b830b381d22b93411dd3c53ffa12dc1243207100abcf802b7258610c8156c074

Analysis

max time kernel
229s
max time network
308s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b830b381d22b93411dd3c53ffa12dc1243207100abcf802b7258610c8156c074.exe
Size

913KB
MD5

86e0fb117a961899da25cc5cbc88cdc2
SHA1

05f5b3cd44a736bc3e4942567d7bb890a8290261
SHA256

b830b381d22b93411dd3c53ffa12dc1243207100abcf802b7258610c8156c074
SHA512

5e5bc9e9e73cdb3062a39ea5396e9674ed2aa516143eddb7a872e9e3a33899fa9a33d6c8f50a6871da924ac87ffad5a480a42fef2c1abfaa5704b3b115d17e4e
SSDEEP

24576:Cy0qjc7UAZ0ZWetCnlTOQ2dJ1OGpQMpebNskg:p05UU0Zbt4laQ+J1Tte

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2628	st457823.exe
4676	63758606.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b830b381d22b93411dd3c53ffa12dc1243207100abcf802b7258610c8156c074.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b830b381d22b93411dd3c53ffa12dc1243207100abcf802b7258610c8156c074.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	st457823.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st457823.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4676	63758606.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3300 wrote to memory of 2628	3300	b830b381d22b93411dd3c53ffa12dc1243207100abcf802b7258610c8156c074.exe	80
PID 3300 wrote to memory of 2628	3300	b830b381d22b93411dd3c53ffa12dc1243207100abcf802b7258610c8156c074.exe	80
PID 3300 wrote to memory of 2628	3300	b830b381d22b93411dd3c53ffa12dc1243207100abcf802b7258610c8156c074.exe	80
PID 2628 wrote to memory of 4676	2628	st457823.exe	81
PID 2628 wrote to memory of 4676	2628	st457823.exe	81
PID 2628 wrote to memory of 4676	2628	st457823.exe	81

C:\Users\Admin\AppData\Local\Temp\b830b381d22b93411dd3c53ffa12dc1243207100abcf802b7258610c8156c074.exe
"C:\Users\Admin\AppData\Local\Temp\b830b381d22b93411dd3c53ffa12dc1243207100abcf802b7258610c8156c074.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st457823.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st457823.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\63758606.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\63758606.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st457823.exe

Filesize
759KB

MD5
5a7194152aa0f8c1d432b7cec4a56f96

SHA1
2927c006a47f9a016f2ccd79898cebb822beb0a6

SHA256
6ac86183cc79a5171246fd979ec00736dbf020e80a8c532e154abb08f50b797a

SHA512
d88e2442b29fc83337b1bc94244dfe5d18eba2ca8700e96621da4d66e68947a1d8f2487f9d0b3c053ef1444affca5fdb14e814c1f026b456f4272f4d169dbc94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st457823.exe

Filesize
759KB

MD5
5a7194152aa0f8c1d432b7cec4a56f96

SHA1
2927c006a47f9a016f2ccd79898cebb822beb0a6

SHA256
6ac86183cc79a5171246fd979ec00736dbf020e80a8c532e154abb08f50b797a

SHA512
d88e2442b29fc83337b1bc94244dfe5d18eba2ca8700e96621da4d66e68947a1d8f2487f9d0b3c053ef1444affca5fdb14e814c1f026b456f4272f4d169dbc94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\63758606.exe

Filesize
300KB

MD5
c145750c108f1c6e3fd39178c6bcb800

SHA1
dd729806c28492c16d67941ddd36c0051ed296ce

SHA256
073ed2ce46097218fe1dad15b7735c4df00ce62ed38f940f0c778081b8709a86

SHA512
ed13cc8c815eb8764f7e00b90691ac8ff33facc9264ced10afff1853f072d1e07de2044d73a81c6b9fb60d566dbb9b210915d9486fa5db9332c16ef39bf77b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\63758606.exe

Filesize
300KB

MD5
c145750c108f1c6e3fd39178c6bcb800

SHA1
dd729806c28492c16d67941ddd36c0051ed296ce

SHA256
073ed2ce46097218fe1dad15b7735c4df00ce62ed38f940f0c778081b8709a86

SHA512
ed13cc8c815eb8764f7e00b90691ac8ff33facc9264ced10afff1853f072d1e07de2044d73a81c6b9fb60d566dbb9b210915d9486fa5db9332c16ef39bf77b86

Download Submit
memory/4676-148-0x0000000004AE0000-0x0000000005084000-memory.dmp

Filesize
5.6MB

Download
memory/4676-149-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/4676-147-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/4676-150-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/4676-151-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-152-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-154-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-156-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-158-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-160-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-162-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-164-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-166-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-168-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-170-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-172-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-174-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-176-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-178-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-180-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-182-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-184-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-186-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-188-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-190-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-192-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-194-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-196-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-198-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-200-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-202-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-204-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-206-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-208-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-210-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-212-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-214-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4676-2279-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/4676-2280-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/4676-2281-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/4676-2282-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download