1414c53389c559514960f1e67a5f3ea3c06fd38ffdcbc20807ea021b73cb4b16

Analysis

max time kernel
30s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-05-2023 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1414c53389c559514960f1e67a5f3ea3c06fd38ffdcbc20807ea021b73cb4b16.exe
Size

1.3MB
MD5

8391de5248011eeec23ca174c53847bc
SHA1

1dfeb81b8d8876e6f06454c6a108a6fbdbfd40bc
SHA256

1414c53389c559514960f1e67a5f3ea3c06fd38ffdcbc20807ea021b73cb4b16
SHA512

decb5d258fdf4fdc994447f015f104c5586a624b04e751bbc1b7783498860a6549852ffd2a9fdee83ebed3722a3f785f45fc85637ba0fa1d78a11fd8acaead4d
SSDEEP

24576:zyhd2k11VVQkXm576EXj1tX5NLTEzkZllsYWdNKtjvZXG23z8u:GhZSRXhtJNszs+xKVBp

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

za654556.exeza047236.exeza422899.exe84279086.exe

pid process

948 za654556.exe
1008 za047236.exe
576 za422899.exe
856 84279086.exe

pid	process
948	za654556.exe
1008	za047236.exe
576	za422899.exe
856	84279086.exe

Loads dropped DLL 8 IoCs

Processes:

1414c53389c559514960f1e67a5f3ea3c06fd38ffdcbc20807ea021b73cb4b16.exeza654556.exeza047236.exeza422899.exe84279086.exe

pid	process
1320	1414c53389c559514960f1e67a5f3ea3c06fd38ffdcbc20807ea021b73cb4b16.exe
948	za654556.exe
948	za654556.exe
1008	za047236.exe
1008	za047236.exe
576	za422899.exe
576	za422899.exe
856	84279086.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

za654556.exeza047236.exeza422899.exe1414c53389c559514960f1e67a5f3ea3c06fd38ffdcbc20807ea021b73cb4b16.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za654556.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za047236.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za047236.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za422899.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	za422899.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1414c53389c559514960f1e67a5f3ea3c06fd38ffdcbc20807ea021b73cb4b16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1414c53389c559514960f1e67a5f3ea3c06fd38ffdcbc20807ea021b73cb4b16.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za654556.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

84279086.exe

description pid process

Token: SeDebugPrivilege 856 84279086.exe

description	pid	process
Token: SeDebugPrivilege	856	84279086.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

1414c53389c559514960f1e67a5f3ea3c06fd38ffdcbc20807ea021b73cb4b16.exeza654556.exeza047236.exeza422899.exe

description	pid	process	target process
PID 1320 wrote to memory of 948	1320	1414c53389c559514960f1e67a5f3ea3c06fd38ffdcbc20807ea021b73cb4b16.exe	za654556.exe
PID 1320 wrote to memory of 948	1320	1414c53389c559514960f1e67a5f3ea3c06fd38ffdcbc20807ea021b73cb4b16.exe	za654556.exe
PID 1320 wrote to memory of 948	1320	1414c53389c559514960f1e67a5f3ea3c06fd38ffdcbc20807ea021b73cb4b16.exe	za654556.exe
PID 1320 wrote to memory of 948	1320	1414c53389c559514960f1e67a5f3ea3c06fd38ffdcbc20807ea021b73cb4b16.exe	za654556.exe
PID 1320 wrote to memory of 948	1320	1414c53389c559514960f1e67a5f3ea3c06fd38ffdcbc20807ea021b73cb4b16.exe	za654556.exe
PID 1320 wrote to memory of 948	1320	1414c53389c559514960f1e67a5f3ea3c06fd38ffdcbc20807ea021b73cb4b16.exe	za654556.exe
PID 1320 wrote to memory of 948	1320	1414c53389c559514960f1e67a5f3ea3c06fd38ffdcbc20807ea021b73cb4b16.exe	za654556.exe
PID 948 wrote to memory of 1008	948	za654556.exe	za047236.exe
PID 948 wrote to memory of 1008	948	za654556.exe	za047236.exe
PID 948 wrote to memory of 1008	948	za654556.exe	za047236.exe
PID 948 wrote to memory of 1008	948	za654556.exe	za047236.exe
PID 948 wrote to memory of 1008	948	za654556.exe	za047236.exe
PID 948 wrote to memory of 1008	948	za654556.exe	za047236.exe
PID 948 wrote to memory of 1008	948	za654556.exe	za047236.exe
PID 1008 wrote to memory of 576	1008	za047236.exe	za422899.exe
PID 1008 wrote to memory of 576	1008	za047236.exe	za422899.exe
PID 1008 wrote to memory of 576	1008	za047236.exe	za422899.exe
PID 1008 wrote to memory of 576	1008	za047236.exe	za422899.exe
PID 1008 wrote to memory of 576	1008	za047236.exe	za422899.exe
PID 1008 wrote to memory of 576	1008	za047236.exe	za422899.exe
PID 1008 wrote to memory of 576	1008	za047236.exe	za422899.exe
PID 576 wrote to memory of 856	576	za422899.exe	84279086.exe
PID 576 wrote to memory of 856	576	za422899.exe	84279086.exe
PID 576 wrote to memory of 856	576	za422899.exe	84279086.exe
PID 576 wrote to memory of 856	576	za422899.exe	84279086.exe
PID 576 wrote to memory of 856	576	za422899.exe	84279086.exe
PID 576 wrote to memory of 856	576	za422899.exe	84279086.exe
PID 576 wrote to memory of 856	576	za422899.exe	84279086.exe

C:\Users\Admin\AppData\Local\Temp\1414c53389c559514960f1e67a5f3ea3c06fd38ffdcbc20807ea021b73cb4b16.exe
"C:\Users\Admin\AppData\Local\Temp\1414c53389c559514960f1e67a5f3ea3c06fd38ffdcbc20807ea021b73cb4b16.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za654556.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za654556.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za047236.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za047236.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za422899.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za422899.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:576
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\84279086.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\84279086.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za654556.exe

Filesize
1.2MB

MD5
c4b862f1448fee364510b6a774ea5660

SHA1
d96b71ced50a3d9537af99e53dcf93b71fd7bdb9

SHA256
c6a95e14b80efb4ac2ecce8fa9897fcf28788774a69e6db4c5bc18dcad1daed9

SHA512
1c21f2dc047825f2c1b4fc0c3f6fe149284910901d53e8cd9817f34f9e4546a8f9e2ceabda3adcd6d0d52f767ecefab297f078664e9d6c35733c1b47b9f525ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za654556.exe

Filesize
1.2MB

MD5
c4b862f1448fee364510b6a774ea5660

SHA1
d96b71ced50a3d9537af99e53dcf93b71fd7bdb9

SHA256
c6a95e14b80efb4ac2ecce8fa9897fcf28788774a69e6db4c5bc18dcad1daed9

SHA512
1c21f2dc047825f2c1b4fc0c3f6fe149284910901d53e8cd9817f34f9e4546a8f9e2ceabda3adcd6d0d52f767ecefab297f078664e9d6c35733c1b47b9f525ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za047236.exe

Filesize
737KB

MD5
0ea90c4d0f2e0e0e5b10de914eab7f3f

SHA1
08afba6197046f7d834a23f8687cd822d07b07d1

SHA256
52bbbf9c661dcac44c6c6b39a23049ea4a924000d95e7a9b873ee29c0386d5c0

SHA512
2479391951d3b79f78f07ec2d9faad222c803ef7a4921b692a819488dd0a9eb7603367d0ee0587ce1efbb030275249586bb44f9b24c4064da924cce33928f4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za047236.exe

Filesize
737KB

MD5
0ea90c4d0f2e0e0e5b10de914eab7f3f

SHA1
08afba6197046f7d834a23f8687cd822d07b07d1

SHA256
52bbbf9c661dcac44c6c6b39a23049ea4a924000d95e7a9b873ee29c0386d5c0

SHA512
2479391951d3b79f78f07ec2d9faad222c803ef7a4921b692a819488dd0a9eb7603367d0ee0587ce1efbb030275249586bb44f9b24c4064da924cce33928f4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za422899.exe

Filesize
554KB

MD5
ce9db3f773b4d7fd445d73d4d7daa360

SHA1
1c1c1fbc49e79c1c767e371b061852833fbda907

SHA256
8fd4fc1d9a16cbdfd57c3e352925ac30c2f4793f38ae27edfa662911e17f1d07

SHA512
b342941839d240ab91da993f9d80cb25d2f8c75ca06f0c68fa1263329aabef4a65a3cd1007624cc3c387d77cdd2e95f8624d53729686675f42b1c8c6a7d7c27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za422899.exe

Filesize
554KB

MD5
ce9db3f773b4d7fd445d73d4d7daa360

SHA1
1c1c1fbc49e79c1c767e371b061852833fbda907

SHA256
8fd4fc1d9a16cbdfd57c3e352925ac30c2f4793f38ae27edfa662911e17f1d07

SHA512
b342941839d240ab91da993f9d80cb25d2f8c75ca06f0c68fa1263329aabef4a65a3cd1007624cc3c387d77cdd2e95f8624d53729686675f42b1c8c6a7d7c27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\84279086.exe

Filesize
303KB

MD5
b96416542f7a80e1fbb8f839a6eeda83

SHA1
37043abdd53a6d1544a294bace284adbe0c28b6f

SHA256
3c5648eec7694a894d47e733d494fa8d40c4d017cd1f61f21d343e9b4b365bfc

SHA512
50644fbbefad08a298ffa7d1eaa3748771a0160379cbaa159168b073970cf013f4f580d12d3e5c35ba7508959730e881b99a8a0c26672397cad546316d7442d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\84279086.exe

Filesize
303KB

MD5
b96416542f7a80e1fbb8f839a6eeda83

SHA1
37043abdd53a6d1544a294bace284adbe0c28b6f

SHA256
3c5648eec7694a894d47e733d494fa8d40c4d017cd1f61f21d343e9b4b365bfc

SHA512
50644fbbefad08a298ffa7d1eaa3748771a0160379cbaa159168b073970cf013f4f580d12d3e5c35ba7508959730e881b99a8a0c26672397cad546316d7442d5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\za654556.exe

Filesize
1.2MB

MD5
c4b862f1448fee364510b6a774ea5660

SHA1
d96b71ced50a3d9537af99e53dcf93b71fd7bdb9

SHA256
c6a95e14b80efb4ac2ecce8fa9897fcf28788774a69e6db4c5bc18dcad1daed9

SHA512
1c21f2dc047825f2c1b4fc0c3f6fe149284910901d53e8cd9817f34f9e4546a8f9e2ceabda3adcd6d0d52f767ecefab297f078664e9d6c35733c1b47b9f525ac

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\za654556.exe

Filesize
1.2MB

MD5
c4b862f1448fee364510b6a774ea5660

SHA1
d96b71ced50a3d9537af99e53dcf93b71fd7bdb9

SHA256
c6a95e14b80efb4ac2ecce8fa9897fcf28788774a69e6db4c5bc18dcad1daed9

SHA512
1c21f2dc047825f2c1b4fc0c3f6fe149284910901d53e8cd9817f34f9e4546a8f9e2ceabda3adcd6d0d52f767ecefab297f078664e9d6c35733c1b47b9f525ac

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\za047236.exe

Filesize
737KB

MD5
0ea90c4d0f2e0e0e5b10de914eab7f3f

SHA1
08afba6197046f7d834a23f8687cd822d07b07d1

SHA256
52bbbf9c661dcac44c6c6b39a23049ea4a924000d95e7a9b873ee29c0386d5c0

SHA512
2479391951d3b79f78f07ec2d9faad222c803ef7a4921b692a819488dd0a9eb7603367d0ee0587ce1efbb030275249586bb44f9b24c4064da924cce33928f4cd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\za047236.exe

Filesize
737KB

MD5
0ea90c4d0f2e0e0e5b10de914eab7f3f

SHA1
08afba6197046f7d834a23f8687cd822d07b07d1

SHA256
52bbbf9c661dcac44c6c6b39a23049ea4a924000d95e7a9b873ee29c0386d5c0

SHA512
2479391951d3b79f78f07ec2d9faad222c803ef7a4921b692a819488dd0a9eb7603367d0ee0587ce1efbb030275249586bb44f9b24c4064da924cce33928f4cd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\za422899.exe

Filesize
554KB

MD5
ce9db3f773b4d7fd445d73d4d7daa360

SHA1
1c1c1fbc49e79c1c767e371b061852833fbda907

SHA256
8fd4fc1d9a16cbdfd57c3e352925ac30c2f4793f38ae27edfa662911e17f1d07

SHA512
b342941839d240ab91da993f9d80cb25d2f8c75ca06f0c68fa1263329aabef4a65a3cd1007624cc3c387d77cdd2e95f8624d53729686675f42b1c8c6a7d7c27f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\za422899.exe

Filesize
554KB

MD5
ce9db3f773b4d7fd445d73d4d7daa360

SHA1
1c1c1fbc49e79c1c767e371b061852833fbda907

SHA256
8fd4fc1d9a16cbdfd57c3e352925ac30c2f4793f38ae27edfa662911e17f1d07

SHA512
b342941839d240ab91da993f9d80cb25d2f8c75ca06f0c68fa1263329aabef4a65a3cd1007624cc3c387d77cdd2e95f8624d53729686675f42b1c8c6a7d7c27f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\84279086.exe

Filesize
303KB

MD5
b96416542f7a80e1fbb8f839a6eeda83

SHA1
37043abdd53a6d1544a294bace284adbe0c28b6f

SHA256
3c5648eec7694a894d47e733d494fa8d40c4d017cd1f61f21d343e9b4b365bfc

SHA512
50644fbbefad08a298ffa7d1eaa3748771a0160379cbaa159168b073970cf013f4f580d12d3e5c35ba7508959730e881b99a8a0c26672397cad546316d7442d5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\84279086.exe

Filesize
303KB

MD5
b96416542f7a80e1fbb8f839a6eeda83

SHA1
37043abdd53a6d1544a294bace284adbe0c28b6f

SHA256
3c5648eec7694a894d47e733d494fa8d40c4d017cd1f61f21d343e9b4b365bfc

SHA512
50644fbbefad08a298ffa7d1eaa3748771a0160379cbaa159168b073970cf013f4f580d12d3e5c35ba7508959730e881b99a8a0c26672397cad546316d7442d5

Download Submit
memory/856-109-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-121-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-96-0x0000000004B70000-0x0000000004BB0000-memory.dmp

Filesize
256KB

Download
memory/856-97-0x0000000004B70000-0x0000000004BB0000-memory.dmp

Filesize
256KB

Download
memory/856-98-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-99-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-103-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-101-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-105-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-107-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-94-0x0000000000B90000-0x0000000000BE8000-memory.dmp

Filesize
352KB

Download
memory/856-113-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-111-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-117-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-115-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-119-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-123-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-125-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-127-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-95-0x0000000002140000-0x0000000002196000-memory.dmp

Filesize
344KB

Download
memory/856-131-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-129-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-135-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-137-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-141-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-143-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-145-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-139-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-147-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-133-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-149-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-153-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-161-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-159-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-157-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-155-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download
memory/856-151-0x0000000002140000-0x0000000002191000-memory.dmp

Filesize
324KB

Download