534856d602e27b0e17a9f7debba2f554428cad4143cf10125a987864025378fd

Analysis

max time kernel
151s
max time network
156s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

534856d602e27b0e17a9f7debba2f554428cad4143cf10125a987864025378fd.exe
Size

1.1MB
MD5

c3683432e5ebf6788e846f8894205ad5
SHA1

6a2f646b71e2c05af57ae90ce2b5bf30cc01596b
SHA256

534856d602e27b0e17a9f7debba2f554428cad4143cf10125a987864025378fd
SHA512

b68ad2d0c30b68613b92bd671b3de33ace8cbab9b26ca11a2d1728490155c4cbe719113e82e9dc25bccb91d5208d0c406ad4357bebbf7a8fb8d47bd6c839dd9a
SSDEEP

24576:kyX56C+GJBbc0O6ImQtZfphHQk3wH2YRFB4n84gDf:zMp0/I5tZffwrBFB4nfg

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1688	y5348503.exe
2032	y8445337.exe
472	k4331926.exe

Loads dropped DLL 6 IoCs

pid	Process
1424	534856d602e27b0e17a9f7debba2f554428cad4143cf10125a987864025378fd.exe
1688	y5348503.exe
1688	y5348503.exe
2032	y8445337.exe
2032	y8445337.exe
472	k4331926.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	534856d602e27b0e17a9f7debba2f554428cad4143cf10125a987864025378fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	534856d602e27b0e17a9f7debba2f554428cad4143cf10125a987864025378fd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y5348503.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5348503.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y8445337.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y8445337.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1688	1424	534856d602e27b0e17a9f7debba2f554428cad4143cf10125a987864025378fd.exe	28
PID 1424 wrote to memory of 1688	1424	534856d602e27b0e17a9f7debba2f554428cad4143cf10125a987864025378fd.exe	28
PID 1424 wrote to memory of 1688	1424	534856d602e27b0e17a9f7debba2f554428cad4143cf10125a987864025378fd.exe	28
PID 1424 wrote to memory of 1688	1424	534856d602e27b0e17a9f7debba2f554428cad4143cf10125a987864025378fd.exe	28
PID 1424 wrote to memory of 1688	1424	534856d602e27b0e17a9f7debba2f554428cad4143cf10125a987864025378fd.exe	28
PID 1424 wrote to memory of 1688	1424	534856d602e27b0e17a9f7debba2f554428cad4143cf10125a987864025378fd.exe	28
PID 1424 wrote to memory of 1688	1424	534856d602e27b0e17a9f7debba2f554428cad4143cf10125a987864025378fd.exe	28
PID 1688 wrote to memory of 2032	1688	y5348503.exe	29
PID 1688 wrote to memory of 2032	1688	y5348503.exe	29
PID 1688 wrote to memory of 2032	1688	y5348503.exe	29
PID 1688 wrote to memory of 2032	1688	y5348503.exe	29
PID 1688 wrote to memory of 2032	1688	y5348503.exe	29
PID 1688 wrote to memory of 2032	1688	y5348503.exe	29
PID 1688 wrote to memory of 2032	1688	y5348503.exe	29
PID 2032 wrote to memory of 472	2032	y8445337.exe	30
PID 2032 wrote to memory of 472	2032	y8445337.exe	30
PID 2032 wrote to memory of 472	2032	y8445337.exe	30
PID 2032 wrote to memory of 472	2032	y8445337.exe	30
PID 2032 wrote to memory of 472	2032	y8445337.exe	30
PID 2032 wrote to memory of 472	2032	y8445337.exe	30
PID 2032 wrote to memory of 472	2032	y8445337.exe	30

C:\Users\Admin\AppData\Local\Temp\534856d602e27b0e17a9f7debba2f554428cad4143cf10125a987864025378fd.exe
"C:\Users\Admin\AppData\Local\Temp\534856d602e27b0e17a9f7debba2f554428cad4143cf10125a987864025378fd.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5348503.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5348503.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8445337.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8445337.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4331926.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4331926.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5348503.exe

Filesize
599KB

MD5
d34b456a42b824df46078c57a5fdeef1

SHA1
e92c5cbb1a0defbce85665b550fd093e20f9085b

SHA256
618205b90db877b4c95321f20d25deb23fe5c0833a9eb583ac4827aecb6ce8fe

SHA512
71fba2966fb226d2236338ef10a11247346106146aafb248b660fe5c718b060aa8aaf3583c0d8f0e001b7d203ca327e0d2917b4877905e05c55c8b669e309e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5348503.exe

Filesize
599KB

MD5
d34b456a42b824df46078c57a5fdeef1

SHA1
e92c5cbb1a0defbce85665b550fd093e20f9085b

SHA256
618205b90db877b4c95321f20d25deb23fe5c0833a9eb583ac4827aecb6ce8fe

SHA512
71fba2966fb226d2236338ef10a11247346106146aafb248b660fe5c718b060aa8aaf3583c0d8f0e001b7d203ca327e0d2917b4877905e05c55c8b669e309e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8445337.exe

Filesize
395KB

MD5
8faed65e7a9ecbc49022b66339a7c1f6

SHA1
a92dd588768f68c9dbe9599c888f69b0c9dcffce

SHA256
8a0adf07fa04652b3ad3f5cbf9b37939218fb8427c611e304fd2b1bf5f8c3389

SHA512
be17c1771d596eb6dcab28e4c3ea2678aa9e52b24bbdc6f56b12610487877e0c7b849823ef34e93fd4a9153116c140c7cc065ab37adcef95ba44ae18d8f3a5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8445337.exe

Filesize
395KB

MD5
8faed65e7a9ecbc49022b66339a7c1f6

SHA1
a92dd588768f68c9dbe9599c888f69b0c9dcffce

SHA256
8a0adf07fa04652b3ad3f5cbf9b37939218fb8427c611e304fd2b1bf5f8c3389

SHA512
be17c1771d596eb6dcab28e4c3ea2678aa9e52b24bbdc6f56b12610487877e0c7b849823ef34e93fd4a9153116c140c7cc065ab37adcef95ba44ae18d8f3a5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4331926.exe

Filesize
136KB

MD5
cbd7c4a03db7e2414157ba0cfd2c547a

SHA1
6a31db92c8545ff4e94a48dcb21ba86f6bb29dae

SHA256
5d19c9485b92e739fd03b655ef3a30a2b6a39b3bd3b4f1809df0072a2403c0ca

SHA512
6d4e04d7445f074b16693a89b864644a1463fca778c3705c28be4f0cd155a6cb2e3e79cb22cd8615e7f052f9df6f90af9e6800e1545ebe6c7736fdd52b9448e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4331926.exe

Filesize
136KB

MD5
cbd7c4a03db7e2414157ba0cfd2c547a

SHA1
6a31db92c8545ff4e94a48dcb21ba86f6bb29dae

SHA256
5d19c9485b92e739fd03b655ef3a30a2b6a39b3bd3b4f1809df0072a2403c0ca

SHA512
6d4e04d7445f074b16693a89b864644a1463fca778c3705c28be4f0cd155a6cb2e3e79cb22cd8615e7f052f9df6f90af9e6800e1545ebe6c7736fdd52b9448e0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5348503.exe

Filesize
599KB

MD5
d34b456a42b824df46078c57a5fdeef1

SHA1
e92c5cbb1a0defbce85665b550fd093e20f9085b

SHA256
618205b90db877b4c95321f20d25deb23fe5c0833a9eb583ac4827aecb6ce8fe

SHA512
71fba2966fb226d2236338ef10a11247346106146aafb248b660fe5c718b060aa8aaf3583c0d8f0e001b7d203ca327e0d2917b4877905e05c55c8b669e309e4c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5348503.exe

Filesize
599KB

MD5
d34b456a42b824df46078c57a5fdeef1

SHA1
e92c5cbb1a0defbce85665b550fd093e20f9085b

SHA256
618205b90db877b4c95321f20d25deb23fe5c0833a9eb583ac4827aecb6ce8fe

SHA512
71fba2966fb226d2236338ef10a11247346106146aafb248b660fe5c718b060aa8aaf3583c0d8f0e001b7d203ca327e0d2917b4877905e05c55c8b669e309e4c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8445337.exe

Filesize
395KB

MD5
8faed65e7a9ecbc49022b66339a7c1f6

SHA1
a92dd588768f68c9dbe9599c888f69b0c9dcffce

SHA256
8a0adf07fa04652b3ad3f5cbf9b37939218fb8427c611e304fd2b1bf5f8c3389

SHA512
be17c1771d596eb6dcab28e4c3ea2678aa9e52b24bbdc6f56b12610487877e0c7b849823ef34e93fd4a9153116c140c7cc065ab37adcef95ba44ae18d8f3a5d6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8445337.exe

Filesize
395KB

MD5
8faed65e7a9ecbc49022b66339a7c1f6

SHA1
a92dd588768f68c9dbe9599c888f69b0c9dcffce

SHA256
8a0adf07fa04652b3ad3f5cbf9b37939218fb8427c611e304fd2b1bf5f8c3389

SHA512
be17c1771d596eb6dcab28e4c3ea2678aa9e52b24bbdc6f56b12610487877e0c7b849823ef34e93fd4a9153116c140c7cc065ab37adcef95ba44ae18d8f3a5d6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4331926.exe

Filesize
136KB

MD5
cbd7c4a03db7e2414157ba0cfd2c547a

SHA1
6a31db92c8545ff4e94a48dcb21ba86f6bb29dae

SHA256
5d19c9485b92e739fd03b655ef3a30a2b6a39b3bd3b4f1809df0072a2403c0ca

SHA512
6d4e04d7445f074b16693a89b864644a1463fca778c3705c28be4f0cd155a6cb2e3e79cb22cd8615e7f052f9df6f90af9e6800e1545ebe6c7736fdd52b9448e0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4331926.exe

Filesize
136KB

MD5
cbd7c4a03db7e2414157ba0cfd2c547a

SHA1
6a31db92c8545ff4e94a48dcb21ba86f6bb29dae

SHA256
5d19c9485b92e739fd03b655ef3a30a2b6a39b3bd3b4f1809df0072a2403c0ca

SHA512
6d4e04d7445f074b16693a89b864644a1463fca778c3705c28be4f0cd155a6cb2e3e79cb22cd8615e7f052f9df6f90af9e6800e1545ebe6c7736fdd52b9448e0

Download Submit
memory/472-84-0x0000000000EC0000-0x0000000000EE8000-memory.dmp

Filesize
160KB

Download
memory/472-85-0x0000000007030000-0x0000000007070000-memory.dmp

Filesize
256KB

Download
memory/472-86-0x0000000007030000-0x0000000007070000-memory.dmp

Filesize
256KB

Download