25fca770a6d07568fdb80562f268396fe56e5eee31642465a7cccc8fc1327e6b

Analysis

max time kernel
256s
max time network
329s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25fca770a6d07568fdb80562f268396fe56e5eee31642465a7cccc8fc1327e6b.exe
Size

850KB
MD5

dd610090fcca1ab9dca44e75fa6ec956
SHA1

09db66afa9c17bfb0987cd68b92a11935a84391b
SHA256

25fca770a6d07568fdb80562f268396fe56e5eee31642465a7cccc8fc1327e6b
SHA512

d365ed9fbab8368e517d9bb64176c7f8a87fef7409c4c2920da60a170ad5b6fa7d3b497756440b47d85e5d3c6dbbe5b458ca29cbeec7859b3baef5a373267986
SSDEEP

12288:Ky90oUEXsNWbXV+ikWmP0SvAVq/U4aj4E7KvCcFuqo2ZNVoCoFOtwx3+m2Ti1Vb:KyYUsYRdkWNSoVevClyZT3Fwx12TiPb

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2968	y47429866.exe
2540	p20982233.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	25fca770a6d07568fdb80562f268396fe56e5eee31642465a7cccc8fc1327e6b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	25fca770a6d07568fdb80562f268396fe56e5eee31642465a7cccc8fc1327e6b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y47429866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y47429866.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2968	2880	25fca770a6d07568fdb80562f268396fe56e5eee31642465a7cccc8fc1327e6b.exe	82
PID 2880 wrote to memory of 2968	2880	25fca770a6d07568fdb80562f268396fe56e5eee31642465a7cccc8fc1327e6b.exe	82
PID 2880 wrote to memory of 2968	2880	25fca770a6d07568fdb80562f268396fe56e5eee31642465a7cccc8fc1327e6b.exe	82
PID 2968 wrote to memory of 2540	2968	y47429866.exe	83
PID 2968 wrote to memory of 2540	2968	y47429866.exe	83
PID 2968 wrote to memory of 2540	2968	y47429866.exe	83

C:\Users\Admin\AppData\Local\Temp\25fca770a6d07568fdb80562f268396fe56e5eee31642465a7cccc8fc1327e6b.exe
"C:\Users\Admin\AppData\Local\Temp\25fca770a6d07568fdb80562f268396fe56e5eee31642465a7cccc8fc1327e6b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y47429866.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y47429866.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p20982233.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p20982233.exe
    3⤵
    - Executes dropped EXE
    PID:2540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y47429866.exe

Filesize
570KB

MD5
1e1bf584822663a6ec66e111117c01eb

SHA1
7ddb0c6cea0e94d49bf8013c15c839e8d4a960d2

SHA256
9d999b489e3556acb62eb7396bf7dfab9dd236296e29b4c61853a4c6f943f6b2

SHA512
ed71772b77fd35dfd40ca57e851c2bca3c69eebad4798974179894e6c3e7fbf65b459db045f166e5bccf118c4d22360be3543dae57146e0d225e50a3dc302856

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y47429866.exe

Filesize
570KB

MD5
1e1bf584822663a6ec66e111117c01eb

SHA1
7ddb0c6cea0e94d49bf8013c15c839e8d4a960d2

SHA256
9d999b489e3556acb62eb7396bf7dfab9dd236296e29b4c61853a4c6f943f6b2

SHA512
ed71772b77fd35dfd40ca57e851c2bca3c69eebad4798974179894e6c3e7fbf65b459db045f166e5bccf118c4d22360be3543dae57146e0d225e50a3dc302856

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p20982233.exe

Filesize
476KB

MD5
d4ca458396eb95cfe35a1f4a5dce6bb3

SHA1
9dce46f0a6435c41228a76d1f340d364c7ae1bb2

SHA256
da4823f8d636e220fbf08a8ab4f9fd553848bead7b2cbe8a1fca449e8a223845

SHA512
a1d8cf1557f9abab61d86cec1343768f93ab98b9dee4ef73f2bf84b0d5761a6c522d55245c3665322074f8a173098f1eea579eaa2646f321a4004e72bc22fff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p20982233.exe

Filesize
476KB

MD5
d4ca458396eb95cfe35a1f4a5dce6bb3

SHA1
9dce46f0a6435c41228a76d1f340d364c7ae1bb2

SHA256
da4823f8d636e220fbf08a8ab4f9fd553848bead7b2cbe8a1fca449e8a223845

SHA512
a1d8cf1557f9abab61d86cec1343768f93ab98b9dee4ef73f2bf84b0d5761a6c522d55245c3665322074f8a173098f1eea579eaa2646f321a4004e72bc22fff6

Download Submit
memory/2540-148-0x0000000000400000-0x00000000006F8000-memory.dmp

Filesize
3.0MB

Download
memory/2540-149-0x0000000000830000-0x000000000088B000-memory.dmp

Filesize
364KB

Download