18cfb5cb802fe6b49808a7a95892e509f908d7440d20f1a6eaaaa1c4259657af

Analysis

max time kernel
142s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-05-2023 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18cfb5cb802fe6b49808a7a95892e509f908d7440d20f1a6eaaaa1c4259657af.exe
Size

890KB
MD5

d1156d92b2b741dd88dac7b3a3304800
SHA1

83f7239229b78ccf6f3033668ab7c135f1f93a26
SHA256

18cfb5cb802fe6b49808a7a95892e509f908d7440d20f1a6eaaaa1c4259657af
SHA512

82fc39c6af299c2aefe087566a6ed12ff2f201ddac85a3203fe4b3a9d0aca9b6c9dedc52facf72bc8253375e85e1e7053566ba9c821fe898f817d1a846134a65
SSDEEP

12288:hy90x9fP1CMpUOrsDF5+56cFUrFrktjUdRzVKdkIJwIh3S0zKFBo9/g3SfsKu2f1:hycX0ZO8+uwwdL1ICI8SvoCxu2TeaoS

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1936	y28900514.exe
1764	p11505084.exe

Loads dropped DLL 5 IoCs

pid	Process
2036	18cfb5cb802fe6b49808a7a95892e509f908d7440d20f1a6eaaaa1c4259657af.exe
1936	y28900514.exe
1936	y28900514.exe
1936	y28900514.exe
1764	p11505084.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	18cfb5cb802fe6b49808a7a95892e509f908d7440d20f1a6eaaaa1c4259657af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	18cfb5cb802fe6b49808a7a95892e509f908d7440d20f1a6eaaaa1c4259657af.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y28900514.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y28900514.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1764	p11505084.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1936	2036	18cfb5cb802fe6b49808a7a95892e509f908d7440d20f1a6eaaaa1c4259657af.exe	28
PID 2036 wrote to memory of 1936	2036	18cfb5cb802fe6b49808a7a95892e509f908d7440d20f1a6eaaaa1c4259657af.exe	28
PID 2036 wrote to memory of 1936	2036	18cfb5cb802fe6b49808a7a95892e509f908d7440d20f1a6eaaaa1c4259657af.exe	28
PID 2036 wrote to memory of 1936	2036	18cfb5cb802fe6b49808a7a95892e509f908d7440d20f1a6eaaaa1c4259657af.exe	28
PID 2036 wrote to memory of 1936	2036	18cfb5cb802fe6b49808a7a95892e509f908d7440d20f1a6eaaaa1c4259657af.exe	28
PID 2036 wrote to memory of 1936	2036	18cfb5cb802fe6b49808a7a95892e509f908d7440d20f1a6eaaaa1c4259657af.exe	28
PID 2036 wrote to memory of 1936	2036	18cfb5cb802fe6b49808a7a95892e509f908d7440d20f1a6eaaaa1c4259657af.exe	28
PID 1936 wrote to memory of 1764	1936	y28900514.exe	29
PID 1936 wrote to memory of 1764	1936	y28900514.exe	29
PID 1936 wrote to memory of 1764	1936	y28900514.exe	29
PID 1936 wrote to memory of 1764	1936	y28900514.exe	29
PID 1936 wrote to memory of 1764	1936	y28900514.exe	29
PID 1936 wrote to memory of 1764	1936	y28900514.exe	29
PID 1936 wrote to memory of 1764	1936	y28900514.exe	29

C:\Users\Admin\AppData\Local\Temp\18cfb5cb802fe6b49808a7a95892e509f908d7440d20f1a6eaaaa1c4259657af.exe
"C:\Users\Admin\AppData\Local\Temp\18cfb5cb802fe6b49808a7a95892e509f908d7440d20f1a6eaaaa1c4259657af.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y28900514.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y28900514.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p11505084.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p11505084.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y28900514.exe

Filesize
589KB

MD5
ff364d53df504632dbc1701429e154b2

SHA1
f8df1498bcb70ab19755162d2e0d30cfc023500d

SHA256
e8a7312544eb5fa0b3bf22300a67d3fc0ddf322c0739778a1a40f37488419311

SHA512
64b1545ba3bd80821a4c2315cbb3172ae0c0d2bad79c705619692b6a30701d3b2511fd938ead0184f8998444458519a28d91204e03a17f994e55a71ebb38e77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y28900514.exe

Filesize
589KB

MD5
ff364d53df504632dbc1701429e154b2

SHA1
f8df1498bcb70ab19755162d2e0d30cfc023500d

SHA256
e8a7312544eb5fa0b3bf22300a67d3fc0ddf322c0739778a1a40f37488419311

SHA512
64b1545ba3bd80821a4c2315cbb3172ae0c0d2bad79c705619692b6a30701d3b2511fd938ead0184f8998444458519a28d91204e03a17f994e55a71ebb38e77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p11505084.exe

Filesize
530KB

MD5
2278cb7db32184ebde6b36e5d87236a7

SHA1
fd9b12d385e24e443ac2f029e689f01aa6ffa005

SHA256
698d98c66f544b06f815cb7b24db3241afad40cb2d3d0c9460d5ac0e5567f035

SHA512
873268d7debd2eac7b8edc7900bdc3cbf01cc9e6c4a68d336e2e04302579fb91c14b97ca42263118973ccca881cbb3e67a82fb97bd762c01933cc538b5b80c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p11505084.exe

Filesize
530KB

MD5
2278cb7db32184ebde6b36e5d87236a7

SHA1
fd9b12d385e24e443ac2f029e689f01aa6ffa005

SHA256
698d98c66f544b06f815cb7b24db3241afad40cb2d3d0c9460d5ac0e5567f035

SHA512
873268d7debd2eac7b8edc7900bdc3cbf01cc9e6c4a68d336e2e04302579fb91c14b97ca42263118973ccca881cbb3e67a82fb97bd762c01933cc538b5b80c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p11505084.exe

Filesize
530KB

MD5
2278cb7db32184ebde6b36e5d87236a7

SHA1
fd9b12d385e24e443ac2f029e689f01aa6ffa005

SHA256
698d98c66f544b06f815cb7b24db3241afad40cb2d3d0c9460d5ac0e5567f035

SHA512
873268d7debd2eac7b8edc7900bdc3cbf01cc9e6c4a68d336e2e04302579fb91c14b97ca42263118973ccca881cbb3e67a82fb97bd762c01933cc538b5b80c7c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y28900514.exe

Filesize
589KB

MD5
ff364d53df504632dbc1701429e154b2

SHA1
f8df1498bcb70ab19755162d2e0d30cfc023500d

SHA256
e8a7312544eb5fa0b3bf22300a67d3fc0ddf322c0739778a1a40f37488419311

SHA512
64b1545ba3bd80821a4c2315cbb3172ae0c0d2bad79c705619692b6a30701d3b2511fd938ead0184f8998444458519a28d91204e03a17f994e55a71ebb38e77a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y28900514.exe

Filesize
589KB

MD5
ff364d53df504632dbc1701429e154b2

SHA1
f8df1498bcb70ab19755162d2e0d30cfc023500d

SHA256
e8a7312544eb5fa0b3bf22300a67d3fc0ddf322c0739778a1a40f37488419311

SHA512
64b1545ba3bd80821a4c2315cbb3172ae0c0d2bad79c705619692b6a30701d3b2511fd938ead0184f8998444458519a28d91204e03a17f994e55a71ebb38e77a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\p11505084.exe

Filesize
530KB

MD5
2278cb7db32184ebde6b36e5d87236a7

SHA1
fd9b12d385e24e443ac2f029e689f01aa6ffa005

SHA256
698d98c66f544b06f815cb7b24db3241afad40cb2d3d0c9460d5ac0e5567f035

SHA512
873268d7debd2eac7b8edc7900bdc3cbf01cc9e6c4a68d336e2e04302579fb91c14b97ca42263118973ccca881cbb3e67a82fb97bd762c01933cc538b5b80c7c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\p11505084.exe

Filesize
530KB

MD5
2278cb7db32184ebde6b36e5d87236a7

SHA1
fd9b12d385e24e443ac2f029e689f01aa6ffa005

SHA256
698d98c66f544b06f815cb7b24db3241afad40cb2d3d0c9460d5ac0e5567f035

SHA512
873268d7debd2eac7b8edc7900bdc3cbf01cc9e6c4a68d336e2e04302579fb91c14b97ca42263118973ccca881cbb3e67a82fb97bd762c01933cc538b5b80c7c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\p11505084.exe

Filesize
530KB

MD5
2278cb7db32184ebde6b36e5d87236a7

SHA1
fd9b12d385e24e443ac2f029e689f01aa6ffa005

SHA256
698d98c66f544b06f815cb7b24db3241afad40cb2d3d0c9460d5ac0e5567f035

SHA512
873268d7debd2eac7b8edc7900bdc3cbf01cc9e6c4a68d336e2e04302579fb91c14b97ca42263118973ccca881cbb3e67a82fb97bd762c01933cc538b5b80c7c

Download Submit
memory/1764-102-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-114-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-80-0x0000000002980000-0x00000000029E6000-memory.dmp

Filesize
408KB

Download
memory/1764-81-0x00000000028B0000-0x00000000028F0000-memory.dmp

Filesize
256KB

Download
memory/1764-82-0x00000000028B0000-0x00000000028F0000-memory.dmp

Filesize
256KB

Download
memory/1764-83-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-84-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-86-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-88-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-90-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-92-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-96-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-94-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-98-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-78-0x0000000000330000-0x000000000038B000-memory.dmp

Filesize
364KB

Download
memory/1764-100-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-104-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-106-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-108-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-79-0x0000000002910000-0x0000000002978000-memory.dmp

Filesize
416KB

Download
memory/1764-112-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-110-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-118-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-120-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-116-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-124-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-122-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-128-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-126-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-132-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-130-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-134-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-136-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-140-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-138-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-146-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-144-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-142-0x0000000002980000-0x00000000029E0000-memory.dmp

Filesize
384KB

Download
memory/1764-149-0x00000000028B0000-0x00000000028F0000-memory.dmp

Filesize
256KB

Download
memory/1764-150-0x00000000028B0000-0x00000000028F0000-memory.dmp

Filesize
256KB

Download