39be70be3e9d19b1256c5746e0e583d58f99f70b73010a399b1b6f5f99d9eb19c0a73a48d1fbe661ca21d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z07831119.exe

Filesize
759KB

MD5
3d728c324a7d1eaf8fea21b99dcb60bf

SHA1
a4498292f657075a81a13e02e34849fa02d1bf73

SHA256
296249c84cad9df5cae9c864f055b65b6ad30e24220ba27d361b1b80c2d9924f

SHA512
e2c674192fcfc8ae92c7c2cb7894fc11d3eca70c76b39be70be3e9d19b1256c5746e0e583d58f99f70b73010a399b1b6f5f99d9eb19c0a73a48d1fbe661ca21d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z07473793.exe

Filesize
577KB

MD5
bf8fc2f3043441caff36c89a7a327f47

SHA1
ba66a9453409263d8c41a948b742f7be89916c88

SHA256
7543680ec6cfe349b00679846c64590598cf5933baea8d50a69c15aa252be8dc

SHA512
ebb4d29417e80d305416ddaba0791e21854b83f003a68fe664eb2b906b804ab3e4b1ff94133cc58b749bedd73da15eb116312369400b0cb9e7a01823509bb5fb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\z07473793.exe

Filesize
577KB

MD5
bf8fc2f3043441caff36c89a7a327f47

SHA1
ba66a9453409263d8c41a948b742f7be89916c88

SHA256
7543680ec6cfe349b00679846c64590598cf5933baea8d50a69c15aa252be8dc

SHA512
ebb4d29417e80d305416ddaba0791e21854b83f003a68fe664eb2b906b804ab3e4b1ff94133cc58b749bedd73da15eb116312369400b0cb9e7a01823509bb5fb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\s56665980.exe

Filesize
574KB

MD5
24000f5e4687d7e5db9cd73b70807930

SHA1
32ef526807bbd6488fb8bb358001b6ee23c89779

SHA256
591aff00e997ee3895768a4698c8555105239814c995152fd7b9ab475ac485e4

SHA512
6dee95fe477f345a0824eb3eb8a5f5fa1f5d4b19f8c6177bb5f2d192ec54bade00e267213c980f45e173235978627e47ffda9d763afc8b9aeffce830861ca6c8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\s56665980.exe

Filesize
574KB

MD5
24000f5e4687d7e5db9cd73b70807930

SHA1
32ef526807bbd6488fb8bb358001b6ee23c89779

SHA256
591aff00e997ee3895768a4698c8555105239814c995152fd7b9ab475ac485e4

SHA512
6dee95fe477f345a0824eb3eb8a5f5fa1f5d4b19f8c6177bb5f2d192ec54bade00e267213c980f45e173235978627e47ffda9d763afc8b9aeffce830861ca6c8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\s56665980.exe

Filesize
574KB

MD5
24000f5e4687d7e5db9cd73b70807930

SHA1
32ef526807bbd6488fb8bb358001b6ee23c89779

SHA256
591aff00e997ee3895768a4698c8555105239814c995152fd7b9ab475ac485e4

SHA512
6dee95fe477f345a0824eb3eb8a5f5fa1f5d4b19f8c6177bb5f2d192ec54bade00e267213c980f45e173235978627e47ffda9d763afc8b9aeffce830861ca6c8

Download Submit
memory/864-111-0x0000000002590000-0x00000000025F0000-memory.dmp

Filesize
384KB

Download
memory/864-129-0x0000000002590000-0x00000000025F0000-memory.dmp

Filesize
384KB

Download
memory/864-100-0x0000000002590000-0x00000000025F0000-memory.dmp

Filesize
384KB

Download
memory/864-101-0x0000000002590000-0x00000000025F0000-memory.dmp

Filesize
384KB

Download
memory/864-103-0x0000000002590000-0x00000000025F0000-memory.dmp

Filesize
384KB

Download
memory/864-105-0x0000000002590000-0x00000000025F0000-memory.dmp

Filesize
384KB

Download
memory/864-107-0x0000000002590000-0x00000000025F0000-memory.dmp

Filesize
384KB

Download
memory/864-109-0x0000000002590000-0x00000000025F0000-memory.dmp

Filesize
384KB

Download
memory/864-98-0x00000000022F0000-0x0000000002358000-memory.dmp

Filesize
416KB

Download
memory/864-113-0x0000000002590000-0x00000000025F0000-memory.dmp

Filesize
384KB

Download
memory/864-115-0x0000000002590000-0x00000000025F0000-memory.dmp

Filesize
384KB

Download
memory/864-117-0x0000000002590000-0x00000000025F0000-memory.dmp

Filesize
384KB

Download
memory/864-119-0x0000000002590000-0x00000000025F0000-memory.dmp

Filesize
384KB

Download
memory/864-121-0x0000000002590000-0x00000000025F0000-memory.dmp

Filesize
384KB

Download
memory/864-123-0x0000000002590000-0x00000000025F0000-memory.dmp

Filesize
384KB

Download
memory/864-125-0x0000000002590000-0x00000000025F0000-memory.dmp

Filesize
384KB

Download
memory/864-127-0x0000000002590000-0x00000000025F0000-memory.dmp

Filesize
384KB

Download
memory/864-99-0x0000000002590000-0x00000000025F6000-memory.dmp

Filesize
408KB

Download
memory/864-131-0x0000000002590000-0x00000000025F0000-memory.dmp

Filesize
384KB

Download
memory/864-133-0x0000000002590000-0x00000000025F0000-memory.dmp

Filesize
384KB

Download
memory/864-137-0x0000000002590000-0x00000000025F0000-memory.dmp

Filesize
384KB

Download
memory/864-135-0x0000000002590000-0x00000000025F0000-memory.dmp

Filesize
384KB

Download
memory/864-141-0x0000000002590000-0x00000000025F0000-memory.dmp

Filesize
384KB

Download
memory/864-147-0x0000000002590000-0x00000000025F0000-memory.dmp

Filesize
384KB

Download
memory/864-150-0x0000000004F30000-0x0000000004F70000-memory.dmp

Filesize
256KB

Download
memory/864-149-0x00000000008B0000-0x000000000090B000-memory.dmp

Filesize
364KB

Download
memory/864-151-0x0000000004F30000-0x0000000004F70000-memory.dmp

Filesize
256KB

Download
memory/864-145-0x0000000002590000-0x00000000025F0000-memory.dmp

Filesize
384KB

Download
memory/864-143-0x0000000002590000-0x00000000025F0000-memory.dmp

Filesize
384KB

Download
memory/864-139-0x0000000002590000-0x00000000025F0000-memory.dmp

Filesize
384KB

Download
memory/864-152-0x0000000000400000-0x0000000000835000-memory.dmp

Filesize
4.2MB

Download
memory/864-153-0x0000000004F30000-0x0000000004F70000-memory.dmp

Filesize
256KB

Download
memory/864-154-0x0000000004F30000-0x0000000004F70000-memory.dmp

Filesize
256KB

Download
memory/864-155-0x0000000004F30000-0x0000000004F70000-memory.dmp

Filesize
256KB

Download