0678b35fd92acedb4d9d2df34c500851b6a49d57d5601b672d489db90632c7f2

Analysis

max time kernel
130s
max time network
178s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 20:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0678b35fd92acedb4d9d2df34c500851b6a49d57d5601b672d489db90632c7f2.exe
Size

1.1MB
MD5

2a095ac7fa4c2e6c088418f68b035dc7
SHA1

8dc564ff7b570972a72a68d9fe5ece4ce855aff4
SHA256

0678b35fd92acedb4d9d2df34c500851b6a49d57d5601b672d489db90632c7f2
SHA512

fe645f8a1a4f63b42ca22807d67acb7914d908552d3b0f2e1b02d2c868c020bc1343aa0832f0ae1f13e2044fde799518c5675f177e95230f15884185053bdf47
SSDEEP

24576:WyLMtotLrbs+Pdo5WfAb6vhNqCa/pCZaCD5PbKjWDod:luoBrb1d/fAWJoxpkaC9KjWc

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1780	y9810979.exe
768	y7985417.exe
588	k6581361.exe

Loads dropped DLL 6 IoCs

pid	Process
1160	0678b35fd92acedb4d9d2df34c500851b6a49d57d5601b672d489db90632c7f2.exe
1780	y9810979.exe
1780	y9810979.exe
768	y7985417.exe
768	y7985417.exe
588	k6581361.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0678b35fd92acedb4d9d2df34c500851b6a49d57d5601b672d489db90632c7f2.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y9810979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y9810979.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y7985417.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y7985417.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0678b35fd92acedb4d9d2df34c500851b6a49d57d5601b672d489db90632c7f2.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 1780	1160	0678b35fd92acedb4d9d2df34c500851b6a49d57d5601b672d489db90632c7f2.exe	28
PID 1160 wrote to memory of 1780	1160	0678b35fd92acedb4d9d2df34c500851b6a49d57d5601b672d489db90632c7f2.exe	28
PID 1160 wrote to memory of 1780	1160	0678b35fd92acedb4d9d2df34c500851b6a49d57d5601b672d489db90632c7f2.exe	28
PID 1160 wrote to memory of 1780	1160	0678b35fd92acedb4d9d2df34c500851b6a49d57d5601b672d489db90632c7f2.exe	28
PID 1160 wrote to memory of 1780	1160	0678b35fd92acedb4d9d2df34c500851b6a49d57d5601b672d489db90632c7f2.exe	28
PID 1160 wrote to memory of 1780	1160	0678b35fd92acedb4d9d2df34c500851b6a49d57d5601b672d489db90632c7f2.exe	28
PID 1160 wrote to memory of 1780	1160	0678b35fd92acedb4d9d2df34c500851b6a49d57d5601b672d489db90632c7f2.exe	28
PID 1780 wrote to memory of 768	1780	y9810979.exe	29
PID 1780 wrote to memory of 768	1780	y9810979.exe	29
PID 1780 wrote to memory of 768	1780	y9810979.exe	29
PID 1780 wrote to memory of 768	1780	y9810979.exe	29
PID 1780 wrote to memory of 768	1780	y9810979.exe	29
PID 1780 wrote to memory of 768	1780	y9810979.exe	29
PID 1780 wrote to memory of 768	1780	y9810979.exe	29
PID 768 wrote to memory of 588	768	y7985417.exe	30
PID 768 wrote to memory of 588	768	y7985417.exe	30
PID 768 wrote to memory of 588	768	y7985417.exe	30
PID 768 wrote to memory of 588	768	y7985417.exe	30
PID 768 wrote to memory of 588	768	y7985417.exe	30
PID 768 wrote to memory of 588	768	y7985417.exe	30
PID 768 wrote to memory of 588	768	y7985417.exe	30

C:\Users\Admin\AppData\Local\Temp\0678b35fd92acedb4d9d2df34c500851b6a49d57d5601b672d489db90632c7f2.exe
"C:\Users\Admin\AppData\Local\Temp\0678b35fd92acedb4d9d2df34c500851b6a49d57d5601b672d489db90632c7f2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9810979.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9810979.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7985417.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7985417.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6581361.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6581361.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9810979.exe

Filesize
603KB

MD5
4c7a403bb04cc59573b4defca6e4a35e

SHA1
0a9f4392fed81a826776f5ccca6d20106d79524a

SHA256
d901617494e1020d548aacb8a2014ebf0e27a7003f33adea4f6e8add5275ac8b

SHA512
0ab0b33dbb79aa3b5e1b6f7191345c5813322c72d0a2f820b9ef6733cd86ccf848f9811700cdb9d087d784583b9f9a4c3eaf1ba2def287075c054373ef55bb06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9810979.exe

Filesize
603KB

MD5
4c7a403bb04cc59573b4defca6e4a35e

SHA1
0a9f4392fed81a826776f5ccca6d20106d79524a

SHA256
d901617494e1020d548aacb8a2014ebf0e27a7003f33adea4f6e8add5275ac8b

SHA512
0ab0b33dbb79aa3b5e1b6f7191345c5813322c72d0a2f820b9ef6733cd86ccf848f9811700cdb9d087d784583b9f9a4c3eaf1ba2def287075c054373ef55bb06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7985417.exe

Filesize
307KB

MD5
dc9339f11fe8d0e73e5cc081891992c9

SHA1
4de6cbb0efa695ede50b834d02d208cad353106c

SHA256
ede9d75312b24790160a46fd6446fed67a66d2ea6b3aae3885eefdfe71de4df4

SHA512
6e227c65670a973dcfee43c11ce5ad57ea542ce4fc14d1bf35ef08f3f5b6e2f2a817af4d79b8896d1a6f9d6c85c85c22be756a15542f57ba20f05ba53a0ee837

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7985417.exe

Filesize
307KB

MD5
dc9339f11fe8d0e73e5cc081891992c9

SHA1
4de6cbb0efa695ede50b834d02d208cad353106c

SHA256
ede9d75312b24790160a46fd6446fed67a66d2ea6b3aae3885eefdfe71de4df4

SHA512
6e227c65670a973dcfee43c11ce5ad57ea542ce4fc14d1bf35ef08f3f5b6e2f2a817af4d79b8896d1a6f9d6c85c85c22be756a15542f57ba20f05ba53a0ee837

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6581361.exe

Filesize
136KB

MD5
55562ff8c858de623d6a77801a672815

SHA1
fd198f5cfd33ecccde1eee73b4ca470c00679e34

SHA256
49633ab955d31f8e2ab7eb8821393d4d2a20803dcbbc5681ba98904301c6a895

SHA512
d90738d0a8e90f4d913e74350f22e8fed61a123624b90c7cced4a0fa39e829389ef5f89bf42d31ba90a4d7a1a34953cf70f4afeb8823ae08e296686ba76dcd0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6581361.exe

Filesize
136KB

MD5
55562ff8c858de623d6a77801a672815

SHA1
fd198f5cfd33ecccde1eee73b4ca470c00679e34

SHA256
49633ab955d31f8e2ab7eb8821393d4d2a20803dcbbc5681ba98904301c6a895

SHA512
d90738d0a8e90f4d913e74350f22e8fed61a123624b90c7cced4a0fa39e829389ef5f89bf42d31ba90a4d7a1a34953cf70f4afeb8823ae08e296686ba76dcd0b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9810979.exe

Filesize
603KB

MD5
4c7a403bb04cc59573b4defca6e4a35e

SHA1
0a9f4392fed81a826776f5ccca6d20106d79524a

SHA256
d901617494e1020d548aacb8a2014ebf0e27a7003f33adea4f6e8add5275ac8b

SHA512
0ab0b33dbb79aa3b5e1b6f7191345c5813322c72d0a2f820b9ef6733cd86ccf848f9811700cdb9d087d784583b9f9a4c3eaf1ba2def287075c054373ef55bb06

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9810979.exe

Filesize
603KB

MD5
4c7a403bb04cc59573b4defca6e4a35e

SHA1
0a9f4392fed81a826776f5ccca6d20106d79524a

SHA256
d901617494e1020d548aacb8a2014ebf0e27a7003f33adea4f6e8add5275ac8b

SHA512
0ab0b33dbb79aa3b5e1b6f7191345c5813322c72d0a2f820b9ef6733cd86ccf848f9811700cdb9d087d784583b9f9a4c3eaf1ba2def287075c054373ef55bb06

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7985417.exe

Filesize
307KB

MD5
dc9339f11fe8d0e73e5cc081891992c9

SHA1
4de6cbb0efa695ede50b834d02d208cad353106c

SHA256
ede9d75312b24790160a46fd6446fed67a66d2ea6b3aae3885eefdfe71de4df4

SHA512
6e227c65670a973dcfee43c11ce5ad57ea542ce4fc14d1bf35ef08f3f5b6e2f2a817af4d79b8896d1a6f9d6c85c85c22be756a15542f57ba20f05ba53a0ee837

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y7985417.exe

Filesize
307KB

MD5
dc9339f11fe8d0e73e5cc081891992c9

SHA1
4de6cbb0efa695ede50b834d02d208cad353106c

SHA256
ede9d75312b24790160a46fd6446fed67a66d2ea6b3aae3885eefdfe71de4df4

SHA512
6e227c65670a973dcfee43c11ce5ad57ea542ce4fc14d1bf35ef08f3f5b6e2f2a817af4d79b8896d1a6f9d6c85c85c22be756a15542f57ba20f05ba53a0ee837

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6581361.exe

Filesize
136KB

MD5
55562ff8c858de623d6a77801a672815

SHA1
fd198f5cfd33ecccde1eee73b4ca470c00679e34

SHA256
49633ab955d31f8e2ab7eb8821393d4d2a20803dcbbc5681ba98904301c6a895

SHA512
d90738d0a8e90f4d913e74350f22e8fed61a123624b90c7cced4a0fa39e829389ef5f89bf42d31ba90a4d7a1a34953cf70f4afeb8823ae08e296686ba76dcd0b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6581361.exe

Filesize
136KB

MD5
55562ff8c858de623d6a77801a672815

SHA1
fd198f5cfd33ecccde1eee73b4ca470c00679e34

SHA256
49633ab955d31f8e2ab7eb8821393d4d2a20803dcbbc5681ba98904301c6a895

SHA512
d90738d0a8e90f4d913e74350f22e8fed61a123624b90c7cced4a0fa39e829389ef5f89bf42d31ba90a4d7a1a34953cf70f4afeb8823ae08e296686ba76dcd0b

Download Submit
memory/588-84-0x0000000000100000-0x0000000000128000-memory.dmp

Filesize
160KB

Download
memory/588-85-0x0000000007240000-0x0000000007280000-memory.dmp

Filesize
256KB

Download
memory/588-86-0x0000000007240000-0x0000000007280000-memory.dmp

Filesize
256KB

Download