cf841a7234621227b06db407d47c51d4dd450c6a4c3c4bc1ffa0106330b76414

Analysis

max time kernel
23s
max time network
27s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01-05-2023 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf841a7234621227b06db407d47c51d4dd450c6a4c3c4bc1ffa0106330b76414.exe
Size

1.3MB
MD5

910d22505ba05058294d17c13d46ad9a
SHA1

c9f40009def47a5357b8a1865c5179ba10057007
SHA256

cf841a7234621227b06db407d47c51d4dd450c6a4c3c4bc1ffa0106330b76414
SHA512

fd0d4323b8e5b1f42bbea4c7f82d337e6eccf478582b2ba2e892376a19a70e945054f8591bf375092015b84098f13c788907c15136c61f95cf65fe8d0bef0483
SSDEEP

24576:gyo4tq+Hpu1cmTijnMftEiSWyuKWdRh06rvmoL5ouU+jIMrgIGB/crIcLsW:no4tq6p7mIctN+6rvmouMBL

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

za200638.exeza566314.exeza553044.exe90815824.exe

pid process

1468 za200638.exe
1304 za566314.exe
580 za553044.exe
528 90815824.exe

pid	process
1468	za200638.exe
1304	za566314.exe
580	za553044.exe
528	90815824.exe

Loads dropped DLL 8 IoCs

Processes:

cf841a7234621227b06db407d47c51d4dd450c6a4c3c4bc1ffa0106330b76414.exeza200638.exeza566314.exeza553044.exe90815824.exe

pid	process
1636	cf841a7234621227b06db407d47c51d4dd450c6a4c3c4bc1ffa0106330b76414.exe
1468	za200638.exe
1468	za200638.exe
1304	za566314.exe
1304	za566314.exe
580	za553044.exe
580	za553044.exe
528	90815824.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cf841a7234621227b06db407d47c51d4dd450c6a4c3c4bc1ffa0106330b76414.exeza200638.exeza566314.exeza553044.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cf841a7234621227b06db407d47c51d4dd450c6a4c3c4bc1ffa0106330b76414.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za200638.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za200638.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za566314.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za566314.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za553044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	za553044.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cf841a7234621227b06db407d47c51d4dd450c6a4c3c4bc1ffa0106330b76414.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

90815824.exe

description pid process

Token: SeDebugPrivilege 528 90815824.exe

description	pid	process
Token: SeDebugPrivilege	528	90815824.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

cf841a7234621227b06db407d47c51d4dd450c6a4c3c4bc1ffa0106330b76414.exeza200638.exeza566314.exeza553044.exe

description	pid	process	target process
PID 1636 wrote to memory of 1468	1636	cf841a7234621227b06db407d47c51d4dd450c6a4c3c4bc1ffa0106330b76414.exe	za200638.exe
PID 1636 wrote to memory of 1468	1636	cf841a7234621227b06db407d47c51d4dd450c6a4c3c4bc1ffa0106330b76414.exe	za200638.exe
PID 1636 wrote to memory of 1468	1636	cf841a7234621227b06db407d47c51d4dd450c6a4c3c4bc1ffa0106330b76414.exe	za200638.exe
PID 1636 wrote to memory of 1468	1636	cf841a7234621227b06db407d47c51d4dd450c6a4c3c4bc1ffa0106330b76414.exe	za200638.exe
PID 1636 wrote to memory of 1468	1636	cf841a7234621227b06db407d47c51d4dd450c6a4c3c4bc1ffa0106330b76414.exe	za200638.exe
PID 1636 wrote to memory of 1468	1636	cf841a7234621227b06db407d47c51d4dd450c6a4c3c4bc1ffa0106330b76414.exe	za200638.exe
PID 1636 wrote to memory of 1468	1636	cf841a7234621227b06db407d47c51d4dd450c6a4c3c4bc1ffa0106330b76414.exe	za200638.exe
PID 1468 wrote to memory of 1304	1468	za200638.exe	za566314.exe
PID 1468 wrote to memory of 1304	1468	za200638.exe	za566314.exe
PID 1468 wrote to memory of 1304	1468	za200638.exe	za566314.exe
PID 1468 wrote to memory of 1304	1468	za200638.exe	za566314.exe
PID 1468 wrote to memory of 1304	1468	za200638.exe	za566314.exe
PID 1468 wrote to memory of 1304	1468	za200638.exe	za566314.exe
PID 1468 wrote to memory of 1304	1468	za200638.exe	za566314.exe
PID 1304 wrote to memory of 580	1304	za566314.exe	za553044.exe
PID 1304 wrote to memory of 580	1304	za566314.exe	za553044.exe
PID 1304 wrote to memory of 580	1304	za566314.exe	za553044.exe
PID 1304 wrote to memory of 580	1304	za566314.exe	za553044.exe
PID 1304 wrote to memory of 580	1304	za566314.exe	za553044.exe
PID 1304 wrote to memory of 580	1304	za566314.exe	za553044.exe
PID 1304 wrote to memory of 580	1304	za566314.exe	za553044.exe
PID 580 wrote to memory of 528	580	za553044.exe	90815824.exe
PID 580 wrote to memory of 528	580	za553044.exe	90815824.exe
PID 580 wrote to memory of 528	580	za553044.exe	90815824.exe
PID 580 wrote to memory of 528	580	za553044.exe	90815824.exe
PID 580 wrote to memory of 528	580	za553044.exe	90815824.exe
PID 580 wrote to memory of 528	580	za553044.exe	90815824.exe
PID 580 wrote to memory of 528	580	za553044.exe	90815824.exe

C:\Users\Admin\AppData\Local\Temp\cf841a7234621227b06db407d47c51d4dd450c6a4c3c4bc1ffa0106330b76414.exe
"C:\Users\Admin\AppData\Local\Temp\cf841a7234621227b06db407d47c51d4dd450c6a4c3c4bc1ffa0106330b76414.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za200638.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za200638.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1468

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za566314.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za566314.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za553044.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za553044.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:580

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\90815824.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\90815824.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:528

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za200638.exe
Filesize
1.2MB

MD5
3db479c71b15c521d6ef7184150ac607

SHA1
e8bc060b7332b4678b6af81a8f18e947e14e688c

SHA256
bcf9d52ea84d7b8beab6d7cc97e98c48a7e074f4a0c9390c762f5ea1872c8fb7

SHA512
736ea729366a4286f0df7ccff4ade94b39022b71c11f51543e20470976b8daffd02127dd1edf66897dea5b60cd0710dc11ae6169945ef49d7d089655ea66cf8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za200638.exe
Filesize
1.2MB

MD5
3db479c71b15c521d6ef7184150ac607

SHA1
e8bc060b7332b4678b6af81a8f18e947e14e688c

SHA256
bcf9d52ea84d7b8beab6d7cc97e98c48a7e074f4a0c9390c762f5ea1872c8fb7

SHA512
736ea729366a4286f0df7ccff4ade94b39022b71c11f51543e20470976b8daffd02127dd1edf66897dea5b60cd0710dc11ae6169945ef49d7d089655ea66cf8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za566314.exe
Filesize
738KB

MD5
62ea98bd2bf76f275fcc29f5a6b73221

SHA1
a1a377747a262eea207251587403b66e75edf116

SHA256
180c89324f4a619663d4d248a412be6e55f7f6f7ce5deac35e1e6a32f8631cf3

SHA512
dd957960e9b379ba32b677a8c27470e53e458b509219cde68a47b50b2d3032a58bf829a902944f6f7bf002a66536344d874c48d4dddeb0ad6e01bb0a80e4bc75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za566314.exe
Filesize
738KB

MD5
62ea98bd2bf76f275fcc29f5a6b73221

SHA1
a1a377747a262eea207251587403b66e75edf116

SHA256
180c89324f4a619663d4d248a412be6e55f7f6f7ce5deac35e1e6a32f8631cf3

SHA512
dd957960e9b379ba32b677a8c27470e53e458b509219cde68a47b50b2d3032a58bf829a902944f6f7bf002a66536344d874c48d4dddeb0ad6e01bb0a80e4bc75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za553044.exe
Filesize
555KB

MD5
8753aa8ba847c87851e13e4561f79dc3

SHA1
87b9909f8b802640239ede588019b95e70742aec

SHA256
365b5bada01928029e2261b9d4a8bb121cd6c6ab6726fa1ac7ab318aaf43c844

SHA512
517145dfe5d5b6068f09a4d064797755fcb5c7f8597f334bb2791bdf561fb69d2241e0641d7f4cd65fa80c0c3ff2b87a82dfc3ed6d4cfa79313a6a5ac08fa7b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za553044.exe
Filesize
555KB

MD5
8753aa8ba847c87851e13e4561f79dc3

SHA1
87b9909f8b802640239ede588019b95e70742aec

SHA256
365b5bada01928029e2261b9d4a8bb121cd6c6ab6726fa1ac7ab318aaf43c844

SHA512
517145dfe5d5b6068f09a4d064797755fcb5c7f8597f334bb2791bdf561fb69d2241e0641d7f4cd65fa80c0c3ff2b87a82dfc3ed6d4cfa79313a6a5ac08fa7b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\90815824.exe
Filesize
303KB

MD5
d5a3150e7865b1c6d445d42fd1340051

SHA1
564450d62a6140b0e0b3ce1dac50a583c8eae0e4

SHA256
dd50c608e1ea2b6e0138551f8cf664e1ebeebd045e8f161bbfe35e07f5804121

SHA512
b0c1e2f39fc02f77149edb33fb249c8c86250eacea5696cb8b7f1eb29822a47412e09511bf3c77a119c0e27893299041da0dd033343d99f9d55add3b2552fd3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\90815824.exe
Filesize
303KB

MD5
d5a3150e7865b1c6d445d42fd1340051

SHA1
564450d62a6140b0e0b3ce1dac50a583c8eae0e4

SHA256
dd50c608e1ea2b6e0138551f8cf664e1ebeebd045e8f161bbfe35e07f5804121

SHA512
b0c1e2f39fc02f77149edb33fb249c8c86250eacea5696cb8b7f1eb29822a47412e09511bf3c77a119c0e27893299041da0dd033343d99f9d55add3b2552fd3b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\za200638.exe
Filesize
1.2MB

MD5
3db479c71b15c521d6ef7184150ac607

SHA1
e8bc060b7332b4678b6af81a8f18e947e14e688c

SHA256
bcf9d52ea84d7b8beab6d7cc97e98c48a7e074f4a0c9390c762f5ea1872c8fb7

SHA512
736ea729366a4286f0df7ccff4ade94b39022b71c11f51543e20470976b8daffd02127dd1edf66897dea5b60cd0710dc11ae6169945ef49d7d089655ea66cf8a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\za200638.exe
Filesize
1.2MB

MD5
3db479c71b15c521d6ef7184150ac607

SHA1
e8bc060b7332b4678b6af81a8f18e947e14e688c

SHA256
bcf9d52ea84d7b8beab6d7cc97e98c48a7e074f4a0c9390c762f5ea1872c8fb7

SHA512
736ea729366a4286f0df7ccff4ade94b39022b71c11f51543e20470976b8daffd02127dd1edf66897dea5b60cd0710dc11ae6169945ef49d7d089655ea66cf8a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\za566314.exe
Filesize
738KB

MD5
62ea98bd2bf76f275fcc29f5a6b73221

SHA1
a1a377747a262eea207251587403b66e75edf116

SHA256
180c89324f4a619663d4d248a412be6e55f7f6f7ce5deac35e1e6a32f8631cf3

SHA512
dd957960e9b379ba32b677a8c27470e53e458b509219cde68a47b50b2d3032a58bf829a902944f6f7bf002a66536344d874c48d4dddeb0ad6e01bb0a80e4bc75

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\za566314.exe
Filesize
738KB

MD5
62ea98bd2bf76f275fcc29f5a6b73221

SHA1
a1a377747a262eea207251587403b66e75edf116

SHA256
180c89324f4a619663d4d248a412be6e55f7f6f7ce5deac35e1e6a32f8631cf3

SHA512
dd957960e9b379ba32b677a8c27470e53e458b509219cde68a47b50b2d3032a58bf829a902944f6f7bf002a66536344d874c48d4dddeb0ad6e01bb0a80e4bc75

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\za553044.exe
Filesize
555KB

MD5
8753aa8ba847c87851e13e4561f79dc3

SHA1
87b9909f8b802640239ede588019b95e70742aec

SHA256
365b5bada01928029e2261b9d4a8bb121cd6c6ab6726fa1ac7ab318aaf43c844

SHA512
517145dfe5d5b6068f09a4d064797755fcb5c7f8597f334bb2791bdf561fb69d2241e0641d7f4cd65fa80c0c3ff2b87a82dfc3ed6d4cfa79313a6a5ac08fa7b1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\za553044.exe
Filesize
555KB

MD5
8753aa8ba847c87851e13e4561f79dc3

SHA1
87b9909f8b802640239ede588019b95e70742aec

SHA256
365b5bada01928029e2261b9d4a8bb121cd6c6ab6726fa1ac7ab318aaf43c844

SHA512
517145dfe5d5b6068f09a4d064797755fcb5c7f8597f334bb2791bdf561fb69d2241e0641d7f4cd65fa80c0c3ff2b87a82dfc3ed6d4cfa79313a6a5ac08fa7b1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\90815824.exe
Filesize
303KB

MD5
d5a3150e7865b1c6d445d42fd1340051

SHA1
564450d62a6140b0e0b3ce1dac50a583c8eae0e4

SHA256
dd50c608e1ea2b6e0138551f8cf664e1ebeebd045e8f161bbfe35e07f5804121

SHA512
b0c1e2f39fc02f77149edb33fb249c8c86250eacea5696cb8b7f1eb29822a47412e09511bf3c77a119c0e27893299041da0dd033343d99f9d55add3b2552fd3b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\90815824.exe
Filesize
303KB

MD5
d5a3150e7865b1c6d445d42fd1340051

SHA1
564450d62a6140b0e0b3ce1dac50a583c8eae0e4

SHA256
dd50c608e1ea2b6e0138551f8cf664e1ebeebd045e8f161bbfe35e07f5804121

SHA512
b0c1e2f39fc02f77149edb33fb249c8c86250eacea5696cb8b7f1eb29822a47412e09511bf3c77a119c0e27893299041da0dd033343d99f9d55add3b2552fd3b

Download Submit
memory/528-147-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-123-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-109-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-129-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-127-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-139-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-141-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-137-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-135-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-143-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-133-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-145-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-94-0x00000000047B0000-0x0000000004808000-memory.dmp

Filesize
352KB

Download
memory/528-155-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-159-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-157-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-153-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-151-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-149-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-131-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-125-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-95-0x0000000004810000-0x0000000004866000-memory.dmp

Filesize
344KB

Download
memory/528-121-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-119-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-205-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download
memory/528-206-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download
memory/528-204-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download
memory/528-117-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-115-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-113-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-111-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-107-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-105-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-103-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-101-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-99-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-97-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-96-0x0000000004810000-0x0000000004861000-memory.dmp

Filesize
324KB

Download
memory/528-207-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download
memory/528-208-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download
memory/528-209-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads