611fbff22d746714143bdeca43c81f80d6844becf519d64d3f44367e87f06866

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

611fbff22d746714143bdeca43c81f80d6844becf519d64d3f44367e87f06866.exe
Size

1.1MB
MD5

9a0c78cb71747aa0155b30767ff37465
SHA1

5685b9dd948650c1cd253fa842e6e0a9ce7f3533
SHA256

611fbff22d746714143bdeca43c81f80d6844becf519d64d3f44367e87f06866
SHA512

cb55a83c2bdf8fac8b3d60b0a79c0fec546dc18c6d250815fd7ba7ab4491f8c1a5fcc2f0e10d2c6d8b656b578acd897cc39c8573da153a81204a432200097415
SSDEEP

24576:LyKXFcNN5zX51+NuqK7scVAk1kpCk4CD5hAKRoMPxq:+KXEzJOFK7sI96pT4CYKRL

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1336	y4684184.exe
1628	y0640126.exe
968	k9838543.exe

Loads dropped DLL 6 IoCs

pid	Process
1344	611fbff22d746714143bdeca43c81f80d6844becf519d64d3f44367e87f06866.exe
1336	y4684184.exe
1336	y4684184.exe
1628	y0640126.exe
1628	y0640126.exe
968	k9838543.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y4684184.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y0640126.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y0640126.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	611fbff22d746714143bdeca43c81f80d6844becf519d64d3f44367e87f06866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	611fbff22d746714143bdeca43c81f80d6844becf519d64d3f44367e87f06866.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y4684184.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 1336	1344	611fbff22d746714143bdeca43c81f80d6844becf519d64d3f44367e87f06866.exe	28
PID 1344 wrote to memory of 1336	1344	611fbff22d746714143bdeca43c81f80d6844becf519d64d3f44367e87f06866.exe	28
PID 1344 wrote to memory of 1336	1344	611fbff22d746714143bdeca43c81f80d6844becf519d64d3f44367e87f06866.exe	28
PID 1344 wrote to memory of 1336	1344	611fbff22d746714143bdeca43c81f80d6844becf519d64d3f44367e87f06866.exe	28
PID 1344 wrote to memory of 1336	1344	611fbff22d746714143bdeca43c81f80d6844becf519d64d3f44367e87f06866.exe	28
PID 1344 wrote to memory of 1336	1344	611fbff22d746714143bdeca43c81f80d6844becf519d64d3f44367e87f06866.exe	28
PID 1344 wrote to memory of 1336	1344	611fbff22d746714143bdeca43c81f80d6844becf519d64d3f44367e87f06866.exe	28
PID 1336 wrote to memory of 1628	1336	y4684184.exe	29
PID 1336 wrote to memory of 1628	1336	y4684184.exe	29
PID 1336 wrote to memory of 1628	1336	y4684184.exe	29
PID 1336 wrote to memory of 1628	1336	y4684184.exe	29
PID 1336 wrote to memory of 1628	1336	y4684184.exe	29
PID 1336 wrote to memory of 1628	1336	y4684184.exe	29
PID 1336 wrote to memory of 1628	1336	y4684184.exe	29
PID 1628 wrote to memory of 968	1628	y0640126.exe	30
PID 1628 wrote to memory of 968	1628	y0640126.exe	30
PID 1628 wrote to memory of 968	1628	y0640126.exe	30
PID 1628 wrote to memory of 968	1628	y0640126.exe	30
PID 1628 wrote to memory of 968	1628	y0640126.exe	30
PID 1628 wrote to memory of 968	1628	y0640126.exe	30
PID 1628 wrote to memory of 968	1628	y0640126.exe	30

C:\Users\Admin\AppData\Local\Temp\611fbff22d746714143bdeca43c81f80d6844becf519d64d3f44367e87f06866.exe
"C:\Users\Admin\AppData\Local\Temp\611fbff22d746714143bdeca43c81f80d6844becf519d64d3f44367e87f06866.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4684184.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4684184.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0640126.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0640126.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9838543.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9838543.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4684184.exe

Filesize
604KB

MD5
ff8bb0afdf01492316a782ffe6b4085c

SHA1
ba3874db249172998c3d2eefb39ce390f1bbacda

SHA256
4d840b9b264f3056b261b29ab58f33baf4b3b96ceefaa873c2fc4bfa6e8ba0e2

SHA512
49eab156737b95bc78335cd04c0238ad8667aa47cfc82ef86e4dcf09f3cb207a5b3d1bb07ee0efce8e4ca8489f1f0a26da9842806055682cf49d6f79f172cdf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4684184.exe

Filesize
604KB

MD5
ff8bb0afdf01492316a782ffe6b4085c

SHA1
ba3874db249172998c3d2eefb39ce390f1bbacda

SHA256
4d840b9b264f3056b261b29ab58f33baf4b3b96ceefaa873c2fc4bfa6e8ba0e2

SHA512
49eab156737b95bc78335cd04c0238ad8667aa47cfc82ef86e4dcf09f3cb207a5b3d1bb07ee0efce8e4ca8489f1f0a26da9842806055682cf49d6f79f172cdf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0640126.exe

Filesize
399KB

MD5
ee391acb5080f011ac10ccbb517f24bd

SHA1
a111d52ee0da23883641d7f015dfa883e8cb6e08

SHA256
70403f141a1c55189e90b2231b67aac6fcd0144db8e56a054af9e4047bc5d92d

SHA512
cc47d2b3d1de2e0c047f9ea1e58dffffc67b41b00773bfa1c44bcd7aba25ec12b8feee4f400fa9714633e4c646b78182be57ca924865eca826f6a23092e58bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0640126.exe

Filesize
399KB

MD5
ee391acb5080f011ac10ccbb517f24bd

SHA1
a111d52ee0da23883641d7f015dfa883e8cb6e08

SHA256
70403f141a1c55189e90b2231b67aac6fcd0144db8e56a054af9e4047bc5d92d

SHA512
cc47d2b3d1de2e0c047f9ea1e58dffffc67b41b00773bfa1c44bcd7aba25ec12b8feee4f400fa9714633e4c646b78182be57ca924865eca826f6a23092e58bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9838543.exe

Filesize
136KB

MD5
2c7c844f271cac8a1f427a54c4d6d889

SHA1
7b1e816a5dd37076e3acd8049103fed3b9bca718

SHA256
a61c78e2f4784c941c84e860f31a23f467008096a402b0de012937ad5d61a586

SHA512
47179a766e59d53ec68f7f4a570bbe5237ab186f07c3a887d016367b19347fe7e5c0c118c3636f06c563a9f969b051edbaaa8793515da38d19661c874f375891

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9838543.exe

Filesize
136KB

MD5
2c7c844f271cac8a1f427a54c4d6d889

SHA1
7b1e816a5dd37076e3acd8049103fed3b9bca718

SHA256
a61c78e2f4784c941c84e860f31a23f467008096a402b0de012937ad5d61a586

SHA512
47179a766e59d53ec68f7f4a570bbe5237ab186f07c3a887d016367b19347fe7e5c0c118c3636f06c563a9f969b051edbaaa8793515da38d19661c874f375891

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4684184.exe

Filesize
604KB

MD5
ff8bb0afdf01492316a782ffe6b4085c

SHA1
ba3874db249172998c3d2eefb39ce390f1bbacda

SHA256
4d840b9b264f3056b261b29ab58f33baf4b3b96ceefaa873c2fc4bfa6e8ba0e2

SHA512
49eab156737b95bc78335cd04c0238ad8667aa47cfc82ef86e4dcf09f3cb207a5b3d1bb07ee0efce8e4ca8489f1f0a26da9842806055682cf49d6f79f172cdf0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4684184.exe

Filesize
604KB

MD5
ff8bb0afdf01492316a782ffe6b4085c

SHA1
ba3874db249172998c3d2eefb39ce390f1bbacda

SHA256
4d840b9b264f3056b261b29ab58f33baf4b3b96ceefaa873c2fc4bfa6e8ba0e2

SHA512
49eab156737b95bc78335cd04c0238ad8667aa47cfc82ef86e4dcf09f3cb207a5b3d1bb07ee0efce8e4ca8489f1f0a26da9842806055682cf49d6f79f172cdf0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0640126.exe

Filesize
399KB

MD5
ee391acb5080f011ac10ccbb517f24bd

SHA1
a111d52ee0da23883641d7f015dfa883e8cb6e08

SHA256
70403f141a1c55189e90b2231b67aac6fcd0144db8e56a054af9e4047bc5d92d

SHA512
cc47d2b3d1de2e0c047f9ea1e58dffffc67b41b00773bfa1c44bcd7aba25ec12b8feee4f400fa9714633e4c646b78182be57ca924865eca826f6a23092e58bfe

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0640126.exe

Filesize
399KB

MD5
ee391acb5080f011ac10ccbb517f24bd

SHA1
a111d52ee0da23883641d7f015dfa883e8cb6e08

SHA256
70403f141a1c55189e90b2231b67aac6fcd0144db8e56a054af9e4047bc5d92d

SHA512
cc47d2b3d1de2e0c047f9ea1e58dffffc67b41b00773bfa1c44bcd7aba25ec12b8feee4f400fa9714633e4c646b78182be57ca924865eca826f6a23092e58bfe

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9838543.exe

Filesize
136KB

MD5
2c7c844f271cac8a1f427a54c4d6d889

SHA1
7b1e816a5dd37076e3acd8049103fed3b9bca718

SHA256
a61c78e2f4784c941c84e860f31a23f467008096a402b0de012937ad5d61a586

SHA512
47179a766e59d53ec68f7f4a570bbe5237ab186f07c3a887d016367b19347fe7e5c0c118c3636f06c563a9f969b051edbaaa8793515da38d19661c874f375891

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k9838543.exe

Filesize
136KB

MD5
2c7c844f271cac8a1f427a54c4d6d889

SHA1
7b1e816a5dd37076e3acd8049103fed3b9bca718

SHA256
a61c78e2f4784c941c84e860f31a23f467008096a402b0de012937ad5d61a586

SHA512
47179a766e59d53ec68f7f4a570bbe5237ab186f07c3a887d016367b19347fe7e5c0c118c3636f06c563a9f969b051edbaaa8793515da38d19661c874f375891

Download Submit
memory/968-84-0x0000000000FC0000-0x0000000000FE8000-memory.dmp

Filesize
160KB

Download
memory/968-85-0x0000000000460000-0x00000000004A0000-memory.dmp

Filesize
256KB

Download
memory/968-86-0x0000000000460000-0x00000000004A0000-memory.dmp

Filesize
256KB

Download