245071fba976fac26a3ebfccd27e7c5dfc463f21aee71c8d80f695414855c193

Analysis

max time kernel
362s
max time network
441s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

245071fba976fac26a3ebfccd27e7c5dfc463f21aee71c8d80f695414855c193.exe
Size

1.5MB
MD5

fb823b9e6f7f5fd137c63ed6ff24b926
SHA1

acd87d814332ecf3a3cb3e2d10d381f9c7072ff0
SHA256

245071fba976fac26a3ebfccd27e7c5dfc463f21aee71c8d80f695414855c193
SHA512

0d2a479cfd29fadd105d9d6551d7e80459bc9535299cf11ad222f46fbe359837f6b129cc9ae503b28ab99b821d00612d0c631cb641805c15c9ff2073f800d92f
SSDEEP

24576:bybEPWVa2zEAl21EtYhD+U0r6dYku6lUcoymG6GEXm1qIZQ8h39Zh+:ObEOVVEK2OtYSuakuPGem19h39f

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

za000900.exeza931165.exeza610672.exe35530032.exe

pid process

3668 za000900.exe
2368 za931165.exe
3448 za610672.exe
3412 35530032.exe

pid	process
3668	za000900.exe
2368	za931165.exe
3448	za610672.exe
3412	35530032.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

za610672.exe245071fba976fac26a3ebfccd27e7c5dfc463f21aee71c8d80f695414855c193.exeza000900.exeza931165.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za610672.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	za610672.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	245071fba976fac26a3ebfccd27e7c5dfc463f21aee71c8d80f695414855c193.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	245071fba976fac26a3ebfccd27e7c5dfc463f21aee71c8d80f695414855c193.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za000900.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za000900.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za931165.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za931165.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

35530032.exe

description pid process

Token: SeDebugPrivilege 3412 35530032.exe

description	pid	process
Token: SeDebugPrivilege	3412	35530032.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

245071fba976fac26a3ebfccd27e7c5dfc463f21aee71c8d80f695414855c193.exeza000900.exeza931165.exeza610672.exe

description	pid	process	target process
PID 4296 wrote to memory of 3668	4296	245071fba976fac26a3ebfccd27e7c5dfc463f21aee71c8d80f695414855c193.exe	za000900.exe
PID 4296 wrote to memory of 3668	4296	245071fba976fac26a3ebfccd27e7c5dfc463f21aee71c8d80f695414855c193.exe	za000900.exe
PID 4296 wrote to memory of 3668	4296	245071fba976fac26a3ebfccd27e7c5dfc463f21aee71c8d80f695414855c193.exe	za000900.exe
PID 3668 wrote to memory of 2368	3668	za000900.exe	za931165.exe
PID 3668 wrote to memory of 2368	3668	za000900.exe	za931165.exe
PID 3668 wrote to memory of 2368	3668	za000900.exe	za931165.exe
PID 2368 wrote to memory of 3448	2368	za931165.exe	za610672.exe
PID 2368 wrote to memory of 3448	2368	za931165.exe	za610672.exe
PID 2368 wrote to memory of 3448	2368	za931165.exe	za610672.exe
PID 3448 wrote to memory of 3412	3448	za610672.exe	35530032.exe
PID 3448 wrote to memory of 3412	3448	za610672.exe	35530032.exe
PID 3448 wrote to memory of 3412	3448	za610672.exe	35530032.exe

C:\Users\Admin\AppData\Local\Temp\245071fba976fac26a3ebfccd27e7c5dfc463f21aee71c8d80f695414855c193.exe
"C:\Users\Admin\AppData\Local\Temp\245071fba976fac26a3ebfccd27e7c5dfc463f21aee71c8d80f695414855c193.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za000900.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za000900.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za931165.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za931165.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za610672.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za610672.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3448
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\35530032.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\35530032.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za000900.exe

Filesize
1.3MB

MD5
a4abfcd4002c88e9819e816564b630b9

SHA1
93dffa783494361c2a013f0b479afd5c5ef92136

SHA256
6d01b8ec998dbbb94ce5cee35d56b3c6c686bad7482c52b095934e2f2aaf8dc0

SHA512
6816a60728763239587e57980704479bc7b17f2e45e75df46096624c6e5caa35dbeabf2aeacb80318a7eb8caffa2120262440b7f7ba06aa9ee4f8c61333b9e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za000900.exe

Filesize
1.3MB

MD5
a4abfcd4002c88e9819e816564b630b9

SHA1
93dffa783494361c2a013f0b479afd5c5ef92136

SHA256
6d01b8ec998dbbb94ce5cee35d56b3c6c686bad7482c52b095934e2f2aaf8dc0

SHA512
6816a60728763239587e57980704479bc7b17f2e45e75df46096624c6e5caa35dbeabf2aeacb80318a7eb8caffa2120262440b7f7ba06aa9ee4f8c61333b9e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za931165.exe

Filesize
882KB

MD5
83261b2448acdaaedc82261f92b898d8

SHA1
02bfc77c21206bd8fcc218524c8927c790424a68

SHA256
e87deb7b4fe683cd2050c7901ca970cdac68d231101aab0d9ef295a9e938eba1

SHA512
e53667ca03e56ee633a3c22f68a0d72a1f85940ac68f938d747531b17e3a7965d1b466812fe9c7963dee4732c3bc71ea1bdf2230885b7ccb6196389e65b9de91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za931165.exe

Filesize
882KB

MD5
83261b2448acdaaedc82261f92b898d8

SHA1
02bfc77c21206bd8fcc218524c8927c790424a68

SHA256
e87deb7b4fe683cd2050c7901ca970cdac68d231101aab0d9ef295a9e938eba1

SHA512
e53667ca03e56ee633a3c22f68a0d72a1f85940ac68f938d747531b17e3a7965d1b466812fe9c7963dee4732c3bc71ea1bdf2230885b7ccb6196389e65b9de91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za610672.exe

Filesize
699KB

MD5
58fa52051187c0972ef4b9eb98453828

SHA1
78d5d5678f15f4ba9d940b2b98c0027a62f5a7b8

SHA256
bb938296206de6caa901840a03bd1f9d8d2f0f6e563622d33856fb051b2adde9

SHA512
fc50533d526d4132898bb3ab9c93e8a8d8d36031a1406f0276165cabd9d05310f9523f3411c3eb19c2a3cba684c02c1a85be08c888844f75f16ae29e088cf770

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za610672.exe

Filesize
699KB

MD5
58fa52051187c0972ef4b9eb98453828

SHA1
78d5d5678f15f4ba9d940b2b98c0027a62f5a7b8

SHA256
bb938296206de6caa901840a03bd1f9d8d2f0f6e563622d33856fb051b2adde9

SHA512
fc50533d526d4132898bb3ab9c93e8a8d8d36031a1406f0276165cabd9d05310f9523f3411c3eb19c2a3cba684c02c1a85be08c888844f75f16ae29e088cf770

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\35530032.exe

Filesize
300KB

MD5
8c1d72986377afbd5ccbb5452019e5e8

SHA1
ff697bf2a44dfd4c2fbca7da5d1c751029a3efc1

SHA256
802904921f7a82fc05de0ee19132b594e5348b9538320268bacba9a0284d41f4

SHA512
e82005419d8b1608bdcae126fd6714272c0b144bd9d20b96323d850c95976fcb40646bcff1f8473f5adf2524254293499fc853362c941669b4b3137709622198

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\35530032.exe

Filesize
300KB

MD5
8c1d72986377afbd5ccbb5452019e5e8

SHA1
ff697bf2a44dfd4c2fbca7da5d1c751029a3efc1

SHA256
802904921f7a82fc05de0ee19132b594e5348b9538320268bacba9a0284d41f4

SHA512
e82005419d8b1608bdcae126fd6714272c0b144bd9d20b96323d850c95976fcb40646bcff1f8473f5adf2524254293499fc853362c941669b4b3137709622198

Download Submit
memory/3412-188-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-198-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-163-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-165-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/3412-166-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-167-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/3412-169-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/3412-170-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-172-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-174-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-176-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-178-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-180-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-182-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-184-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-186-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-161-0x0000000004B10000-0x00000000050B4000-memory.dmp

Filesize
5.6MB

Download
memory/3412-190-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-192-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-194-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-196-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-162-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-206-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-204-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-202-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-200-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-208-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-210-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-212-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-214-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-216-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-218-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-220-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-222-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-224-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-226-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-228-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/3412-2293-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/3412-2294-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/3412-2295-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/3412-2296-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download