c6a83ce6af2ff130ba0b5148140f316080cf8941f1d43c723c0b5d648fe6c49e

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-05-2023 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6a83ce6af2ff130ba0b5148140f316080cf8941f1d43c723c0b5d648fe6c49e.exe
Size

1.5MB
MD5

76a1b2259060767ed41e655aef259a83
SHA1

c8ce4b89b2f59a3399efcfc7adc370f3771c783f
SHA256

c6a83ce6af2ff130ba0b5148140f316080cf8941f1d43c723c0b5d648fe6c49e
SHA512

8deeb8e6fc40e21d427f8c1904cc02215a7ed95f44a7044ca254bcb38f91a074e5d126ec4e336605db5d9ea968e8da4b6be45eb70ed05759d13550b660d9804c
SSDEEP

24576:5yNnvMY+5/E6sKitsph/BTLlImA6BxIYDG2cNnCEixLS:sNvMY4Ej7teh/9Ll3A6MYDTShIL

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

za313332.exeza142417.exeza718522.exe96715066.exe

pid process

1820 za313332.exe
1116 za142417.exe
764 za718522.exe
2040 96715066.exe

pid	process
1820	za313332.exe
1116	za142417.exe
764	za718522.exe
2040	96715066.exe

Loads dropped DLL 8 IoCs

Processes:

c6a83ce6af2ff130ba0b5148140f316080cf8941f1d43c723c0b5d648fe6c49e.exeza313332.exeza142417.exeza718522.exe96715066.exe

pid	process
1356	c6a83ce6af2ff130ba0b5148140f316080cf8941f1d43c723c0b5d648fe6c49e.exe
1820	za313332.exe
1820	za313332.exe
1116	za142417.exe
1116	za142417.exe
764	za718522.exe
764	za718522.exe
2040	96715066.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c6a83ce6af2ff130ba0b5148140f316080cf8941f1d43c723c0b5d648fe6c49e.exeza313332.exeza142417.exeza718522.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c6a83ce6af2ff130ba0b5148140f316080cf8941f1d43c723c0b5d648fe6c49e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c6a83ce6af2ff130ba0b5148140f316080cf8941f1d43c723c0b5d648fe6c49e.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za313332.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za313332.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za142417.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za142417.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za718522.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	za718522.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

96715066.exe

description pid process

Token: SeDebugPrivilege 2040 96715066.exe

description	pid	process
Token: SeDebugPrivilege	2040	96715066.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

c6a83ce6af2ff130ba0b5148140f316080cf8941f1d43c723c0b5d648fe6c49e.exeza313332.exeza142417.exeza718522.exe

description	pid	process	target process
PID 1356 wrote to memory of 1820	1356	c6a83ce6af2ff130ba0b5148140f316080cf8941f1d43c723c0b5d648fe6c49e.exe	za313332.exe
PID 1356 wrote to memory of 1820	1356	c6a83ce6af2ff130ba0b5148140f316080cf8941f1d43c723c0b5d648fe6c49e.exe	za313332.exe
PID 1356 wrote to memory of 1820	1356	c6a83ce6af2ff130ba0b5148140f316080cf8941f1d43c723c0b5d648fe6c49e.exe	za313332.exe
PID 1356 wrote to memory of 1820	1356	c6a83ce6af2ff130ba0b5148140f316080cf8941f1d43c723c0b5d648fe6c49e.exe	za313332.exe
PID 1356 wrote to memory of 1820	1356	c6a83ce6af2ff130ba0b5148140f316080cf8941f1d43c723c0b5d648fe6c49e.exe	za313332.exe
PID 1356 wrote to memory of 1820	1356	c6a83ce6af2ff130ba0b5148140f316080cf8941f1d43c723c0b5d648fe6c49e.exe	za313332.exe
PID 1356 wrote to memory of 1820	1356	c6a83ce6af2ff130ba0b5148140f316080cf8941f1d43c723c0b5d648fe6c49e.exe	za313332.exe
PID 1820 wrote to memory of 1116	1820	za313332.exe	za142417.exe
PID 1820 wrote to memory of 1116	1820	za313332.exe	za142417.exe
PID 1820 wrote to memory of 1116	1820	za313332.exe	za142417.exe
PID 1820 wrote to memory of 1116	1820	za313332.exe	za142417.exe
PID 1820 wrote to memory of 1116	1820	za313332.exe	za142417.exe
PID 1820 wrote to memory of 1116	1820	za313332.exe	za142417.exe
PID 1820 wrote to memory of 1116	1820	za313332.exe	za142417.exe
PID 1116 wrote to memory of 764	1116	za142417.exe	za718522.exe
PID 1116 wrote to memory of 764	1116	za142417.exe	za718522.exe
PID 1116 wrote to memory of 764	1116	za142417.exe	za718522.exe
PID 1116 wrote to memory of 764	1116	za142417.exe	za718522.exe
PID 1116 wrote to memory of 764	1116	za142417.exe	za718522.exe
PID 1116 wrote to memory of 764	1116	za142417.exe	za718522.exe
PID 1116 wrote to memory of 764	1116	za142417.exe	za718522.exe
PID 764 wrote to memory of 2040	764	za718522.exe	96715066.exe
PID 764 wrote to memory of 2040	764	za718522.exe	96715066.exe
PID 764 wrote to memory of 2040	764	za718522.exe	96715066.exe
PID 764 wrote to memory of 2040	764	za718522.exe	96715066.exe
PID 764 wrote to memory of 2040	764	za718522.exe	96715066.exe
PID 764 wrote to memory of 2040	764	za718522.exe	96715066.exe
PID 764 wrote to memory of 2040	764	za718522.exe	96715066.exe

