ccf46e1435a571a141e49330233bc3d5deebb0af68a78ed54d1575cb5df56be6

Analysis

max time kernel
143s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07-05-2023 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccf46e1435a571a141e49330233bc3d5deebb0af68a78ed54d1575cb5df56be6.exe
Size

774KB
MD5

7e8c77957aabd90b04285fb90a7919e9
SHA1

26260e7ba062f2d2e31ef1ae4d81058da9714531
SHA256

ccf46e1435a571a141e49330233bc3d5deebb0af68a78ed54d1575cb5df56be6
SHA512

ae3eafdf1526de62dcca2ac827e16ba63d9f9bcb9b5bde863a21c7cde4ad6dd703460a2564953e24ddf9a3a15fe1face88574708b61543cca078696d6901e098
SSDEEP

12288:Ay903YpaxY9FofydHEV4fIjp8O6RccW1xubYKQA2/CQjxB1f949lrP:Ay0N8pp2BarW1xuUKM/CQjMrP

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

x69754530.exem53520289.exe

pid process

1868 x69754530.exe
1352 m53520289.exe

pid	process
1868	x69754530.exe
1352	m53520289.exe

Loads dropped DLL 5 IoCs

Processes:

ccf46e1435a571a141e49330233bc3d5deebb0af68a78ed54d1575cb5df56be6.exex69754530.exem53520289.exe

pid	process
1692	ccf46e1435a571a141e49330233bc3d5deebb0af68a78ed54d1575cb5df56be6.exe
1868	x69754530.exe
1868	x69754530.exe
1868	x69754530.exe
1352	m53520289.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

x69754530.execcf46e1435a571a141e49330233bc3d5deebb0af68a78ed54d1575cb5df56be6.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x69754530.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x69754530.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ccf46e1435a571a141e49330233bc3d5deebb0af68a78ed54d1575cb5df56be6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ccf46e1435a571a141e49330233bc3d5deebb0af68a78ed54d1575cb5df56be6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

m53520289.exe

description pid process

Token: SeDebugPrivilege 1352 m53520289.exe

description	pid	process
Token: SeDebugPrivilege	1352	m53520289.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

ccf46e1435a571a141e49330233bc3d5deebb0af68a78ed54d1575cb5df56be6.exex69754530.exe

description	pid	process	target process
PID 1692 wrote to memory of 1868	1692	ccf46e1435a571a141e49330233bc3d5deebb0af68a78ed54d1575cb5df56be6.exe	x69754530.exe
PID 1692 wrote to memory of 1868	1692	ccf46e1435a571a141e49330233bc3d5deebb0af68a78ed54d1575cb5df56be6.exe	x69754530.exe
PID 1692 wrote to memory of 1868	1692	ccf46e1435a571a141e49330233bc3d5deebb0af68a78ed54d1575cb5df56be6.exe	x69754530.exe
PID 1692 wrote to memory of 1868	1692	ccf46e1435a571a141e49330233bc3d5deebb0af68a78ed54d1575cb5df56be6.exe	x69754530.exe
PID 1692 wrote to memory of 1868	1692	ccf46e1435a571a141e49330233bc3d5deebb0af68a78ed54d1575cb5df56be6.exe	x69754530.exe
PID 1692 wrote to memory of 1868	1692	ccf46e1435a571a141e49330233bc3d5deebb0af68a78ed54d1575cb5df56be6.exe	x69754530.exe
PID 1692 wrote to memory of 1868	1692	ccf46e1435a571a141e49330233bc3d5deebb0af68a78ed54d1575cb5df56be6.exe	x69754530.exe
PID 1868 wrote to memory of 1352	1868	x69754530.exe	m53520289.exe
PID 1868 wrote to memory of 1352	1868	x69754530.exe	m53520289.exe
PID 1868 wrote to memory of 1352	1868	x69754530.exe	m53520289.exe
PID 1868 wrote to memory of 1352	1868	x69754530.exe	m53520289.exe
PID 1868 wrote to memory of 1352	1868	x69754530.exe	m53520289.exe
PID 1868 wrote to memory of 1352	1868	x69754530.exe	m53520289.exe
PID 1868 wrote to memory of 1352	1868	x69754530.exe	m53520289.exe

C:\Users\Admin\AppData\Local\Temp\ccf46e1435a571a141e49330233bc3d5deebb0af68a78ed54d1575cb5df56be6.exe
"C:\Users\Admin\AppData\Local\Temp\ccf46e1435a571a141e49330233bc3d5deebb0af68a78ed54d1575cb5df56be6.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x69754530.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x69754530.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1868

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m53520289.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m53520289.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1352

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x69754530.exe
Filesize
570KB

MD5
f5abc062e4c67b8d120807691d954eb3

SHA1
8304ddab29cfcdac64420733033425eb71ae06c1

SHA256
ec8f5493a2e616a84a3f1620b981ea9c4d5903364eb922285de0b4bdd3dbf2b9

SHA512
38c4dd104c2629f548453a7e2a99c97621d859117546d7346ad0cfc76099e4f60a73c8afb0a200227999df2f3e5d0bb9dbe6c906d5f5806422e79ee87f9d082b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x69754530.exe
Filesize
570KB

MD5
f5abc062e4c67b8d120807691d954eb3

SHA1
8304ddab29cfcdac64420733033425eb71ae06c1

SHA256
ec8f5493a2e616a84a3f1620b981ea9c4d5903364eb922285de0b4bdd3dbf2b9

SHA512
38c4dd104c2629f548453a7e2a99c97621d859117546d7346ad0cfc76099e4f60a73c8afb0a200227999df2f3e5d0bb9dbe6c906d5f5806422e79ee87f9d082b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m53520289.exe
Filesize
488KB

MD5
8f25b56d7b831826423384967b29bac5

SHA1
c1723648eecf9c5f88eaf96d29f9ae126d9c5276

SHA256
a614fb8fd9f438fb79e1066fdd2a8fcd4a1c1abe144657185dd41abba0ad2a27

SHA512
1b03a0387e46c215de2615fec54b38bc0524ec94f29aba3344e692dd827766daa3db3af06bcf019a4ee3ab92e16c32294f6084e742d262ab9aaaf58f48f23766

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m53520289.exe
Filesize
488KB

MD5
8f25b56d7b831826423384967b29bac5

SHA1
c1723648eecf9c5f88eaf96d29f9ae126d9c5276

SHA256
a614fb8fd9f438fb79e1066fdd2a8fcd4a1c1abe144657185dd41abba0ad2a27

SHA512
1b03a0387e46c215de2615fec54b38bc0524ec94f29aba3344e692dd827766daa3db3af06bcf019a4ee3ab92e16c32294f6084e742d262ab9aaaf58f48f23766

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m53520289.exe
Filesize
488KB

MD5
8f25b56d7b831826423384967b29bac5

SHA1
c1723648eecf9c5f88eaf96d29f9ae126d9c5276

SHA256
a614fb8fd9f438fb79e1066fdd2a8fcd4a1c1abe144657185dd41abba0ad2a27

SHA512
1b03a0387e46c215de2615fec54b38bc0524ec94f29aba3344e692dd827766daa3db3af06bcf019a4ee3ab92e16c32294f6084e742d262ab9aaaf58f48f23766

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x69754530.exe
Filesize
570KB

MD5
f5abc062e4c67b8d120807691d954eb3

SHA1
8304ddab29cfcdac64420733033425eb71ae06c1

SHA256
ec8f5493a2e616a84a3f1620b981ea9c4d5903364eb922285de0b4bdd3dbf2b9

SHA512
38c4dd104c2629f548453a7e2a99c97621d859117546d7346ad0cfc76099e4f60a73c8afb0a200227999df2f3e5d0bb9dbe6c906d5f5806422e79ee87f9d082b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x69754530.exe
Filesize
570KB

MD5
f5abc062e4c67b8d120807691d954eb3

SHA1
8304ddab29cfcdac64420733033425eb71ae06c1

SHA256
ec8f5493a2e616a84a3f1620b981ea9c4d5903364eb922285de0b4bdd3dbf2b9

SHA512
38c4dd104c2629f548453a7e2a99c97621d859117546d7346ad0cfc76099e4f60a73c8afb0a200227999df2f3e5d0bb9dbe6c906d5f5806422e79ee87f9d082b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\m53520289.exe
Filesize
488KB

MD5
8f25b56d7b831826423384967b29bac5

SHA1
c1723648eecf9c5f88eaf96d29f9ae126d9c5276

SHA256
a614fb8fd9f438fb79e1066fdd2a8fcd4a1c1abe144657185dd41abba0ad2a27

SHA512
1b03a0387e46c215de2615fec54b38bc0524ec94f29aba3344e692dd827766daa3db3af06bcf019a4ee3ab92e16c32294f6084e742d262ab9aaaf58f48f23766

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\m53520289.exe
Filesize
488KB

MD5
8f25b56d7b831826423384967b29bac5

SHA1
c1723648eecf9c5f88eaf96d29f9ae126d9c5276

SHA256
a614fb8fd9f438fb79e1066fdd2a8fcd4a1c1abe144657185dd41abba0ad2a27

SHA512
1b03a0387e46c215de2615fec54b38bc0524ec94f29aba3344e692dd827766daa3db3af06bcf019a4ee3ab92e16c32294f6084e742d262ab9aaaf58f48f23766

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\m53520289.exe
Filesize
488KB

MD5
8f25b56d7b831826423384967b29bac5

SHA1
c1723648eecf9c5f88eaf96d29f9ae126d9c5276

SHA256
a614fb8fd9f438fb79e1066fdd2a8fcd4a1c1abe144657185dd41abba0ad2a27

SHA512
1b03a0387e46c215de2615fec54b38bc0524ec94f29aba3344e692dd827766daa3db3af06bcf019a4ee3ab92e16c32294f6084e742d262ab9aaaf58f48f23766

Download Submit
memory/1352-85-0x0000000004F00000-0x0000000004F60000-memory.dmp

Filesize
384KB

Download
memory/1352-99-0x0000000004F00000-0x0000000004F60000-memory.dmp

Filesize
384KB

Download
memory/1352-80-0x0000000004EC0000-0x0000000004F00000-memory.dmp

Filesize
256KB

Download
memory/1352-81-0x0000000004F00000-0x0000000004F66000-memory.dmp

Filesize
408KB

Download
memory/1352-82-0x0000000004F00000-0x0000000004F60000-memory.dmp

Filesize
384KB

Download
memory/1352-83-0x0000000004F00000-0x0000000004F60000-memory.dmp

Filesize
384KB

Download
memory/1352-78-0x0000000004E30000-0x0000000004E98000-memory.dmp

Filesize
416KB

Download
memory/1352-87-0x0000000004F00000-0x0000000004F60000-memory.dmp

Filesize
384KB

Download
memory/1352-89-0x0000000004F00000-0x0000000004F60000-memory.dmp

Filesize
384KB

Download
memory/1352-91-0x0000000004F00000-0x0000000004F60000-memory.dmp

Filesize
384KB

Download
memory/1352-93-0x0000000004F00000-0x0000000004F60000-memory.dmp

Filesize
384KB

Download
memory/1352-95-0x0000000004F00000-0x0000000004F60000-memory.dmp

Filesize
384KB

Download
memory/1352-97-0x0000000004F00000-0x0000000004F60000-memory.dmp

Filesize
384KB

Download
memory/1352-79-0x0000000002250000-0x00000000022AB000-memory.dmp

Filesize
364KB

Download
memory/1352-101-0x0000000004F00000-0x0000000004F60000-memory.dmp

Filesize
384KB

Download
memory/1352-103-0x0000000004F00000-0x0000000004F60000-memory.dmp

Filesize
384KB

Download
memory/1352-109-0x0000000004F00000-0x0000000004F60000-memory.dmp

Filesize
384KB

Download
memory/1352-107-0x0000000004F00000-0x0000000004F60000-memory.dmp

Filesize
384KB

Download
memory/1352-105-0x0000000004F00000-0x0000000004F60000-memory.dmp

Filesize
384KB

Download
memory/1352-113-0x0000000004F00000-0x0000000004F60000-memory.dmp

Filesize
384KB

Download
memory/1352-111-0x0000000004F00000-0x0000000004F60000-memory.dmp

Filesize
384KB

Download
memory/1352-115-0x0000000004F00000-0x0000000004F60000-memory.dmp

Filesize
384KB

Download
memory/1352-119-0x0000000004F00000-0x0000000004F60000-memory.dmp

Filesize
384KB

Download
memory/1352-117-0x0000000004F00000-0x0000000004F60000-memory.dmp

Filesize
384KB

Download
memory/1352-121-0x0000000000400000-0x0000000000820000-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads