42dd5d2085e3acab633e31f0a6353f8af2cc22d896a79940d415b4809b9b87b6

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42dd5d2085e3acab633e31f0a6353f8af2cc22d896a79940d415b4809b9b87b6.exe
Size

1.1MB
MD5

84ff71bb33d737094a9d28a8987e3659
SHA1

ae21eea2aed54c2ee9a8034e3b263d0657f4a3a8
SHA256

42dd5d2085e3acab633e31f0a6353f8af2cc22d896a79940d415b4809b9b87b6
SHA512

f110e6acb842901319552dd5fc79916c075124bda88763bf643de43cfddc030be4c0033269f78c53141c62f27ca035339789b45882e55325283d2aee9d323ee8
SSDEEP

24576:ky6Pw9tDwaKpyyFTSh6Apz5eYTFBXyPWf:zcw9qzy+TSh6G7FBXy

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
848	y2489530.exe
1840	y5049967.exe
928	k2460310.exe

Loads dropped DLL 6 IoCs

pid	Process
1320	42dd5d2085e3acab633e31f0a6353f8af2cc22d896a79940d415b4809b9b87b6.exe
848	y2489530.exe
848	y2489530.exe
1840	y5049967.exe
1840	y5049967.exe
928	k2460310.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y2489530.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y5049967.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y5049967.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	42dd5d2085e3acab633e31f0a6353f8af2cc22d896a79940d415b4809b9b87b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	42dd5d2085e3acab633e31f0a6353f8af2cc22d896a79940d415b4809b9b87b6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y2489530.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 848	1320	42dd5d2085e3acab633e31f0a6353f8af2cc22d896a79940d415b4809b9b87b6.exe	28
PID 1320 wrote to memory of 848	1320	42dd5d2085e3acab633e31f0a6353f8af2cc22d896a79940d415b4809b9b87b6.exe	28
PID 1320 wrote to memory of 848	1320	42dd5d2085e3acab633e31f0a6353f8af2cc22d896a79940d415b4809b9b87b6.exe	28
PID 1320 wrote to memory of 848	1320	42dd5d2085e3acab633e31f0a6353f8af2cc22d896a79940d415b4809b9b87b6.exe	28
PID 1320 wrote to memory of 848	1320	42dd5d2085e3acab633e31f0a6353f8af2cc22d896a79940d415b4809b9b87b6.exe	28
PID 1320 wrote to memory of 848	1320	42dd5d2085e3acab633e31f0a6353f8af2cc22d896a79940d415b4809b9b87b6.exe	28
PID 1320 wrote to memory of 848	1320	42dd5d2085e3acab633e31f0a6353f8af2cc22d896a79940d415b4809b9b87b6.exe	28
PID 848 wrote to memory of 1840	848	y2489530.exe	29
PID 848 wrote to memory of 1840	848	y2489530.exe	29
PID 848 wrote to memory of 1840	848	y2489530.exe	29
PID 848 wrote to memory of 1840	848	y2489530.exe	29
PID 848 wrote to memory of 1840	848	y2489530.exe	29
PID 848 wrote to memory of 1840	848	y2489530.exe	29
PID 848 wrote to memory of 1840	848	y2489530.exe	29
PID 1840 wrote to memory of 928	1840	y5049967.exe	30
PID 1840 wrote to memory of 928	1840	y5049967.exe	30
PID 1840 wrote to memory of 928	1840	y5049967.exe	30
PID 1840 wrote to memory of 928	1840	y5049967.exe	30
PID 1840 wrote to memory of 928	1840	y5049967.exe	30
PID 1840 wrote to memory of 928	1840	y5049967.exe	30
PID 1840 wrote to memory of 928	1840	y5049967.exe	30

C:\Users\Admin\AppData\Local\Temp\42dd5d2085e3acab633e31f0a6353f8af2cc22d896a79940d415b4809b9b87b6.exe
"C:\Users\Admin\AppData\Local\Temp\42dd5d2085e3acab633e31f0a6353f8af2cc22d896a79940d415b4809b9b87b6.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2489530.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2489530.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5049967.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5049967.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2460310.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2460310.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2489530.exe

Filesize
599KB

MD5
638ee350c3843dbd462e0a6054c96d9b

SHA1
35932139bf5c907986226e946e54333bb8598353

SHA256
c0bad89c9dc8a34af84235e2b5915ad2a2088a98a566d1d74d2fccd9d5b0a35f

SHA512
8829b0a3f422fc6c65fd38819ca3d39e3f1b14222fd954670bc6a0565f5160ee46a6e69d62f5f3ec807742ef9778cfd686a0b9fff548d9a96562fe20a716ac68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2489530.exe

Filesize
599KB

MD5
638ee350c3843dbd462e0a6054c96d9b

SHA1
35932139bf5c907986226e946e54333bb8598353

SHA256
c0bad89c9dc8a34af84235e2b5915ad2a2088a98a566d1d74d2fccd9d5b0a35f

SHA512
8829b0a3f422fc6c65fd38819ca3d39e3f1b14222fd954670bc6a0565f5160ee46a6e69d62f5f3ec807742ef9778cfd686a0b9fff548d9a96562fe20a716ac68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5049967.exe

Filesize
395KB

MD5
c6b111893551215495bd6da934612fbb

SHA1
5cb8ad0fab07b75961359268292ee9f58ff3e563

SHA256
2b5fc247c4b0d6dc01245d6ac51e765f234cb3f0af54eb4bb5d5011a81154986

SHA512
e41a867ecb3b84c6b2dcc8c072ed9be6e9954a18c2cc1aa92cd41692767325644565f7ee5b8ed8bfb307aae691a97f66099cda804c2b99091a7d04298ec4f012

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5049967.exe

Filesize
395KB

MD5
c6b111893551215495bd6da934612fbb

SHA1
5cb8ad0fab07b75961359268292ee9f58ff3e563

SHA256
2b5fc247c4b0d6dc01245d6ac51e765f234cb3f0af54eb4bb5d5011a81154986

SHA512
e41a867ecb3b84c6b2dcc8c072ed9be6e9954a18c2cc1aa92cd41692767325644565f7ee5b8ed8bfb307aae691a97f66099cda804c2b99091a7d04298ec4f012

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2460310.exe

Filesize
136KB

MD5
709dee1d89ebc755e200d90726736e26

SHA1
f91ee62f5fefb53f086b2f243761130b902593aa

SHA256
909862eed1f1b927165a16dd48ef0df23a27890d0a5ae5f06f866c5867d1eaaa

SHA512
674a41587896dd034e15c2c9b1789ce635bf4f6fe8cbf3bd1646e2e210c8139d45a8e82e4e365a3d3b8f1d5c2b7e39c7b372213b29c6b98ba8938fc11600aea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2460310.exe

Filesize
136KB

MD5
709dee1d89ebc755e200d90726736e26

SHA1
f91ee62f5fefb53f086b2f243761130b902593aa

SHA256
909862eed1f1b927165a16dd48ef0df23a27890d0a5ae5f06f866c5867d1eaaa

SHA512
674a41587896dd034e15c2c9b1789ce635bf4f6fe8cbf3bd1646e2e210c8139d45a8e82e4e365a3d3b8f1d5c2b7e39c7b372213b29c6b98ba8938fc11600aea4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2489530.exe

Filesize
599KB

MD5
638ee350c3843dbd462e0a6054c96d9b

SHA1
35932139bf5c907986226e946e54333bb8598353

SHA256
c0bad89c9dc8a34af84235e2b5915ad2a2088a98a566d1d74d2fccd9d5b0a35f

SHA512
8829b0a3f422fc6c65fd38819ca3d39e3f1b14222fd954670bc6a0565f5160ee46a6e69d62f5f3ec807742ef9778cfd686a0b9fff548d9a96562fe20a716ac68

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2489530.exe

Filesize
599KB

MD5
638ee350c3843dbd462e0a6054c96d9b

SHA1
35932139bf5c907986226e946e54333bb8598353

SHA256
c0bad89c9dc8a34af84235e2b5915ad2a2088a98a566d1d74d2fccd9d5b0a35f

SHA512
8829b0a3f422fc6c65fd38819ca3d39e3f1b14222fd954670bc6a0565f5160ee46a6e69d62f5f3ec807742ef9778cfd686a0b9fff548d9a96562fe20a716ac68

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5049967.exe

Filesize
395KB

MD5
c6b111893551215495bd6da934612fbb

SHA1
5cb8ad0fab07b75961359268292ee9f58ff3e563

SHA256
2b5fc247c4b0d6dc01245d6ac51e765f234cb3f0af54eb4bb5d5011a81154986

SHA512
e41a867ecb3b84c6b2dcc8c072ed9be6e9954a18c2cc1aa92cd41692767325644565f7ee5b8ed8bfb307aae691a97f66099cda804c2b99091a7d04298ec4f012

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5049967.exe

Filesize
395KB

MD5
c6b111893551215495bd6da934612fbb

SHA1
5cb8ad0fab07b75961359268292ee9f58ff3e563

SHA256
2b5fc247c4b0d6dc01245d6ac51e765f234cb3f0af54eb4bb5d5011a81154986

SHA512
e41a867ecb3b84c6b2dcc8c072ed9be6e9954a18c2cc1aa92cd41692767325644565f7ee5b8ed8bfb307aae691a97f66099cda804c2b99091a7d04298ec4f012

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2460310.exe

Filesize
136KB

MD5
709dee1d89ebc755e200d90726736e26

SHA1
f91ee62f5fefb53f086b2f243761130b902593aa

SHA256
909862eed1f1b927165a16dd48ef0df23a27890d0a5ae5f06f866c5867d1eaaa

SHA512
674a41587896dd034e15c2c9b1789ce635bf4f6fe8cbf3bd1646e2e210c8139d45a8e82e4e365a3d3b8f1d5c2b7e39c7b372213b29c6b98ba8938fc11600aea4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2460310.exe

Filesize
136KB

MD5
709dee1d89ebc755e200d90726736e26

SHA1
f91ee62f5fefb53f086b2f243761130b902593aa

SHA256
909862eed1f1b927165a16dd48ef0df23a27890d0a5ae5f06f866c5867d1eaaa

SHA512
674a41587896dd034e15c2c9b1789ce635bf4f6fe8cbf3bd1646e2e210c8139d45a8e82e4e365a3d3b8f1d5c2b7e39c7b372213b29c6b98ba8938fc11600aea4

Download Submit
memory/928-84-0x0000000000070000-0x0000000000098000-memory.dmp

Filesize
160KB

Download
memory/928-85-0x00000000024D0000-0x0000000002510000-memory.dmp

Filesize
256KB

Download
memory/928-86-0x00000000024D0000-0x0000000002510000-memory.dmp

Filesize
256KB

Download