2246bae0cc647efcee94e084344f5b969b7e920d3b90787263023032d42ebaa9

Analysis

max time kernel
188s
max time network
205s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2246bae0cc647efcee94e084344f5b969b7e920d3b90787263023032d42ebaa9.exe
Size

1.2MB
MD5

803632952dd0cb64851af3ffcd92d4df
SHA1

634d6f2ad92fd43f6ec626ef5f20dc30d6eae1b3
SHA256

2246bae0cc647efcee94e084344f5b969b7e920d3b90787263023032d42ebaa9
SHA512

4976369e4a482ebbb2bf0ca90697f79df71a2f0b94eeb9e47dd4a823a694a16f6894a21e33bc53a7ecd62e1054528fc18f5fec189311e11cff8c6c5a92d82603
SSDEEP

24576:pyqD4zs/8P4pChsEBB/7oOspZddYa9B5Rm3FjN9iQHzIr:cqDYs/8Pygb/7ypZn9B5RQNrHk

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2008	x7245046.exe
1416	x9189549.exe
1192	g8193171.exe

Loads dropped DLL 6 IoCs

pid	Process
1180	2246bae0cc647efcee94e084344f5b969b7e920d3b90787263023032d42ebaa9.exe
2008	x7245046.exe
2008	x7245046.exe
1416	x9189549.exe
1416	x9189549.exe
1192	g8193171.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x7245046.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7245046.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x9189549.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9189549.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2246bae0cc647efcee94e084344f5b969b7e920d3b90787263023032d42ebaa9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2246bae0cc647efcee94e084344f5b969b7e920d3b90787263023032d42ebaa9.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 2008	1180	2246bae0cc647efcee94e084344f5b969b7e920d3b90787263023032d42ebaa9.exe	28
PID 1180 wrote to memory of 2008	1180	2246bae0cc647efcee94e084344f5b969b7e920d3b90787263023032d42ebaa9.exe	28
PID 1180 wrote to memory of 2008	1180	2246bae0cc647efcee94e084344f5b969b7e920d3b90787263023032d42ebaa9.exe	28
PID 1180 wrote to memory of 2008	1180	2246bae0cc647efcee94e084344f5b969b7e920d3b90787263023032d42ebaa9.exe	28
PID 1180 wrote to memory of 2008	1180	2246bae0cc647efcee94e084344f5b969b7e920d3b90787263023032d42ebaa9.exe	28
PID 1180 wrote to memory of 2008	1180	2246bae0cc647efcee94e084344f5b969b7e920d3b90787263023032d42ebaa9.exe	28
PID 1180 wrote to memory of 2008	1180	2246bae0cc647efcee94e084344f5b969b7e920d3b90787263023032d42ebaa9.exe	28
PID 2008 wrote to memory of 1416	2008	x7245046.exe	29
PID 2008 wrote to memory of 1416	2008	x7245046.exe	29
PID 2008 wrote to memory of 1416	2008	x7245046.exe	29
PID 2008 wrote to memory of 1416	2008	x7245046.exe	29
PID 2008 wrote to memory of 1416	2008	x7245046.exe	29
PID 2008 wrote to memory of 1416	2008	x7245046.exe	29
PID 2008 wrote to memory of 1416	2008	x7245046.exe	29
PID 1416 wrote to memory of 1192	1416	x9189549.exe	30
PID 1416 wrote to memory of 1192	1416	x9189549.exe	30
PID 1416 wrote to memory of 1192	1416	x9189549.exe	30
PID 1416 wrote to memory of 1192	1416	x9189549.exe	30
PID 1416 wrote to memory of 1192	1416	x9189549.exe	30
PID 1416 wrote to memory of 1192	1416	x9189549.exe	30
PID 1416 wrote to memory of 1192	1416	x9189549.exe	30

C:\Users\Admin\AppData\Local\Temp\2246bae0cc647efcee94e084344f5b969b7e920d3b90787263023032d42ebaa9.exe
"C:\Users\Admin\AppData\Local\Temp\2246bae0cc647efcee94e084344f5b969b7e920d3b90787263023032d42ebaa9.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7245046.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7245046.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9189549.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9189549.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8193171.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8193171.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7245046.exe

Filesize
914KB

MD5
d29fb5d8dbc08b1e63a6ef5ccf018b5b

SHA1
f53c29a28fb8738f2ec81e87ec28e3c1e22e56cf

SHA256
fd15108238897b1ecc3c0aa53dc0377288f3b38d4a18db006f2b190d84ea8438

SHA512
284b1233a40e0072ed398c1f9fb116d3e994aa5ad47c44afcb5646e03e7354d5a9596910521b182a2f09bcbe90e559f9d00f3757b4454244579596e24c5e45eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7245046.exe

Filesize
914KB

MD5
d29fb5d8dbc08b1e63a6ef5ccf018b5b

SHA1
f53c29a28fb8738f2ec81e87ec28e3c1e22e56cf

SHA256
fd15108238897b1ecc3c0aa53dc0377288f3b38d4a18db006f2b190d84ea8438

SHA512
284b1233a40e0072ed398c1f9fb116d3e994aa5ad47c44afcb5646e03e7354d5a9596910521b182a2f09bcbe90e559f9d00f3757b4454244579596e24c5e45eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9189549.exe

Filesize
416KB

MD5
b3ef01c2e281fa6bfe2d85c48448f629

SHA1
e5e87554229eb4b1148bc2ad50697640531d8a25

SHA256
76985092eca6335a32c2a7029233885259d59a672f117d5b4920dae25786e54f

SHA512
b4c1214ff2674e266df869c02d5540ab1014c2ac03d82c4812ba8b002f39feea35ed35f857423e8f4be65a0e68842430c94b1f1e2973ccc50730cfe9495c2540

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9189549.exe

Filesize
416KB

MD5
b3ef01c2e281fa6bfe2d85c48448f629

SHA1
e5e87554229eb4b1148bc2ad50697640531d8a25

SHA256
76985092eca6335a32c2a7029233885259d59a672f117d5b4920dae25786e54f

SHA512
b4c1214ff2674e266df869c02d5540ab1014c2ac03d82c4812ba8b002f39feea35ed35f857423e8f4be65a0e68842430c94b1f1e2973ccc50730cfe9495c2540

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8193171.exe

Filesize
136KB

MD5
ac79af1d38d97d9cb165b104ec1e5cbe

SHA1
c4b57a4b77f7d0551ea758a8284b1327ec05a39b

SHA256
7027de7c8c67a0a1d88fd0241eaa1d2d5bafea7e2c9c968093ce750e564e5894

SHA512
cba01f902ea79acef1f9a8c26be54ea6f0cd2eaf1f558104160df18c3504bf99f37eb3606d7f2397646e18b2a7f592a0a015a5c06d64c93de644dfbf632b844f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8193171.exe

Filesize
136KB

MD5
ac79af1d38d97d9cb165b104ec1e5cbe

SHA1
c4b57a4b77f7d0551ea758a8284b1327ec05a39b

SHA256
7027de7c8c67a0a1d88fd0241eaa1d2d5bafea7e2c9c968093ce750e564e5894

SHA512
cba01f902ea79acef1f9a8c26be54ea6f0cd2eaf1f558104160df18c3504bf99f37eb3606d7f2397646e18b2a7f592a0a015a5c06d64c93de644dfbf632b844f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7245046.exe

Filesize
914KB

MD5
d29fb5d8dbc08b1e63a6ef5ccf018b5b

SHA1
f53c29a28fb8738f2ec81e87ec28e3c1e22e56cf

SHA256
fd15108238897b1ecc3c0aa53dc0377288f3b38d4a18db006f2b190d84ea8438

SHA512
284b1233a40e0072ed398c1f9fb116d3e994aa5ad47c44afcb5646e03e7354d5a9596910521b182a2f09bcbe90e559f9d00f3757b4454244579596e24c5e45eb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7245046.exe

Filesize
914KB

MD5
d29fb5d8dbc08b1e63a6ef5ccf018b5b

SHA1
f53c29a28fb8738f2ec81e87ec28e3c1e22e56cf

SHA256
fd15108238897b1ecc3c0aa53dc0377288f3b38d4a18db006f2b190d84ea8438

SHA512
284b1233a40e0072ed398c1f9fb116d3e994aa5ad47c44afcb5646e03e7354d5a9596910521b182a2f09bcbe90e559f9d00f3757b4454244579596e24c5e45eb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9189549.exe

Filesize
416KB

MD5
b3ef01c2e281fa6bfe2d85c48448f629

SHA1
e5e87554229eb4b1148bc2ad50697640531d8a25

SHA256
76985092eca6335a32c2a7029233885259d59a672f117d5b4920dae25786e54f

SHA512
b4c1214ff2674e266df869c02d5540ab1014c2ac03d82c4812ba8b002f39feea35ed35f857423e8f4be65a0e68842430c94b1f1e2973ccc50730cfe9495c2540

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9189549.exe

Filesize
416KB

MD5
b3ef01c2e281fa6bfe2d85c48448f629

SHA1
e5e87554229eb4b1148bc2ad50697640531d8a25

SHA256
76985092eca6335a32c2a7029233885259d59a672f117d5b4920dae25786e54f

SHA512
b4c1214ff2674e266df869c02d5540ab1014c2ac03d82c4812ba8b002f39feea35ed35f857423e8f4be65a0e68842430c94b1f1e2973ccc50730cfe9495c2540

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8193171.exe

Filesize
136KB

MD5
ac79af1d38d97d9cb165b104ec1e5cbe

SHA1
c4b57a4b77f7d0551ea758a8284b1327ec05a39b

SHA256
7027de7c8c67a0a1d88fd0241eaa1d2d5bafea7e2c9c968093ce750e564e5894

SHA512
cba01f902ea79acef1f9a8c26be54ea6f0cd2eaf1f558104160df18c3504bf99f37eb3606d7f2397646e18b2a7f592a0a015a5c06d64c93de644dfbf632b844f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8193171.exe

Filesize
136KB

MD5
ac79af1d38d97d9cb165b104ec1e5cbe

SHA1
c4b57a4b77f7d0551ea758a8284b1327ec05a39b

SHA256
7027de7c8c67a0a1d88fd0241eaa1d2d5bafea7e2c9c968093ce750e564e5894

SHA512
cba01f902ea79acef1f9a8c26be54ea6f0cd2eaf1f558104160df18c3504bf99f37eb3606d7f2397646e18b2a7f592a0a015a5c06d64c93de644dfbf632b844f

Download Submit
memory/1192-84-0x00000000002E0000-0x0000000000308000-memory.dmp

Filesize
160KB

Download
memory/1192-85-0x0000000000C70000-0x0000000000CB0000-memory.dmp

Filesize
256KB

Download
memory/1192-86-0x0000000000C70000-0x0000000000CB0000-memory.dmp

Filesize
256KB

Download