0123685221e8f4bbe288ada7dd1d6c960a94af37ed7e4f55bcff7f81aa4a3507

Analysis

max time kernel
336s
max time network
407s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0123685221e8f4bbe288ada7dd1d6c960a94af37ed7e4f55bcff7f81aa4a3507.exe
Size

1.7MB
MD5

c44937f9a9a1dd00e1a9e71315cb668d
SHA1

64c27b452325c47d95078b26ff18cc6c0a23541a
SHA256

0123685221e8f4bbe288ada7dd1d6c960a94af37ed7e4f55bcff7f81aa4a3507
SHA512

c41ec1da4f84cccd1454658efd2d31503d53baf9f90abfadb49b484ba840c2396f600120a1e36c746735c1dcf06235bae368978a4db1ed5f34f33a0459dcfcbf
SSDEEP

49152:a4gu4265mdWpCE9uktqnYGNanFYLd0bBsAORlwCg4:wrV5mdcCEZtqnYGNanYebGNRl7

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
460	gm368537.exe
3148	Xp897310.exe
3392	ve816609.exe
1824	Li371741.exe
3904	a12531918.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ve816609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Li371741.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0123685221e8f4bbe288ada7dd1d6c960a94af37ed7e4f55bcff7f81aa4a3507.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0123685221e8f4bbe288ada7dd1d6c960a94af37ed7e4f55bcff7f81aa4a3507.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	gm368537.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ve816609.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	gm368537.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Xp897310.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Xp897310.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Li371741.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3904	a12531918.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 460	2872	0123685221e8f4bbe288ada7dd1d6c960a94af37ed7e4f55bcff7f81aa4a3507.exe	83
PID 2872 wrote to memory of 460	2872	0123685221e8f4bbe288ada7dd1d6c960a94af37ed7e4f55bcff7f81aa4a3507.exe	83
PID 2872 wrote to memory of 460	2872	0123685221e8f4bbe288ada7dd1d6c960a94af37ed7e4f55bcff7f81aa4a3507.exe	83
PID 460 wrote to memory of 3148	460	gm368537.exe	84
PID 460 wrote to memory of 3148	460	gm368537.exe	84
PID 460 wrote to memory of 3148	460	gm368537.exe	84
PID 3148 wrote to memory of 3392	3148	Xp897310.exe	85
PID 3148 wrote to memory of 3392	3148	Xp897310.exe	85
PID 3148 wrote to memory of 3392	3148	Xp897310.exe	85
PID 3392 wrote to memory of 1824	3392	ve816609.exe	86
PID 3392 wrote to memory of 1824	3392	ve816609.exe	86
PID 3392 wrote to memory of 1824	3392	ve816609.exe	86
PID 1824 wrote to memory of 3904	1824	Li371741.exe	89
PID 1824 wrote to memory of 3904	1824	Li371741.exe	89
PID 1824 wrote to memory of 3904	1824	Li371741.exe	89

C:\Users\Admin\AppData\Local\Temp\0123685221e8f4bbe288ada7dd1d6c960a94af37ed7e4f55bcff7f81aa4a3507.exe
"C:\Users\Admin\AppData\Local\Temp\0123685221e8f4bbe288ada7dd1d6c960a94af37ed7e4f55bcff7f81aa4a3507.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gm368537.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gm368537.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:460
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xp897310.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xp897310.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3148
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ve816609.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ve816609.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3392
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Li371741.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Li371741.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1824
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a12531918.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a12531918.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gm368537.exe

Filesize
1.4MB

MD5
eb6df914f792463c6b73e7ec469c8461

SHA1
8554dddffe66aded66bde4d63202d5a937926649

SHA256
b28f2c48fef70e5d6bee1842dbad2fd77844b42872d826afdbb6baadb940e775

SHA512
25d1eb53e6eded1066f7337f5a65c007e51b9c848598080fcac37ff4ba8c87e53f4ce85b877cc1ce2d74d32015ccf4cd4e096ac114c1af2db72cd9150a70811c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gm368537.exe

Filesize
1.4MB

MD5
eb6df914f792463c6b73e7ec469c8461

SHA1
8554dddffe66aded66bde4d63202d5a937926649

SHA256
b28f2c48fef70e5d6bee1842dbad2fd77844b42872d826afdbb6baadb940e775

SHA512
25d1eb53e6eded1066f7337f5a65c007e51b9c848598080fcac37ff4ba8c87e53f4ce85b877cc1ce2d74d32015ccf4cd4e096ac114c1af2db72cd9150a70811c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xp897310.exe

Filesize
1.3MB

MD5
6db8b139f21785fc3f74040cba7bd879

SHA1
6a974e0d9853a71866afc9b1287373f40866ca69

SHA256
d905004448cf627f2b3c811eda70ff8d81417e5eb32f878b693ca2b5ba2e58b7

SHA512
bb06f2260a9db0619e481c8090bddc580b35cb269237712bd1bd7b17bc956e4fd95f3a142779af0b01647a293898d751e03bb87430459f2ae6b4d13dbb4793c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xp897310.exe

Filesize
1.3MB

MD5
6db8b139f21785fc3f74040cba7bd879

SHA1
6a974e0d9853a71866afc9b1287373f40866ca69

SHA256
d905004448cf627f2b3c811eda70ff8d81417e5eb32f878b693ca2b5ba2e58b7

SHA512
bb06f2260a9db0619e481c8090bddc580b35cb269237712bd1bd7b17bc956e4fd95f3a142779af0b01647a293898d751e03bb87430459f2ae6b4d13dbb4793c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ve816609.exe

Filesize
852KB

MD5
a88d050386d14b4aebcd28a0159374e0

SHA1
bdc0fd47c6ad75fec3f55fd9e81cd1150fa32cb0

SHA256
8ef042ba464dbfa6b7724e827f97abb4d62fdb196078e34d93dd1734ab23c721

SHA512
888e6282ac5b56bf82189dcad2b37dd05a08afe0a899719036e43058286a5ddb3b59a204fabc04f1e04c58c9a86b5f921e729a11bdb1fa9aa7b1cbdedbfe7301

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ve816609.exe

Filesize
852KB

MD5
a88d050386d14b4aebcd28a0159374e0

SHA1
bdc0fd47c6ad75fec3f55fd9e81cd1150fa32cb0

SHA256
8ef042ba464dbfa6b7724e827f97abb4d62fdb196078e34d93dd1734ab23c721

SHA512
888e6282ac5b56bf82189dcad2b37dd05a08afe0a899719036e43058286a5ddb3b59a204fabc04f1e04c58c9a86b5f921e729a11bdb1fa9aa7b1cbdedbfe7301

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Li371741.exe

Filesize
680KB

MD5
c3b227a8d59e216b36e3443a68c0f336

SHA1
d6e389fc00512afc25533dd3dc70334c6b050b96

SHA256
913eb8efad291d713bd7fb562a710d7776abb71828ee548e1207bd9c1ab64569

SHA512
d90428e0ed75f8dbda1e8b2243faad87fa6263c7a6084785c10633eb1a48c767f658fb699b7bf10e0f663e7038fb1271181cc89d7b17b0beceaa6151db05fc44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Li371741.exe

Filesize
680KB

MD5
c3b227a8d59e216b36e3443a68c0f336

SHA1
d6e389fc00512afc25533dd3dc70334c6b050b96

SHA256
913eb8efad291d713bd7fb562a710d7776abb71828ee548e1207bd9c1ab64569

SHA512
d90428e0ed75f8dbda1e8b2243faad87fa6263c7a6084785c10633eb1a48c767f658fb699b7bf10e0f663e7038fb1271181cc89d7b17b0beceaa6151db05fc44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a12531918.exe

Filesize
301KB

MD5
8c76a0aecbb36bcb24bf81b55041804e

SHA1
52a1ce0625fd48703e66e68db221b4b5f090e513

SHA256
6346e4731b34c24444b2c7f37e7f0d9f915eb8e899ea2a1a476b567c08a2c5a4

SHA512
1ed04a9a6b2d61149092bac8810cc1736ebb9684c9a40ba1eb6413bfb8b3d3d3e51b476ee856f5cb620bd7e4e49199e76bf1a953d97425a4576489b6013f14fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a12531918.exe

Filesize
301KB

MD5
8c76a0aecbb36bcb24bf81b55041804e

SHA1
52a1ce0625fd48703e66e68db221b4b5f090e513

SHA256
6346e4731b34c24444b2c7f37e7f0d9f915eb8e899ea2a1a476b567c08a2c5a4

SHA512
1ed04a9a6b2d61149092bac8810cc1736ebb9684c9a40ba1eb6413bfb8b3d3d3e51b476ee856f5cb620bd7e4e49199e76bf1a953d97425a4576489b6013f14fc

Download Submit
memory/3904-168-0x00000000049E0000-0x0000000004F84000-memory.dmp

Filesize
5.6MB

Download
memory/3904-169-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/3904-170-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/3904-171-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/3904-172-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/3904-173-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/3904-174-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download