6765fba44174a974a4a3cc0347b6b265a34db9d48f5c4242a8a56cf321b8212b

Analysis

max time kernel
28s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07-05-2023 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6765fba44174a974a4a3cc0347b6b265a34db9d48f5c4242a8a56cf321b8212b.exe
Size

1.5MB
MD5

e61f058eb8079d589848bafd02428a13
SHA1

c6559c3a32c1256ffcb2208f8a508795848d5d54
SHA256

6765fba44174a974a4a3cc0347b6b265a34db9d48f5c4242a8a56cf321b8212b
SHA512

3e4d543d8ec1dd508785530e1b4d28143b888b2c90841325b442c381c8e1c02a3403c2d3f07944afaf45ec61e8be506fcbbe4656a8ed06f8e8096e8767f835c7
SSDEEP

24576:XyxOuLlo8a3q35Nq7avsX8XqixXvD+r+D5WZq5odo0X67hNpelCZOe1:ix9L28a3CN+aEXUvD+r+NVHbvOe

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

za471106.exeza854395.exeza642587.exe27295849.exe

pid process

1868 za471106.exe
1352 za854395.exe
1328 za642587.exe
1628 27295849.exe

pid	process
1868	za471106.exe
1352	za854395.exe
1328	za642587.exe
1628	27295849.exe

Loads dropped DLL 8 IoCs

Processes:

6765fba44174a974a4a3cc0347b6b265a34db9d48f5c4242a8a56cf321b8212b.exeza471106.exeza854395.exeza642587.exe27295849.exe

pid	process
1692	6765fba44174a974a4a3cc0347b6b265a34db9d48f5c4242a8a56cf321b8212b.exe
1868	za471106.exe
1868	za471106.exe
1352	za854395.exe
1352	za854395.exe
1328	za642587.exe
1328	za642587.exe
1628	27295849.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

za642587.exe6765fba44174a974a4a3cc0347b6b265a34db9d48f5c4242a8a56cf321b8212b.exeza471106.exeza854395.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	za642587.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6765fba44174a974a4a3cc0347b6b265a34db9d48f5c4242a8a56cf321b8212b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6765fba44174a974a4a3cc0347b6b265a34db9d48f5c4242a8a56cf321b8212b.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za471106.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za471106.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za854395.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za854395.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za642587.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

27295849.exe

description pid process

Token: SeDebugPrivilege 1628 27295849.exe

description	pid	process
Token: SeDebugPrivilege	1628	27295849.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

6765fba44174a974a4a3cc0347b6b265a34db9d48f5c4242a8a56cf321b8212b.exeza471106.exeza854395.exeza642587.exe

description	pid	process	target process
PID 1692 wrote to memory of 1868	1692	6765fba44174a974a4a3cc0347b6b265a34db9d48f5c4242a8a56cf321b8212b.exe	za471106.exe
PID 1692 wrote to memory of 1868	1692	6765fba44174a974a4a3cc0347b6b265a34db9d48f5c4242a8a56cf321b8212b.exe	za471106.exe
PID 1692 wrote to memory of 1868	1692	6765fba44174a974a4a3cc0347b6b265a34db9d48f5c4242a8a56cf321b8212b.exe	za471106.exe
PID 1692 wrote to memory of 1868	1692	6765fba44174a974a4a3cc0347b6b265a34db9d48f5c4242a8a56cf321b8212b.exe	za471106.exe
PID 1692 wrote to memory of 1868	1692	6765fba44174a974a4a3cc0347b6b265a34db9d48f5c4242a8a56cf321b8212b.exe	za471106.exe
PID 1692 wrote to memory of 1868	1692	6765fba44174a974a4a3cc0347b6b265a34db9d48f5c4242a8a56cf321b8212b.exe	za471106.exe
PID 1692 wrote to memory of 1868	1692	6765fba44174a974a4a3cc0347b6b265a34db9d48f5c4242a8a56cf321b8212b.exe	za471106.exe
PID 1868 wrote to memory of 1352	1868	za471106.exe	za854395.exe
PID 1868 wrote to memory of 1352	1868	za471106.exe	za854395.exe
PID 1868 wrote to memory of 1352	1868	za471106.exe	za854395.exe
PID 1868 wrote to memory of 1352	1868	za471106.exe	za854395.exe
PID 1868 wrote to memory of 1352	1868	za471106.exe	za854395.exe
PID 1868 wrote to memory of 1352	1868	za471106.exe	za854395.exe
PID 1868 wrote to memory of 1352	1868	za471106.exe	za854395.exe
PID 1352 wrote to memory of 1328	1352	za854395.exe	za642587.exe
PID 1352 wrote to memory of 1328	1352	za854395.exe	za642587.exe
PID 1352 wrote to memory of 1328	1352	za854395.exe	za642587.exe
PID 1352 wrote to memory of 1328	1352	za854395.exe	za642587.exe
PID 1352 wrote to memory of 1328	1352	za854395.exe	za642587.exe
PID 1352 wrote to memory of 1328	1352	za854395.exe	za642587.exe
PID 1352 wrote to memory of 1328	1352	za854395.exe	za642587.exe
PID 1328 wrote to memory of 1628	1328	za642587.exe	27295849.exe
PID 1328 wrote to memory of 1628	1328	za642587.exe	27295849.exe
PID 1328 wrote to memory of 1628	1328	za642587.exe	27295849.exe
PID 1328 wrote to memory of 1628	1328	za642587.exe	27295849.exe
PID 1328 wrote to memory of 1628	1328	za642587.exe	27295849.exe
PID 1328 wrote to memory of 1628	1328	za642587.exe	27295849.exe
PID 1328 wrote to memory of 1628	1328	za642587.exe	27295849.exe

C:\Users\Admin\AppData\Local\Temp\6765fba44174a974a4a3cc0347b6b265a34db9d48f5c4242a8a56cf321b8212b.exe
"C:\Users\Admin\AppData\Local\Temp\6765fba44174a974a4a3cc0347b6b265a34db9d48f5c4242a8a56cf321b8212b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za471106.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za471106.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1868

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za854395.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za854395.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za642587.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za642587.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1328

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\27295849.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\27295849.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1628

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za471106.exe
Filesize
1.3MB

MD5
73fb106fdfaeef68269de9d9d2d09275

SHA1
b8c6985dca20371d57be2577bc2a2a4c1884c14d

SHA256
1e2880383e822357afd2536aad1bf9f198df15e2efb996b872f5f0eb020b80e6

SHA512
aa8708b22a1260c394693a991fb9809b3ae16f2e498a43f5982fb99968efcdb57475ee2da781cab8b8f7eb59e97e0e0f21294d431d482dbbf4567a736361f4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za471106.exe
Filesize
1.3MB

MD5
73fb106fdfaeef68269de9d9d2d09275

SHA1
b8c6985dca20371d57be2577bc2a2a4c1884c14d

SHA256
1e2880383e822357afd2536aad1bf9f198df15e2efb996b872f5f0eb020b80e6

SHA512
aa8708b22a1260c394693a991fb9809b3ae16f2e498a43f5982fb99968efcdb57475ee2da781cab8b8f7eb59e97e0e0f21294d431d482dbbf4567a736361f4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za854395.exe
Filesize
862KB

MD5
2233f6dc0238f4b82c92b0478bad4ffa

SHA1
bba90569c4d7271037d96b61eb0cb59cb9bac83c

SHA256
17c992e3280a86dbeb419fdb447147135a1477687ff1319ffb955cfbbc601fc4

SHA512
8128f6fd2728997c20e46d5532a28ed4e4ccbd190ffc995ff5956ce140fdca714f20d9f31407bb794e9b92b66dca5dad69aaf5320f948ca6b64b8b278508dd7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za854395.exe
Filesize
862KB

MD5
2233f6dc0238f4b82c92b0478bad4ffa

SHA1
bba90569c4d7271037d96b61eb0cb59cb9bac83c

SHA256
17c992e3280a86dbeb419fdb447147135a1477687ff1319ffb955cfbbc601fc4

SHA512
8128f6fd2728997c20e46d5532a28ed4e4ccbd190ffc995ff5956ce140fdca714f20d9f31407bb794e9b92b66dca5dad69aaf5320f948ca6b64b8b278508dd7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za642587.exe
Filesize
680KB

MD5
a67554e8f69e0bc3ee28adbfd8c5125d

SHA1
b0723bcf78b1cf26b2dcc0c38cd3dac278f2d37b

SHA256
0c7991872337f8c2af705f6846514bb670d0b83d98dcde63d83ded36452aa209

SHA512
ae04b12e8850856292fdc5c000ab32180fc3c0e7bd1022ef9b2225bb509d7fd7789f0b581b79b5a57377c672f68aa06c6d83bed5119185d61bcb3df94d4ba818

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za642587.exe
Filesize
680KB

MD5
a67554e8f69e0bc3ee28adbfd8c5125d

SHA1
b0723bcf78b1cf26b2dcc0c38cd3dac278f2d37b

SHA256
0c7991872337f8c2af705f6846514bb670d0b83d98dcde63d83ded36452aa209

SHA512
ae04b12e8850856292fdc5c000ab32180fc3c0e7bd1022ef9b2225bb509d7fd7789f0b581b79b5a57377c672f68aa06c6d83bed5119185d61bcb3df94d4ba818

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\27295849.exe
Filesize
302KB

MD5
9a24bbc66039fb71a94236514a745b75

SHA1
877502c5644011d6da6abcb90747f0161582e8f8

SHA256
825c22b3a4618a8246074d7c83e42e70c4300681bde6b8cfc49384f5d2b5e832

SHA512
ab0cf60db9585ea933a708b08984353c6227d88e3306b2f325684ee55f2c0913c8984a9b172ca17f08881127e8b3ae29156f4f699492e61333b8f7282766d785

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\27295849.exe
Filesize
302KB

MD5
9a24bbc66039fb71a94236514a745b75

SHA1
877502c5644011d6da6abcb90747f0161582e8f8

SHA256
825c22b3a4618a8246074d7c83e42e70c4300681bde6b8cfc49384f5d2b5e832

SHA512
ab0cf60db9585ea933a708b08984353c6227d88e3306b2f325684ee55f2c0913c8984a9b172ca17f08881127e8b3ae29156f4f699492e61333b8f7282766d785

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\za471106.exe
Filesize
1.3MB

MD5
73fb106fdfaeef68269de9d9d2d09275

SHA1
b8c6985dca20371d57be2577bc2a2a4c1884c14d

SHA256
1e2880383e822357afd2536aad1bf9f198df15e2efb996b872f5f0eb020b80e6

SHA512
aa8708b22a1260c394693a991fb9809b3ae16f2e498a43f5982fb99968efcdb57475ee2da781cab8b8f7eb59e97e0e0f21294d431d482dbbf4567a736361f4c1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\za471106.exe
Filesize
1.3MB

MD5
73fb106fdfaeef68269de9d9d2d09275

SHA1
b8c6985dca20371d57be2577bc2a2a4c1884c14d

SHA256
1e2880383e822357afd2536aad1bf9f198df15e2efb996b872f5f0eb020b80e6

SHA512
aa8708b22a1260c394693a991fb9809b3ae16f2e498a43f5982fb99968efcdb57475ee2da781cab8b8f7eb59e97e0e0f21294d431d482dbbf4567a736361f4c1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\za854395.exe
Filesize
862KB

MD5
2233f6dc0238f4b82c92b0478bad4ffa

SHA1
bba90569c4d7271037d96b61eb0cb59cb9bac83c

SHA256
17c992e3280a86dbeb419fdb447147135a1477687ff1319ffb955cfbbc601fc4

SHA512
8128f6fd2728997c20e46d5532a28ed4e4ccbd190ffc995ff5956ce140fdca714f20d9f31407bb794e9b92b66dca5dad69aaf5320f948ca6b64b8b278508dd7a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\za854395.exe
Filesize
862KB

MD5
2233f6dc0238f4b82c92b0478bad4ffa

SHA1
bba90569c4d7271037d96b61eb0cb59cb9bac83c

SHA256
17c992e3280a86dbeb419fdb447147135a1477687ff1319ffb955cfbbc601fc4

SHA512
8128f6fd2728997c20e46d5532a28ed4e4ccbd190ffc995ff5956ce140fdca714f20d9f31407bb794e9b92b66dca5dad69aaf5320f948ca6b64b8b278508dd7a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\za642587.exe
Filesize
680KB

MD5
a67554e8f69e0bc3ee28adbfd8c5125d

SHA1
b0723bcf78b1cf26b2dcc0c38cd3dac278f2d37b

SHA256
0c7991872337f8c2af705f6846514bb670d0b83d98dcde63d83ded36452aa209

SHA512
ae04b12e8850856292fdc5c000ab32180fc3c0e7bd1022ef9b2225bb509d7fd7789f0b581b79b5a57377c672f68aa06c6d83bed5119185d61bcb3df94d4ba818

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\za642587.exe
Filesize
680KB

MD5
a67554e8f69e0bc3ee28adbfd8c5125d

SHA1
b0723bcf78b1cf26b2dcc0c38cd3dac278f2d37b

SHA256
0c7991872337f8c2af705f6846514bb670d0b83d98dcde63d83ded36452aa209

SHA512
ae04b12e8850856292fdc5c000ab32180fc3c0e7bd1022ef9b2225bb509d7fd7789f0b581b79b5a57377c672f68aa06c6d83bed5119185d61bcb3df94d4ba818

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\27295849.exe
Filesize
302KB

MD5
9a24bbc66039fb71a94236514a745b75

SHA1
877502c5644011d6da6abcb90747f0161582e8f8

SHA256
825c22b3a4618a8246074d7c83e42e70c4300681bde6b8cfc49384f5d2b5e832

SHA512
ab0cf60db9585ea933a708b08984353c6227d88e3306b2f325684ee55f2c0913c8984a9b172ca17f08881127e8b3ae29156f4f699492e61333b8f7282766d785

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\27295849.exe
Filesize
302KB

MD5
9a24bbc66039fb71a94236514a745b75

SHA1
877502c5644011d6da6abcb90747f0161582e8f8

SHA256
825c22b3a4618a8246074d7c83e42e70c4300681bde6b8cfc49384f5d2b5e832

SHA512
ab0cf60db9585ea933a708b08984353c6227d88e3306b2f325684ee55f2c0913c8984a9b172ca17f08881127e8b3ae29156f4f699492e61333b8f7282766d785

Download Submit
memory/1628-105-0x0000000002380000-0x00000000023D1000-memory.dmp

Filesize
324KB

Download
memory/1628-116-0x0000000004B60000-0x0000000004BA0000-memory.dmp

Filesize
256KB

Download
memory/1628-101-0x0000000002380000-0x00000000023D1000-memory.dmp

Filesize
324KB

Download
memory/1628-107-0x0000000002380000-0x00000000023D1000-memory.dmp

Filesize
324KB

Download
memory/1628-109-0x0000000002380000-0x00000000023D1000-memory.dmp

Filesize
324KB

Download
memory/1628-111-0x0000000002380000-0x00000000023D1000-memory.dmp

Filesize
324KB

Download
memory/1628-94-0x00000000021C0000-0x0000000002218000-memory.dmp

Filesize
352KB

Download
memory/1628-103-0x0000000002380000-0x00000000023D1000-memory.dmp

Filesize
324KB

Download
memory/1628-99-0x0000000002380000-0x00000000023D1000-memory.dmp

Filesize
324KB

Download
memory/1628-97-0x0000000002380000-0x00000000023D1000-memory.dmp

Filesize
324KB

Download
memory/1628-113-0x0000000004B60000-0x0000000004BA0000-memory.dmp

Filesize
256KB

Download
memory/1628-96-0x0000000002380000-0x00000000023D1000-memory.dmp

Filesize
324KB

Download
memory/1628-115-0x0000000002380000-0x00000000023D1000-memory.dmp

Filesize
324KB

Download
memory/1628-95-0x0000000002380000-0x00000000023D6000-memory.dmp

Filesize
344KB

Download
memory/1628-114-0x0000000004B60000-0x0000000004BA0000-memory.dmp

Filesize
256KB

Download
memory/1628-122-0x0000000002380000-0x00000000023D1000-memory.dmp

Filesize
324KB

Download
memory/1628-126-0x0000000002380000-0x00000000023D1000-memory.dmp

Filesize
324KB

Download
memory/1628-124-0x0000000002380000-0x00000000023D1000-memory.dmp

Filesize
324KB

Download
memory/1628-120-0x0000000002380000-0x00000000023D1000-memory.dmp

Filesize
324KB

Download
memory/1628-118-0x0000000002380000-0x00000000023D1000-memory.dmp

Filesize
324KB

Download
memory/1628-130-0x0000000002380000-0x00000000023D1000-memory.dmp

Filesize
324KB

Download
memory/1628-134-0x0000000002380000-0x00000000023D1000-memory.dmp

Filesize
324KB

Download
memory/1628-132-0x0000000002380000-0x00000000023D1000-memory.dmp

Filesize
324KB

Download
memory/1628-128-0x0000000002380000-0x00000000023D1000-memory.dmp

Filesize
324KB

Download
memory/1628-140-0x0000000002380000-0x00000000023D1000-memory.dmp

Filesize
324KB

Download
memory/1628-138-0x0000000002380000-0x00000000023D1000-memory.dmp

Filesize
324KB

Download
memory/1628-136-0x0000000002380000-0x00000000023D1000-memory.dmp

Filesize
324KB

Download
memory/1628-142-0x0000000002380000-0x00000000023D1000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads