3c5534bae4956c48c8505a2a7f72c4874d73e15326870f0f86d889439b9f0a1c

Analysis

max time kernel
29s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-05-2023 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c5534bae4956c48c8505a2a7f72c4874d73e15326870f0f86d889439b9f0a1c.exe
Size

1.5MB
MD5

5cf80a422ac70d2ef31d8caaeacf1dbb
SHA1

d0a7e6472f109138ca1268a70c58e808081dbc9c
SHA256

3c5534bae4956c48c8505a2a7f72c4874d73e15326870f0f86d889439b9f0a1c
SHA512

796e5be71c9ec8dbaa9ce75d695e7a476ee64f7af3912f7ad446432927d56b1d33508880c0875c9d9c8265558bb090bc55c363a3818c497cfa174d5b1ed5708e
SSDEEP

24576:hyd5UW5CtANu9CNtu2V6jtEoJ31Vp3zfOjljihSFe91gp+xs3k5th6fCD:UbUzD9OtVV4tEoJ3LBYjihSFe91z63eI

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

za234591.exeza896020.exeza396102.exe34234057.exe

pid process

1752 za234591.exe
528 za896020.exe
464 za396102.exe
696 34234057.exe

pid	process
1752	za234591.exe
528	za896020.exe
464	za396102.exe
696	34234057.exe

Loads dropped DLL 8 IoCs

Processes:

3c5534bae4956c48c8505a2a7f72c4874d73e15326870f0f86d889439b9f0a1c.exeza234591.exeza896020.exeza396102.exe34234057.exe

pid	process
1128	3c5534bae4956c48c8505a2a7f72c4874d73e15326870f0f86d889439b9f0a1c.exe
1752	za234591.exe
1752	za234591.exe
528	za896020.exe
528	za896020.exe
464	za396102.exe
464	za396102.exe
696	34234057.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

za896020.exeza396102.exe3c5534bae4956c48c8505a2a7f72c4874d73e15326870f0f86d889439b9f0a1c.exeza234591.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za896020.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za396102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	za396102.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3c5534bae4956c48c8505a2a7f72c4874d73e15326870f0f86d889439b9f0a1c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3c5534bae4956c48c8505a2a7f72c4874d73e15326870f0f86d889439b9f0a1c.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za234591.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za234591.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za896020.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

34234057.exe

description pid process

Token: SeDebugPrivilege 696 34234057.exe

description	pid	process
Token: SeDebugPrivilege	696	34234057.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

3c5534bae4956c48c8505a2a7f72c4874d73e15326870f0f86d889439b9f0a1c.exeza234591.exeza896020.exeza396102.exe

description	pid	process	target process
PID 1128 wrote to memory of 1752	1128	3c5534bae4956c48c8505a2a7f72c4874d73e15326870f0f86d889439b9f0a1c.exe	za234591.exe
PID 1128 wrote to memory of 1752	1128	3c5534bae4956c48c8505a2a7f72c4874d73e15326870f0f86d889439b9f0a1c.exe	za234591.exe
PID 1128 wrote to memory of 1752	1128	3c5534bae4956c48c8505a2a7f72c4874d73e15326870f0f86d889439b9f0a1c.exe	za234591.exe
PID 1128 wrote to memory of 1752	1128	3c5534bae4956c48c8505a2a7f72c4874d73e15326870f0f86d889439b9f0a1c.exe	za234591.exe
PID 1128 wrote to memory of 1752	1128	3c5534bae4956c48c8505a2a7f72c4874d73e15326870f0f86d889439b9f0a1c.exe	za234591.exe
PID 1128 wrote to memory of 1752	1128	3c5534bae4956c48c8505a2a7f72c4874d73e15326870f0f86d889439b9f0a1c.exe	za234591.exe
PID 1128 wrote to memory of 1752	1128	3c5534bae4956c48c8505a2a7f72c4874d73e15326870f0f86d889439b9f0a1c.exe	za234591.exe
PID 1752 wrote to memory of 528	1752	za234591.exe	za896020.exe
PID 1752 wrote to memory of 528	1752	za234591.exe	za896020.exe
PID 1752 wrote to memory of 528	1752	za234591.exe	za896020.exe
PID 1752 wrote to memory of 528	1752	za234591.exe	za896020.exe
PID 1752 wrote to memory of 528	1752	za234591.exe	za896020.exe
PID 1752 wrote to memory of 528	1752	za234591.exe	za896020.exe
PID 1752 wrote to memory of 528	1752	za234591.exe	za896020.exe
PID 528 wrote to memory of 464	528	za896020.exe	za396102.exe
PID 528 wrote to memory of 464	528	za896020.exe	za396102.exe
PID 528 wrote to memory of 464	528	za896020.exe	za396102.exe
PID 528 wrote to memory of 464	528	za896020.exe	za396102.exe
PID 528 wrote to memory of 464	528	za896020.exe	za396102.exe
PID 528 wrote to memory of 464	528	za896020.exe	za396102.exe
PID 528 wrote to memory of 464	528	za896020.exe	za396102.exe
PID 464 wrote to memory of 696	464	za396102.exe	34234057.exe
PID 464 wrote to memory of 696	464	za396102.exe	34234057.exe
PID 464 wrote to memory of 696	464	za396102.exe	34234057.exe
PID 464 wrote to memory of 696	464	za396102.exe	34234057.exe
PID 464 wrote to memory of 696	464	za396102.exe	34234057.exe
PID 464 wrote to memory of 696	464	za396102.exe	34234057.exe
PID 464 wrote to memory of 696	464	za396102.exe	34234057.exe

C:\Users\Admin\AppData\Local\Temp\3c5534bae4956c48c8505a2a7f72c4874d73e15326870f0f86d889439b9f0a1c.exe
"C:\Users\Admin\AppData\Local\Temp\3c5534bae4956c48c8505a2a7f72c4874d73e15326870f0f86d889439b9f0a1c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za234591.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za234591.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za896020.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za896020.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:528
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za396102.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za396102.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:464
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\34234057.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\34234057.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za234591.exe

Filesize
1.3MB

MD5
34bf9627dfd09c71a8e680c26f17370a

SHA1
14de81d69264c8a35f80dcf637252bfe80f502e7

SHA256
415332b84b6e93b1079ab9b7cd922b08aa818a8382b47965c706a0918b3f7877

SHA512
644dd3482ce1551e48d8cda7d50510b80de834ca59a85ed6ae751f340375fe6e4338c8f698b87b5e7d0412062fc4b27d360c58cc27ccbb4cf1c1ef0bfd7d9f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za234591.exe

Filesize
1.3MB

MD5
34bf9627dfd09c71a8e680c26f17370a

SHA1
14de81d69264c8a35f80dcf637252bfe80f502e7

SHA256
415332b84b6e93b1079ab9b7cd922b08aa818a8382b47965c706a0918b3f7877

SHA512
644dd3482ce1551e48d8cda7d50510b80de834ca59a85ed6ae751f340375fe6e4338c8f698b87b5e7d0412062fc4b27d360c58cc27ccbb4cf1c1ef0bfd7d9f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za896020.exe

Filesize
882KB

MD5
2d6949c88a020335a4484f0e47dbcf20

SHA1
b271df6768617d87c94bdb23d2f17a8725d7f8dc

SHA256
b0e1e38c29c9f1b2f47ab0055f1754f17dc3146453b5e78c4c1dfbc6b3fbbea6

SHA512
aeed4a28b9be474f95d98428bb44a66cfe8dfbb593970fe460f52fefb23dae759b13974a98ba45e6048fcf4b91fc98408dac4f7dfe6cd468441475785a0d8ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za896020.exe

Filesize
882KB

MD5
2d6949c88a020335a4484f0e47dbcf20

SHA1
b271df6768617d87c94bdb23d2f17a8725d7f8dc

SHA256
b0e1e38c29c9f1b2f47ab0055f1754f17dc3146453b5e78c4c1dfbc6b3fbbea6

SHA512
aeed4a28b9be474f95d98428bb44a66cfe8dfbb593970fe460f52fefb23dae759b13974a98ba45e6048fcf4b91fc98408dac4f7dfe6cd468441475785a0d8ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za396102.exe

Filesize
699KB

MD5
3ae238bdd980168b468dfa79df8dffbc

SHA1
a46441997d70bb1a14dc3a4dfb17a86d9cf66aa9

SHA256
f1466129789485fa5bb0d307d22ba5f8fa8559c7e63e4b6713a1b0ef9a1a1201

SHA512
0b4a8a581fb60efbacec02ad1ccf05f00fc40af95cc3ae9fadd4558d21b789aedf83a4501789e2d326ffbe43133cec9ebc5bf9b2d0c4de96c34bccb81ca9dd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za396102.exe

Filesize
699KB

MD5
3ae238bdd980168b468dfa79df8dffbc

SHA1
a46441997d70bb1a14dc3a4dfb17a86d9cf66aa9

SHA256
f1466129789485fa5bb0d307d22ba5f8fa8559c7e63e4b6713a1b0ef9a1a1201

SHA512
0b4a8a581fb60efbacec02ad1ccf05f00fc40af95cc3ae9fadd4558d21b789aedf83a4501789e2d326ffbe43133cec9ebc5bf9b2d0c4de96c34bccb81ca9dd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\34234057.exe

Filesize
300KB

MD5
c99cf139d5b25569c6d1b4bcbe411b6e

SHA1
bac737cfa5f66c0f82c16f89e851c3f69b442f1e

SHA256
3f9836f041597fc734a5684a19fffef9bdc3bf8908f6bc1d6a48d319d80d4770

SHA512
7c873e808c56c7df9c5aad227ee59e90898dc3e4639e047420ab8bcd8b3b8666b63fb57b7e5c1887df522e148649687bc2a519da87ba9f6121478eaa322963ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\34234057.exe

Filesize
300KB

MD5
c99cf139d5b25569c6d1b4bcbe411b6e

SHA1
bac737cfa5f66c0f82c16f89e851c3f69b442f1e

SHA256
3f9836f041597fc734a5684a19fffef9bdc3bf8908f6bc1d6a48d319d80d4770

SHA512
7c873e808c56c7df9c5aad227ee59e90898dc3e4639e047420ab8bcd8b3b8666b63fb57b7e5c1887df522e148649687bc2a519da87ba9f6121478eaa322963ac

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\za234591.exe

Filesize
1.3MB

MD5
34bf9627dfd09c71a8e680c26f17370a

SHA1
14de81d69264c8a35f80dcf637252bfe80f502e7

SHA256
415332b84b6e93b1079ab9b7cd922b08aa818a8382b47965c706a0918b3f7877

SHA512
644dd3482ce1551e48d8cda7d50510b80de834ca59a85ed6ae751f340375fe6e4338c8f698b87b5e7d0412062fc4b27d360c58cc27ccbb4cf1c1ef0bfd7d9f03

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\za234591.exe

Filesize
1.3MB

MD5
34bf9627dfd09c71a8e680c26f17370a

SHA1
14de81d69264c8a35f80dcf637252bfe80f502e7

SHA256
415332b84b6e93b1079ab9b7cd922b08aa818a8382b47965c706a0918b3f7877

SHA512
644dd3482ce1551e48d8cda7d50510b80de834ca59a85ed6ae751f340375fe6e4338c8f698b87b5e7d0412062fc4b27d360c58cc27ccbb4cf1c1ef0bfd7d9f03

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\za896020.exe

Filesize
882KB

MD5
2d6949c88a020335a4484f0e47dbcf20

SHA1
b271df6768617d87c94bdb23d2f17a8725d7f8dc

SHA256
b0e1e38c29c9f1b2f47ab0055f1754f17dc3146453b5e78c4c1dfbc6b3fbbea6

SHA512
aeed4a28b9be474f95d98428bb44a66cfe8dfbb593970fe460f52fefb23dae759b13974a98ba45e6048fcf4b91fc98408dac4f7dfe6cd468441475785a0d8ee7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\za896020.exe

Filesize
882KB

MD5
2d6949c88a020335a4484f0e47dbcf20

SHA1
b271df6768617d87c94bdb23d2f17a8725d7f8dc

SHA256
b0e1e38c29c9f1b2f47ab0055f1754f17dc3146453b5e78c4c1dfbc6b3fbbea6

SHA512
aeed4a28b9be474f95d98428bb44a66cfe8dfbb593970fe460f52fefb23dae759b13974a98ba45e6048fcf4b91fc98408dac4f7dfe6cd468441475785a0d8ee7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\za396102.exe

Filesize
699KB

MD5
3ae238bdd980168b468dfa79df8dffbc

SHA1
a46441997d70bb1a14dc3a4dfb17a86d9cf66aa9

SHA256
f1466129789485fa5bb0d307d22ba5f8fa8559c7e63e4b6713a1b0ef9a1a1201

SHA512
0b4a8a581fb60efbacec02ad1ccf05f00fc40af95cc3ae9fadd4558d21b789aedf83a4501789e2d326ffbe43133cec9ebc5bf9b2d0c4de96c34bccb81ca9dd35

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\za396102.exe

Filesize
699KB

MD5
3ae238bdd980168b468dfa79df8dffbc

SHA1
a46441997d70bb1a14dc3a4dfb17a86d9cf66aa9

SHA256
f1466129789485fa5bb0d307d22ba5f8fa8559c7e63e4b6713a1b0ef9a1a1201

SHA512
0b4a8a581fb60efbacec02ad1ccf05f00fc40af95cc3ae9fadd4558d21b789aedf83a4501789e2d326ffbe43133cec9ebc5bf9b2d0c4de96c34bccb81ca9dd35

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\34234057.exe

Filesize
300KB

MD5
c99cf139d5b25569c6d1b4bcbe411b6e

SHA1
bac737cfa5f66c0f82c16f89e851c3f69b442f1e

SHA256
3f9836f041597fc734a5684a19fffef9bdc3bf8908f6bc1d6a48d319d80d4770

SHA512
7c873e808c56c7df9c5aad227ee59e90898dc3e4639e047420ab8bcd8b3b8666b63fb57b7e5c1887df522e148649687bc2a519da87ba9f6121478eaa322963ac

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\34234057.exe

Filesize
300KB

MD5
c99cf139d5b25569c6d1b4bcbe411b6e

SHA1
bac737cfa5f66c0f82c16f89e851c3f69b442f1e

SHA256
3f9836f041597fc734a5684a19fffef9bdc3bf8908f6bc1d6a48d319d80d4770

SHA512
7c873e808c56c7df9c5aad227ee59e90898dc3e4639e047420ab8bcd8b3b8666b63fb57b7e5c1887df522e148649687bc2a519da87ba9f6121478eaa322963ac

Download Submit
memory/696-121-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-153-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-96-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-97-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-105-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-107-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-109-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-115-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-117-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-113-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-94-0x0000000002120000-0x0000000002178000-memory.dmp

Filesize
352KB

Download
memory/696-127-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-129-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-135-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-139-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-137-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-143-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-147-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-151-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-95-0x00000000021E0000-0x0000000002236000-memory.dmp

Filesize
344KB

Download
memory/696-155-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-159-0x00000000049F0000-0x0000000004A30000-memory.dmp

Filesize
256KB

Download
memory/696-158-0x00000000049F0000-0x0000000004A30000-memory.dmp

Filesize
256KB

Download
memory/696-157-0x00000000049F0000-0x0000000004A30000-memory.dmp

Filesize
256KB

Download
memory/696-149-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-145-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-141-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-133-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-131-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-125-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-123-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-119-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-111-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-103-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-101-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-99-0x00000000021E0000-0x0000000002231000-memory.dmp

Filesize
324KB

Download
memory/696-160-0x00000000049F0000-0x0000000004A30000-memory.dmp

Filesize
256KB

Download
memory/696-161-0x00000000049F0000-0x0000000004A30000-memory.dmp

Filesize
256KB

Download
memory/696-162-0x00000000049F0000-0x0000000004A30000-memory.dmp

Filesize
256KB

Download