a03960de823f225a14927a313fb7902a31c0008893443a425e0645165e61971b

Analysis

max time kernel
356s
max time network
404s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a03960de823f225a14927a313fb7902a31c0008893443a425e0645165e61971b.exe
Size

1.5MB
MD5

a3ab02b71a057b337d2355f2068d4e75
SHA1

35f16132d53471d600de5f0891f5542cef3c206d
SHA256

a03960de823f225a14927a313fb7902a31c0008893443a425e0645165e61971b
SHA512

1200be077c314b9749e1995c6b09d444f4fdd42c612c9a3d070f73d7c245d80cff407623a3c604ccb6a7c485effd073d9e80ab11c6517b8207aa3d361a8e413b
SSDEEP

24576:fySraxRllOnYdp0+fgPQlgDWMLZE1GInGEoPbZRHxaFs4xqE/JbncRandWd:qS+x/iYG3L2RnGE2FRRaQYYwY

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
4416	i11694761.exe
4640	i97064354.exe
4080	i82387297.exe
4024	i29675667.exe
4700	a49276426.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i97064354.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i29675667.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i11694761.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i11694761.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i97064354.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	i82387297.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i82387297.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	i29675667.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a03960de823f225a14927a313fb7902a31c0008893443a425e0645165e61971b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a03960de823f225a14927a313fb7902a31c0008893443a425e0645165e61971b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4700	a49276426.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 4416	3012	a03960de823f225a14927a313fb7902a31c0008893443a425e0645165e61971b.exe	84
PID 3012 wrote to memory of 4416	3012	a03960de823f225a14927a313fb7902a31c0008893443a425e0645165e61971b.exe	84
PID 3012 wrote to memory of 4416	3012	a03960de823f225a14927a313fb7902a31c0008893443a425e0645165e61971b.exe	84
PID 4416 wrote to memory of 4640	4416	i11694761.exe	85
PID 4416 wrote to memory of 4640	4416	i11694761.exe	85
PID 4416 wrote to memory of 4640	4416	i11694761.exe	85
PID 4640 wrote to memory of 4080	4640	i97064354.exe	86
PID 4640 wrote to memory of 4080	4640	i97064354.exe	86
PID 4640 wrote to memory of 4080	4640	i97064354.exe	86
PID 4080 wrote to memory of 4024	4080	i82387297.exe	87
PID 4080 wrote to memory of 4024	4080	i82387297.exe	87
PID 4080 wrote to memory of 4024	4080	i82387297.exe	87
PID 4024 wrote to memory of 4700	4024	i29675667.exe	88
PID 4024 wrote to memory of 4700	4024	i29675667.exe	88
PID 4024 wrote to memory of 4700	4024	i29675667.exe	88

C:\Users\Admin\AppData\Local\Temp\a03960de823f225a14927a313fb7902a31c0008893443a425e0645165e61971b.exe
"C:\Users\Admin\AppData\Local\Temp\a03960de823f225a14927a313fb7902a31c0008893443a425e0645165e61971b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i11694761.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i11694761.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i97064354.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i97064354.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4640
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i82387297.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i82387297.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4080
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i29675667.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i29675667.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4024
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a49276426.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a49276426.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i11694761.exe

Filesize
1.3MB

MD5
847f0c192efd801dcd0e7562ec5c472d

SHA1
acd2fb03f3237ad49903e746a0f8c85f3645e230

SHA256
b58e2929a63eec0dd48388b67b3c2b2cc6870b82372b25b2055c4b2a995d73f8

SHA512
958e0a12402d9d2d5830bd1dff1e4b495b92136bac004e51af834a5d2ece029b4aea446f64a3e9032e05161bda8de174ce4e6bb5bcc4f63551a8d33ead6dec00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i11694761.exe

Filesize
1.3MB

MD5
847f0c192efd801dcd0e7562ec5c472d

SHA1
acd2fb03f3237ad49903e746a0f8c85f3645e230

SHA256
b58e2929a63eec0dd48388b67b3c2b2cc6870b82372b25b2055c4b2a995d73f8

SHA512
958e0a12402d9d2d5830bd1dff1e4b495b92136bac004e51af834a5d2ece029b4aea446f64a3e9032e05161bda8de174ce4e6bb5bcc4f63551a8d33ead6dec00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i97064354.exe

Filesize
1.1MB

MD5
5a11de31528bc201d2f0837ee572ebf3

SHA1
baba9d4cfe7553ba5351c2115fb3fe3135d4ba70

SHA256
261a6159e52512e3f57942cc5d11da83acbfffdcdabdb4ca79b1424dffb4a97d

SHA512
f81e32423f2747604d60e1e265c2bdeb20fc36146b3f70f46b52387661318106f4e4fc43b2e0486c5ae48441013efd9b3a96992e108a4e6538b307cdac131842

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i97064354.exe

Filesize
1.1MB

MD5
5a11de31528bc201d2f0837ee572ebf3

SHA1
baba9d4cfe7553ba5351c2115fb3fe3135d4ba70

SHA256
261a6159e52512e3f57942cc5d11da83acbfffdcdabdb4ca79b1424dffb4a97d

SHA512
f81e32423f2747604d60e1e265c2bdeb20fc36146b3f70f46b52387661318106f4e4fc43b2e0486c5ae48441013efd9b3a96992e108a4e6538b307cdac131842

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i82387297.exe

Filesize
644KB

MD5
fb65faca1be65bf729f6bc077015d152

SHA1
cc59d20921a03d588f35b14561439155df81bbb5

SHA256
7d06f96bd17c8dace0f1f0d4bbd651c8e53a1ef2952cc5eb7d16a57308c1e006

SHA512
e56bb1d890bf7e79396da43f4b5ce459f183f2973bd0da47b7ccc3638de88beacde24c73ad419877dc2eaa0dbbfc7cbf4425e92e0bba7cf3dfb6831086ff3b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i82387297.exe

Filesize
644KB

MD5
fb65faca1be65bf729f6bc077015d152

SHA1
cc59d20921a03d588f35b14561439155df81bbb5

SHA256
7d06f96bd17c8dace0f1f0d4bbd651c8e53a1ef2952cc5eb7d16a57308c1e006

SHA512
e56bb1d890bf7e79396da43f4b5ce459f183f2973bd0da47b7ccc3638de88beacde24c73ad419877dc2eaa0dbbfc7cbf4425e92e0bba7cf3dfb6831086ff3b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i29675667.exe

Filesize
386KB

MD5
13a7adae1755815dad0af55bfec2636e

SHA1
88d0823fe0b6e78eb0163d63f40c500188584ee9

SHA256
5f0d7735bb9f22b0948c2a294b0b681c02857819a43fb616eda5a681713de6c3

SHA512
b584f60e94fdcf97e16ba0f6c5e8a6c590fed51f016501293d4034643c529cc7c0f4e977fa79977c34145b8e5dd416df113579d6f0cba0f897ace6ebc8e97366

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i29675667.exe

Filesize
386KB

MD5
13a7adae1755815dad0af55bfec2636e

SHA1
88d0823fe0b6e78eb0163d63f40c500188584ee9

SHA256
5f0d7735bb9f22b0948c2a294b0b681c02857819a43fb616eda5a681713de6c3

SHA512
b584f60e94fdcf97e16ba0f6c5e8a6c590fed51f016501293d4034643c529cc7c0f4e977fa79977c34145b8e5dd416df113579d6f0cba0f897ace6ebc8e97366

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a49276426.exe

Filesize
294KB

MD5
0fdacc7299b5f8428e5581fe7eac1491

SHA1
f3ffa8aaf9ebdd7bb251159c525579b3ab2d4acf

SHA256
9ff21931826eef7a9a37006be02203baa57ed5200f2ba5f2ce85d209254eb797

SHA512
0dfde6683764ff53284b721c034d00c8020c87576c262e4de97a336db3554413a53f3886a57600926faa482304d88d1d087ea17f25b19b8b8188c3c31b0dd342

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a49276426.exe

Filesize
294KB

MD5
0fdacc7299b5f8428e5581fe7eac1491

SHA1
f3ffa8aaf9ebdd7bb251159c525579b3ab2d4acf

SHA256
9ff21931826eef7a9a37006be02203baa57ed5200f2ba5f2ce85d209254eb797

SHA512
0dfde6683764ff53284b721c034d00c8020c87576c262e4de97a336db3554413a53f3886a57600926faa482304d88d1d087ea17f25b19b8b8188c3c31b0dd342

Download Submit
memory/4700-180-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4700-189-0x0000000002170000-0x0000000002182000-memory.dmp

Filesize
72KB

Download
memory/4700-169-0x0000000000400000-0x00000000006CA000-memory.dmp

Filesize
2.8MB

Download
memory/4700-173-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4700-178-0x0000000004F10000-0x00000000054B4000-memory.dmp

Filesize
5.6MB

Download
memory/4700-179-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4700-171-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4700-182-0x0000000002170000-0x0000000002182000-memory.dmp

Filesize
72KB

Download
memory/4700-183-0x0000000002170000-0x0000000002182000-memory.dmp

Filesize
72KB

Download
memory/4700-185-0x0000000002170000-0x0000000002182000-memory.dmp

Filesize
72KB

Download
memory/4700-187-0x0000000002170000-0x0000000002182000-memory.dmp

Filesize
72KB

Download
memory/4700-170-0x00000000006D0000-0x00000000006FD000-memory.dmp

Filesize
180KB

Download
memory/4700-191-0x0000000002170000-0x0000000002182000-memory.dmp

Filesize
72KB

Download
memory/4700-193-0x0000000002170000-0x0000000002182000-memory.dmp

Filesize
72KB

Download
memory/4700-195-0x0000000002170000-0x0000000002182000-memory.dmp

Filesize
72KB

Download
memory/4700-197-0x0000000002170000-0x0000000002182000-memory.dmp

Filesize
72KB

Download
memory/4700-199-0x0000000002170000-0x0000000002182000-memory.dmp

Filesize
72KB

Download
memory/4700-201-0x0000000002170000-0x0000000002182000-memory.dmp

Filesize
72KB

Download
memory/4700-203-0x0000000002170000-0x0000000002182000-memory.dmp

Filesize
72KB

Download
memory/4700-205-0x0000000002170000-0x0000000002182000-memory.dmp

Filesize
72KB

Download
memory/4700-207-0x0000000002170000-0x0000000002182000-memory.dmp

Filesize
72KB

Download
memory/4700-209-0x0000000002170000-0x0000000002182000-memory.dmp

Filesize
72KB

Download
memory/4700-210-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4700-211-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download