C:\Users\Admin\AppData\Local\Temp\c6a83ce6af2ff130ba0b5148140f316080cf8941f1d43c723c0b5d648fe6c49e.exe
"C:\Users\Admin\AppData\Local\Temp\c6a83ce6af2ff130ba0b5148140f316080cf8941f1d43c723c0b5d648fe6c49e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za313332.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za313332.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za142417.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za142417.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1116

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za718522.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za718522.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:764

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\96715066.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\96715066.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2040

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za313332.exe
Filesize
1.3MB

MD5
8b9dc0a028b79ecfd096ab0b2f07e0e4

SHA1
8ccbf0392a164b266562327af4e11cf74feb0bfe

SHA256
54710ba2f41c47eee1ae6a84ff7a21637a2b251b5f461c951fa1db838d500f38

SHA512
c5d85d96b8c1a1b6183322fd84567cab23b5eae29b7cfd896f4e294e178b6e63178e8636562ac7a1525c527790218c1a6a029dfdb779b5361b3226147d4db5ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za313332.exe
Filesize
1.3MB

MD5
8b9dc0a028b79ecfd096ab0b2f07e0e4

SHA1
8ccbf0392a164b266562327af4e11cf74feb0bfe

SHA256
54710ba2f41c47eee1ae6a84ff7a21637a2b251b5f461c951fa1db838d500f38

SHA512
c5d85d96b8c1a1b6183322fd84567cab23b5eae29b7cfd896f4e294e178b6e63178e8636562ac7a1525c527790218c1a6a029dfdb779b5361b3226147d4db5ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za142417.exe
Filesize
862KB

MD5
abd050d2ef4a86d0bf72289d06c04b35

SHA1
204c506725a23e65d259903683dfcde7b6f678bb

SHA256
7ae4c6aa84672e6a5ecbb5f449628adec6e379ac535ea1a6de6d2b1eb90b625d

SHA512
a1ca7d5dab6d00756b79784a506cc0c899f22475e87b849764ae3c7cf6f41f254fe9c82607e4485bb8799c7de50f1a1672077a97b032973c9c6c5c9a5a33cf4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za142417.exe
Filesize
862KB

MD5
abd050d2ef4a86d0bf72289d06c04b35

SHA1
204c506725a23e65d259903683dfcde7b6f678bb

SHA256
7ae4c6aa84672e6a5ecbb5f449628adec6e379ac535ea1a6de6d2b1eb90b625d

SHA512
a1ca7d5dab6d00756b79784a506cc0c899f22475e87b849764ae3c7cf6f41f254fe9c82607e4485bb8799c7de50f1a1672077a97b032973c9c6c5c9a5a33cf4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za718522.exe
Filesize
679KB

MD5
798cc7fd2ed93cdb43784b2ab97b338a

SHA1
461172926732df046049267b2bd492ccd302e4d4

SHA256
c8ee986bd72ffc3e0d14f1cb290ab95eebe24081f3e08aec895f261b9b0bb95a

SHA512
949c24eba7fdf5fc7e4dbdc286ae82245186c8b2dc3a6a5cff9bc322dcfdc6264527c99834519fc4e7f3d870f6e8e96feed900175d81dd6a184e8c2090f57401

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za718522.exe
Filesize
679KB

MD5
798cc7fd2ed93cdb43784b2ab97b338a

SHA1
461172926732df046049267b2bd492ccd302e4d4

SHA256
c8ee986bd72ffc3e0d14f1cb290ab95eebe24081f3e08aec895f261b9b0bb95a

SHA512
949c24eba7fdf5fc7e4dbdc286ae82245186c8b2dc3a6a5cff9bc322dcfdc6264527c99834519fc4e7f3d870f6e8e96feed900175d81dd6a184e8c2090f57401

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\96715066.exe
Filesize
302KB

MD5
2fc07c95cea26314a40d3ed33975339d

SHA1
bffce2cd917add7b62d9132418177ac178835ac4

SHA256
533a4b0d23616bf5422f55b109fe3ad5d831d50ceea90863fe6fa75a73c93ea2

SHA512
7a3c10ac3cb64bcbf8ea329150f7046208e815000e7a8b992efa7f8c5ef4553b1cb3217f30a1197921fbcdab9a5c47b07a6e8c637e7e3f7ec0143189b90a2040

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\96715066.exe
Filesize
302KB

MD5
2fc07c95cea26314a40d3ed33975339d

SHA1
bffce2cd917add7b62d9132418177ac178835ac4

SHA256
533a4b0d23616bf5422f55b109fe3ad5d831d50ceea90863fe6fa75a73c93ea2

SHA512
7a3c10ac3cb64bcbf8ea329150f7046208e815000e7a8b992efa7f8c5ef4553b1cb3217f30a1197921fbcdab9a5c47b07a6e8c637e7e3f7ec0143189b90a2040

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\za313332.exe
Filesize
1.3MB

MD5
8b9dc0a028b79ecfd096ab0b2f07e0e4

SHA1
8ccbf0392a164b266562327af4e11cf74feb0bfe

SHA256
54710ba2f41c47eee1ae6a84ff7a21637a2b251b5f461c951fa1db838d500f38

SHA512
c5d85d96b8c1a1b6183322fd84567cab23b5eae29b7cfd896f4e294e178b6e63178e8636562ac7a1525c527790218c1a6a029dfdb779b5361b3226147d4db5ac

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\za313332.exe
Filesize
1.3MB

MD5
8b9dc0a028b79ecfd096ab0b2f07e0e4

SHA1
8ccbf0392a164b266562327af4e11cf74feb0bfe

SHA256
54710ba2f41c47eee1ae6a84ff7a21637a2b251b5f461c951fa1db838d500f38

SHA512
c5d85d96b8c1a1b6183322fd84567cab23b5eae29b7cfd896f4e294e178b6e63178e8636562ac7a1525c527790218c1a6a029dfdb779b5361b3226147d4db5ac

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\za142417.exe
Filesize
862KB

MD5
abd050d2ef4a86d0bf72289d06c04b35

SHA1
204c506725a23e65d259903683dfcde7b6f678bb

SHA256
7ae4c6aa84672e6a5ecbb5f449628adec6e379ac535ea1a6de6d2b1eb90b625d

SHA512
a1ca7d5dab6d00756b79784a506cc0c899f22475e87b849764ae3c7cf6f41f254fe9c82607e4485bb8799c7de50f1a1672077a97b032973c9c6c5c9a5a33cf4f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\za142417.exe
Filesize
862KB

MD5
abd050d2ef4a86d0bf72289d06c04b35

SHA1
204c506725a23e65d259903683dfcde7b6f678bb

SHA256
7ae4c6aa84672e6a5ecbb5f449628adec6e379ac535ea1a6de6d2b1eb90b625d

SHA512
a1ca7d5dab6d00756b79784a506cc0c899f22475e87b849764ae3c7cf6f41f254fe9c82607e4485bb8799c7de50f1a1672077a97b032973c9c6c5c9a5a33cf4f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\za718522.exe
Filesize
679KB

MD5
798cc7fd2ed93cdb43784b2ab97b338a

SHA1
461172926732df046049267b2bd492ccd302e4d4

SHA256
c8ee986bd72ffc3e0d14f1cb290ab95eebe24081f3e08aec895f261b9b0bb95a

SHA512
949c24eba7fdf5fc7e4dbdc286ae82245186c8b2dc3a6a5cff9bc322dcfdc6264527c99834519fc4e7f3d870f6e8e96feed900175d81dd6a184e8c2090f57401

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\za718522.exe
Filesize
679KB

MD5
798cc7fd2ed93cdb43784b2ab97b338a

SHA1
461172926732df046049267b2bd492ccd302e4d4

SHA256
c8ee986bd72ffc3e0d14f1cb290ab95eebe24081f3e08aec895f261b9b0bb95a

SHA512
949c24eba7fdf5fc7e4dbdc286ae82245186c8b2dc3a6a5cff9bc322dcfdc6264527c99834519fc4e7f3d870f6e8e96feed900175d81dd6a184e8c2090f57401

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\96715066.exe
Filesize
302KB

MD5
2fc07c95cea26314a40d3ed33975339d

SHA1
bffce2cd917add7b62d9132418177ac178835ac4

SHA256
533a4b0d23616bf5422f55b109fe3ad5d831d50ceea90863fe6fa75a73c93ea2

SHA512
7a3c10ac3cb64bcbf8ea329150f7046208e815000e7a8b992efa7f8c5ef4553b1cb3217f30a1197921fbcdab9a5c47b07a6e8c637e7e3f7ec0143189b90a2040

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\96715066.exe
Filesize
302KB

MD5
2fc07c95cea26314a40d3ed33975339d

SHA1
bffce2cd917add7b62d9132418177ac178835ac4

SHA256
533a4b0d23616bf5422f55b109fe3ad5d831d50ceea90863fe6fa75a73c93ea2

SHA512
7a3c10ac3cb64bcbf8ea329150f7046208e815000e7a8b992efa7f8c5ef4553b1cb3217f30a1197921fbcdab9a5c47b07a6e8c637e7e3f7ec0143189b90a2040

Download Submit
memory/2040-99-0x0000000004940000-0x0000000004991000-memory.dmp

Filesize
324KB

Download
memory/2040-113-0x0000000004940000-0x0000000004991000-memory.dmp

Filesize
324KB

Download
memory/2040-96-0x0000000004940000-0x0000000004991000-memory.dmp

Filesize
324KB

Download
memory/2040-97-0x0000000004940000-0x0000000004991000-memory.dmp

Filesize
324KB

Download
memory/2040-94-0x00000000048E0000-0x0000000004938000-memory.dmp

Filesize
352KB

Download
memory/2040-103-0x0000000004940000-0x0000000004991000-memory.dmp

Filesize
324KB

Download
memory/2040-101-0x0000000004940000-0x0000000004991000-memory.dmp

Filesize
324KB

Download
memory/2040-105-0x0000000004940000-0x0000000004991000-memory.dmp

Filesize
324KB

Download
memory/2040-107-0x0000000004940000-0x0000000004991000-memory.dmp

Filesize
324KB

Download
memory/2040-109-0x0000000004940000-0x0000000004991000-memory.dmp

Filesize
324KB

Download
memory/2040-111-0x0000000004940000-0x0000000004991000-memory.dmp

Filesize
324KB

Download
memory/2040-117-0x0000000004940000-0x0000000004991000-memory.dmp

Filesize
324KB

Download
memory/2040-115-0x0000000004940000-0x0000000004991000-memory.dmp

Filesize
324KB

Download
memory/2040-95-0x0000000004940000-0x0000000004996000-memory.dmp

Filesize
344KB

Download
memory/2040-121-0x0000000004940000-0x0000000004991000-memory.dmp

Filesize
324KB

Download
memory/2040-119-0x0000000004940000-0x0000000004991000-memory.dmp

Filesize
324KB

Download
memory/2040-125-0x0000000004940000-0x0000000004991000-memory.dmp

Filesize
324KB

Download
memory/2040-123-0x0000000004940000-0x0000000004991000-memory.dmp

Filesize
324KB

Download
memory/2040-129-0x0000000004940000-0x0000000004991000-memory.dmp

Filesize
324KB

Download
memory/2040-127-0x0000000004940000-0x0000000004991000-memory.dmp

Filesize
324KB

Download
memory/2040-131-0x0000000002450000-0x0000000002490000-memory.dmp

Filesize
256KB

Download
memory/2040-132-0x0000000002450000-0x0000000002490000-memory.dmp

Filesize
256KB

Download
memory/2040-133-0x0000000002450000-0x0000000002490000-memory.dmp

Filesize
256KB

Download
memory/2040-134-0x0000000002450000-0x0000000002490000-memory.dmp

Filesize
256KB

Download
memory/2040-135-0x0000000002450000-0x0000000002490000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads