fd0a494afc0a6e07885d1a5e9823a61f141f8d6d8dac0564d4ade9fd75718c07

Analysis

max time kernel
26s
max time network
32s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07-05-2023 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd0a494afc0a6e07885d1a5e9823a61f141f8d6d8dac0564d4ade9fd75718c07.exe
Size

1.5MB
MD5

8da64a1d648291e5ae3616b9b41d479e
SHA1

4f0bbbf4b2942f76acce0814f5ed1f4d55187bf3
SHA256

fd0a494afc0a6e07885d1a5e9823a61f141f8d6d8dac0564d4ade9fd75718c07
SHA512

a9e5f4fc563b170c717675c82dc1db93c7ea1e299dd98bbb302b19614c25c31ba1be6d448ef3aab374504f621e7ed4b18615d54299f6f9f867b31992c6851573
SSDEEP

24576:Kyo67D6SttawPQC3VpItPAYgHnpU5txX1AUaT3qNUuotU/Zkay:R68tajC3VOtI1nOt23qa3e/ea

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

eR875845.exeQm475675.exenW750607.exe126971296.exe

pid process

1672 eR875845.exe
1388 Qm475675.exe
1004 nW750607.exe
824 126971296.exe

pid	process
1672	eR875845.exe
1388	Qm475675.exe
1004	nW750607.exe
824	126971296.exe

Loads dropped DLL 8 IoCs

Processes:

fd0a494afc0a6e07885d1a5e9823a61f141f8d6d8dac0564d4ade9fd75718c07.exeeR875845.exeQm475675.exenW750607.exe126971296.exe

pid	process
1512	fd0a494afc0a6e07885d1a5e9823a61f141f8d6d8dac0564d4ade9fd75718c07.exe
1672	eR875845.exe
1672	eR875845.exe
1388	Qm475675.exe
1388	Qm475675.exe
1004	nW750607.exe
1004	nW750607.exe
824	126971296.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

nW750607.exefd0a494afc0a6e07885d1a5e9823a61f141f8d6d8dac0564d4ade9fd75718c07.exeeR875845.exeQm475675.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	nW750607.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fd0a494afc0a6e07885d1a5e9823a61f141f8d6d8dac0564d4ade9fd75718c07.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fd0a494afc0a6e07885d1a5e9823a61f141f8d6d8dac0564d4ade9fd75718c07.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	eR875845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	eR875845.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Qm475675.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Qm475675.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	nW750607.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

126971296.exe

description pid process

Token: SeDebugPrivilege 824 126971296.exe

description	pid	process
Token: SeDebugPrivilege	824	126971296.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

fd0a494afc0a6e07885d1a5e9823a61f141f8d6d8dac0564d4ade9fd75718c07.exeeR875845.exeQm475675.exenW750607.exe

description	pid	process	target process
PID 1512 wrote to memory of 1672	1512	fd0a494afc0a6e07885d1a5e9823a61f141f8d6d8dac0564d4ade9fd75718c07.exe	eR875845.exe
PID 1512 wrote to memory of 1672	1512	fd0a494afc0a6e07885d1a5e9823a61f141f8d6d8dac0564d4ade9fd75718c07.exe	eR875845.exe
PID 1512 wrote to memory of 1672	1512	fd0a494afc0a6e07885d1a5e9823a61f141f8d6d8dac0564d4ade9fd75718c07.exe	eR875845.exe
PID 1512 wrote to memory of 1672	1512	fd0a494afc0a6e07885d1a5e9823a61f141f8d6d8dac0564d4ade9fd75718c07.exe	eR875845.exe
PID 1512 wrote to memory of 1672	1512	fd0a494afc0a6e07885d1a5e9823a61f141f8d6d8dac0564d4ade9fd75718c07.exe	eR875845.exe
PID 1512 wrote to memory of 1672	1512	fd0a494afc0a6e07885d1a5e9823a61f141f8d6d8dac0564d4ade9fd75718c07.exe	eR875845.exe
PID 1512 wrote to memory of 1672	1512	fd0a494afc0a6e07885d1a5e9823a61f141f8d6d8dac0564d4ade9fd75718c07.exe	eR875845.exe
PID 1672 wrote to memory of 1388	1672	eR875845.exe	Qm475675.exe
PID 1672 wrote to memory of 1388	1672	eR875845.exe	Qm475675.exe
PID 1672 wrote to memory of 1388	1672	eR875845.exe	Qm475675.exe
PID 1672 wrote to memory of 1388	1672	eR875845.exe	Qm475675.exe
PID 1672 wrote to memory of 1388	1672	eR875845.exe	Qm475675.exe
PID 1672 wrote to memory of 1388	1672	eR875845.exe	Qm475675.exe
PID 1672 wrote to memory of 1388	1672	eR875845.exe	Qm475675.exe
PID 1388 wrote to memory of 1004	1388	Qm475675.exe	nW750607.exe
PID 1388 wrote to memory of 1004	1388	Qm475675.exe	nW750607.exe
PID 1388 wrote to memory of 1004	1388	Qm475675.exe	nW750607.exe
PID 1388 wrote to memory of 1004	1388	Qm475675.exe	nW750607.exe
PID 1388 wrote to memory of 1004	1388	Qm475675.exe	nW750607.exe
PID 1388 wrote to memory of 1004	1388	Qm475675.exe	nW750607.exe
PID 1388 wrote to memory of 1004	1388	Qm475675.exe	nW750607.exe
PID 1004 wrote to memory of 824	1004	nW750607.exe	126971296.exe
PID 1004 wrote to memory of 824	1004	nW750607.exe	126971296.exe
PID 1004 wrote to memory of 824	1004	nW750607.exe	126971296.exe
PID 1004 wrote to memory of 824	1004	nW750607.exe	126971296.exe
PID 1004 wrote to memory of 824	1004	nW750607.exe	126971296.exe
PID 1004 wrote to memory of 824	1004	nW750607.exe	126971296.exe
PID 1004 wrote to memory of 824	1004	nW750607.exe	126971296.exe

C:\Users\Admin\AppData\Local\Temp\fd0a494afc0a6e07885d1a5e9823a61f141f8d6d8dac0564d4ade9fd75718c07.exe
"C:\Users\Admin\AppData\Local\Temp\fd0a494afc0a6e07885d1a5e9823a61f141f8d6d8dac0564d4ade9fd75718c07.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1512

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eR875845.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eR875845.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Qm475675.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Qm475675.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1388

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nW750607.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nW750607.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1004

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\126971296.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\126971296.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:824

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eR875845.exe
Filesize
1.4MB

MD5
d3761150f7cdad1c37855327badc7ddd

SHA1
6fc00348407018c6cb96c249351b52ea3872c915

SHA256
585d7c58687688a618e1eb7f26b8f29d6d404d4eb823d469895a751788542c63

SHA512
c43ba59bbfe411fc4c8617ccd83b3019f8d8b228ede1d260ff1c3d8aa63c3084fc8c4a9a253ea93e1f6c149693fc5c925384c9ff0e0276662b48bf819251255e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eR875845.exe
Filesize
1.4MB

MD5
d3761150f7cdad1c37855327badc7ddd

SHA1
6fc00348407018c6cb96c249351b52ea3872c915

SHA256
585d7c58687688a618e1eb7f26b8f29d6d404d4eb823d469895a751788542c63

SHA512
c43ba59bbfe411fc4c8617ccd83b3019f8d8b228ede1d260ff1c3d8aa63c3084fc8c4a9a253ea93e1f6c149693fc5c925384c9ff0e0276662b48bf819251255e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Qm475675.exe
Filesize
888KB

MD5
a4fb8c9b7fb5ad8d7d56859c197910c4

SHA1
c67a710c08f6c3e7fff8220ea6bc295fd57c6f35

SHA256
529db11723f26561ff71792c6e9661bc28e66b87dc2667c9682684f7da8a4031

SHA512
8af473187c4bca31a155e43615e938dcca7853a34511a8f5c13668ea8a3f578f565b2f39e66d65f44442a755b908fbb600929c41d43da6f61f5c8607d7f70130

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Qm475675.exe
Filesize
888KB

MD5
a4fb8c9b7fb5ad8d7d56859c197910c4

SHA1
c67a710c08f6c3e7fff8220ea6bc295fd57c6f35

SHA256
529db11723f26561ff71792c6e9661bc28e66b87dc2667c9682684f7da8a4031

SHA512
8af473187c4bca31a155e43615e938dcca7853a34511a8f5c13668ea8a3f578f565b2f39e66d65f44442a755b908fbb600929c41d43da6f61f5c8607d7f70130

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nW750607.exe
Filesize
716KB

MD5
89935f0623c1e35fb637cfe210935592

SHA1
44b99ee1a9c7711a377421976b87ff544b803029

SHA256
6ff77c22f4097c9c39905290a3ad3aa96b94569afd14b3faa71d9fe67948beeb

SHA512
af17a4055620a3c7dc06a5891e73b35a587dfac98b250c7fe5d6a4336c9aa1baec3e71939246595271abc56c5ae2f2e49d2da6f0497fb57b5819dd2d9680e849

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nW750607.exe
Filesize
716KB

MD5
89935f0623c1e35fb637cfe210935592

SHA1
44b99ee1a9c7711a377421976b87ff544b803029

SHA256
6ff77c22f4097c9c39905290a3ad3aa96b94569afd14b3faa71d9fe67948beeb

SHA512
af17a4055620a3c7dc06a5891e73b35a587dfac98b250c7fe5d6a4336c9aa1baec3e71939246595271abc56c5ae2f2e49d2da6f0497fb57b5819dd2d9680e849

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\126971296.exe
Filesize
299KB

MD5
78ff583f11baf0ba709afb1ec91ed0d7

SHA1
c7499d8ab95c50e63300c62ab6693aad3f8c49e9

SHA256
ba154d78cc79de514942de56ed8ea5f40a1e367536f75807cbfcdcd201bc64a1

SHA512
43fe569fb34e57934c068154b0cdd316baeae010a92f2fc5240ab5f6ca95525f338ce151a88422991fafde3c000ad60f03d5ef6d609aedd196e7d27e60c07749

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\126971296.exe
Filesize
299KB

MD5
78ff583f11baf0ba709afb1ec91ed0d7

SHA1
c7499d8ab95c50e63300c62ab6693aad3f8c49e9

SHA256
ba154d78cc79de514942de56ed8ea5f40a1e367536f75807cbfcdcd201bc64a1

SHA512
43fe569fb34e57934c068154b0cdd316baeae010a92f2fc5240ab5f6ca95525f338ce151a88422991fafde3c000ad60f03d5ef6d609aedd196e7d27e60c07749

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\eR875845.exe
Filesize
1.4MB

MD5
d3761150f7cdad1c37855327badc7ddd

SHA1
6fc00348407018c6cb96c249351b52ea3872c915

SHA256
585d7c58687688a618e1eb7f26b8f29d6d404d4eb823d469895a751788542c63

SHA512
c43ba59bbfe411fc4c8617ccd83b3019f8d8b228ede1d260ff1c3d8aa63c3084fc8c4a9a253ea93e1f6c149693fc5c925384c9ff0e0276662b48bf819251255e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\eR875845.exe
Filesize
1.4MB

MD5
d3761150f7cdad1c37855327badc7ddd

SHA1
6fc00348407018c6cb96c249351b52ea3872c915

SHA256
585d7c58687688a618e1eb7f26b8f29d6d404d4eb823d469895a751788542c63

SHA512
c43ba59bbfe411fc4c8617ccd83b3019f8d8b228ede1d260ff1c3d8aa63c3084fc8c4a9a253ea93e1f6c149693fc5c925384c9ff0e0276662b48bf819251255e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\Qm475675.exe
Filesize
888KB

MD5
a4fb8c9b7fb5ad8d7d56859c197910c4

SHA1
c67a710c08f6c3e7fff8220ea6bc295fd57c6f35

SHA256
529db11723f26561ff71792c6e9661bc28e66b87dc2667c9682684f7da8a4031

SHA512
8af473187c4bca31a155e43615e938dcca7853a34511a8f5c13668ea8a3f578f565b2f39e66d65f44442a755b908fbb600929c41d43da6f61f5c8607d7f70130

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\Qm475675.exe
Filesize
888KB

MD5
a4fb8c9b7fb5ad8d7d56859c197910c4

SHA1
c67a710c08f6c3e7fff8220ea6bc295fd57c6f35

SHA256
529db11723f26561ff71792c6e9661bc28e66b87dc2667c9682684f7da8a4031

SHA512
8af473187c4bca31a155e43615e938dcca7853a34511a8f5c13668ea8a3f578f565b2f39e66d65f44442a755b908fbb600929c41d43da6f61f5c8607d7f70130

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\nW750607.exe
Filesize
716KB

MD5
89935f0623c1e35fb637cfe210935592

SHA1
44b99ee1a9c7711a377421976b87ff544b803029

SHA256
6ff77c22f4097c9c39905290a3ad3aa96b94569afd14b3faa71d9fe67948beeb

SHA512
af17a4055620a3c7dc06a5891e73b35a587dfac98b250c7fe5d6a4336c9aa1baec3e71939246595271abc56c5ae2f2e49d2da6f0497fb57b5819dd2d9680e849

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\nW750607.exe
Filesize
716KB

MD5
89935f0623c1e35fb637cfe210935592

SHA1
44b99ee1a9c7711a377421976b87ff544b803029

SHA256
6ff77c22f4097c9c39905290a3ad3aa96b94569afd14b3faa71d9fe67948beeb

SHA512
af17a4055620a3c7dc06a5891e73b35a587dfac98b250c7fe5d6a4336c9aa1baec3e71939246595271abc56c5ae2f2e49d2da6f0497fb57b5819dd2d9680e849

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\126971296.exe
Filesize
299KB

MD5
78ff583f11baf0ba709afb1ec91ed0d7

SHA1
c7499d8ab95c50e63300c62ab6693aad3f8c49e9

SHA256
ba154d78cc79de514942de56ed8ea5f40a1e367536f75807cbfcdcd201bc64a1

SHA512
43fe569fb34e57934c068154b0cdd316baeae010a92f2fc5240ab5f6ca95525f338ce151a88422991fafde3c000ad60f03d5ef6d609aedd196e7d27e60c07749

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\126971296.exe
Filesize
299KB

MD5
78ff583f11baf0ba709afb1ec91ed0d7

SHA1
c7499d8ab95c50e63300c62ab6693aad3f8c49e9

SHA256
ba154d78cc79de514942de56ed8ea5f40a1e367536f75807cbfcdcd201bc64a1

SHA512
43fe569fb34e57934c068154b0cdd316baeae010a92f2fc5240ab5f6ca95525f338ce151a88422991fafde3c000ad60f03d5ef6d609aedd196e7d27e60c07749

Download Submit
memory/824-123-0x0000000004900000-0x0000000004951000-memory.dmp

Filesize
324KB

Download
memory/824-121-0x0000000004900000-0x0000000004951000-memory.dmp

Filesize
324KB

Download
memory/824-95-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/824-97-0x0000000004900000-0x0000000004956000-memory.dmp

Filesize
344KB

Download
memory/824-101-0x0000000004900000-0x0000000004951000-memory.dmp

Filesize
324KB

Download
memory/824-113-0x0000000004900000-0x0000000004951000-memory.dmp

Filesize
324KB

Download
memory/824-94-0x00000000024F0000-0x0000000002548000-memory.dmp

Filesize
352KB

Download
memory/824-125-0x0000000004900000-0x0000000004951000-memory.dmp

Filesize
324KB

Download
memory/824-131-0x0000000004900000-0x0000000004951000-memory.dmp

Filesize
324KB

Download
memory/824-137-0x0000000004900000-0x0000000004951000-memory.dmp

Filesize
324KB

Download
memory/824-139-0x0000000004900000-0x0000000004951000-memory.dmp

Filesize
324KB

Download
memory/824-135-0x0000000004900000-0x0000000004951000-memory.dmp

Filesize
324KB

Download
memory/824-133-0x0000000004900000-0x0000000004951000-memory.dmp

Filesize
324KB

Download
memory/824-129-0x0000000004900000-0x0000000004951000-memory.dmp

Filesize
324KB

Download
memory/824-127-0x0000000004900000-0x0000000004951000-memory.dmp

Filesize
324KB

Download
memory/824-96-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/824-119-0x0000000004900000-0x0000000004951000-memory.dmp

Filesize
324KB

Download
memory/824-117-0x0000000004900000-0x0000000004951000-memory.dmp

Filesize
324KB

Download
memory/824-115-0x0000000004900000-0x0000000004951000-memory.dmp

Filesize
324KB

Download
memory/824-111-0x0000000004900000-0x0000000004951000-memory.dmp

Filesize
324KB

Download
memory/824-109-0x0000000004900000-0x0000000004951000-memory.dmp

Filesize
324KB

Download
memory/824-107-0x0000000004900000-0x0000000004951000-memory.dmp

Filesize
324KB

Download
memory/824-105-0x0000000004900000-0x0000000004951000-memory.dmp

Filesize
324KB

Download
memory/824-103-0x0000000004900000-0x0000000004951000-memory.dmp

Filesize
324KB

Download
memory/824-99-0x0000000004900000-0x0000000004951000-memory.dmp

Filesize
324KB

Download
memory/824-98-0x0000000004900000-0x0000000004951000-memory.dmp

Filesize
324KB

Download
memory/824-141-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/824-142-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/824-143-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads