feae71ea6711a1748d1ee409a5553f223c6cc942705bae83f47e8e8a17ff3c74

Analysis

max time kernel
27s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07-05-2023 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

feae71ea6711a1748d1ee409a5553f223c6cc942705bae83f47e8e8a17ff3c74.exe
Size

1.5MB
MD5

5117ac078ba7d5fd6dbd301035ee255b
SHA1

abee6080b0c799bb5bbccd915b2e481cf9e88f97
SHA256

feae71ea6711a1748d1ee409a5553f223c6cc942705bae83f47e8e8a17ff3c74
SHA512

4b2b143f5c50a55229e652c8fc05da1d1894c2e401982719c19058ae925ec445c42495d6f1635192a223e461672017e3c9321cac7f9e39fac520920b5b984a0b
SSDEEP

24576:YyWnk6gtS7cdi0XmnijitlsELytJj6jNXtBmeZkinI6s3kHdzueP:fWk6gtSsi0SiWt+YytJW9tBmeZktd3An

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

GD143077.exeEl633371.exeqw662530.exe163418476.exe

pid process

1920 GD143077.exe
1760 El633371.exe
1520 qw662530.exe
1756 163418476.exe

pid	process
1920	GD143077.exe
1760	El633371.exe
1520	qw662530.exe
1756	163418476.exe

Loads dropped DLL 8 IoCs

Processes:

feae71ea6711a1748d1ee409a5553f223c6cc942705bae83f47e8e8a17ff3c74.exeGD143077.exeEl633371.exeqw662530.exe163418476.exe

pid	process
1856	feae71ea6711a1748d1ee409a5553f223c6cc942705bae83f47e8e8a17ff3c74.exe
1920	GD143077.exe
1920	GD143077.exe
1760	El633371.exe
1760	El633371.exe
1520	qw662530.exe
1520	qw662530.exe
1756	163418476.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

GD143077.exeEl633371.exeqw662530.exefeae71ea6711a1748d1ee409a5553f223c6cc942705bae83f47e8e8a17ff3c74.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	GD143077.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	El633371.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	El633371.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	qw662530.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	qw662530.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	feae71ea6711a1748d1ee409a5553f223c6cc942705bae83f47e8e8a17ff3c74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	feae71ea6711a1748d1ee409a5553f223c6cc942705bae83f47e8e8a17ff3c74.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	GD143077.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

163418476.exe

description pid process

Token: SeDebugPrivilege 1756 163418476.exe

description	pid	process
Token: SeDebugPrivilege	1756	163418476.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

feae71ea6711a1748d1ee409a5553f223c6cc942705bae83f47e8e8a17ff3c74.exeGD143077.exeEl633371.exeqw662530.exe

description	pid	process	target process
PID 1856 wrote to memory of 1920	1856	feae71ea6711a1748d1ee409a5553f223c6cc942705bae83f47e8e8a17ff3c74.exe	GD143077.exe
PID 1856 wrote to memory of 1920	1856	feae71ea6711a1748d1ee409a5553f223c6cc942705bae83f47e8e8a17ff3c74.exe	GD143077.exe
PID 1856 wrote to memory of 1920	1856	feae71ea6711a1748d1ee409a5553f223c6cc942705bae83f47e8e8a17ff3c74.exe	GD143077.exe
PID 1856 wrote to memory of 1920	1856	feae71ea6711a1748d1ee409a5553f223c6cc942705bae83f47e8e8a17ff3c74.exe	GD143077.exe
PID 1856 wrote to memory of 1920	1856	feae71ea6711a1748d1ee409a5553f223c6cc942705bae83f47e8e8a17ff3c74.exe	GD143077.exe
PID 1856 wrote to memory of 1920	1856	feae71ea6711a1748d1ee409a5553f223c6cc942705bae83f47e8e8a17ff3c74.exe	GD143077.exe
PID 1856 wrote to memory of 1920	1856	feae71ea6711a1748d1ee409a5553f223c6cc942705bae83f47e8e8a17ff3c74.exe	GD143077.exe
PID 1920 wrote to memory of 1760	1920	GD143077.exe	El633371.exe
PID 1920 wrote to memory of 1760	1920	GD143077.exe	El633371.exe
PID 1920 wrote to memory of 1760	1920	GD143077.exe	El633371.exe
PID 1920 wrote to memory of 1760	1920	GD143077.exe	El633371.exe
PID 1920 wrote to memory of 1760	1920	GD143077.exe	El633371.exe
PID 1920 wrote to memory of 1760	1920	GD143077.exe	El633371.exe
PID 1920 wrote to memory of 1760	1920	GD143077.exe	El633371.exe
PID 1760 wrote to memory of 1520	1760	El633371.exe	qw662530.exe
PID 1760 wrote to memory of 1520	1760	El633371.exe	qw662530.exe
PID 1760 wrote to memory of 1520	1760	El633371.exe	qw662530.exe
PID 1760 wrote to memory of 1520	1760	El633371.exe	qw662530.exe
PID 1760 wrote to memory of 1520	1760	El633371.exe	qw662530.exe
PID 1760 wrote to memory of 1520	1760	El633371.exe	qw662530.exe
PID 1760 wrote to memory of 1520	1760	El633371.exe	qw662530.exe
PID 1520 wrote to memory of 1756	1520	qw662530.exe	163418476.exe
PID 1520 wrote to memory of 1756	1520	qw662530.exe	163418476.exe
PID 1520 wrote to memory of 1756	1520	qw662530.exe	163418476.exe
PID 1520 wrote to memory of 1756	1520	qw662530.exe	163418476.exe
PID 1520 wrote to memory of 1756	1520	qw662530.exe	163418476.exe
PID 1520 wrote to memory of 1756	1520	qw662530.exe	163418476.exe
PID 1520 wrote to memory of 1756	1520	qw662530.exe	163418476.exe

C:\Users\Admin\AppData\Local\Temp\feae71ea6711a1748d1ee409a5553f223c6cc942705bae83f47e8e8a17ff3c74.exe
"C:\Users\Admin\AppData\Local\Temp\feae71ea6711a1748d1ee409a5553f223c6cc942705bae83f47e8e8a17ff3c74.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1856

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GD143077.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GD143077.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\El633371.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\El633371.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qw662530.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qw662530.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\163418476.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\163418476.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1756

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GD143077.exe
Filesize
1.3MB

MD5
b84b9a18e0c9a6827ec5dc42d995e717

SHA1
e5075785cf9b89739f8e4789b4c4a4300d260366

SHA256
182bc0ddf5eea8415db81392d06eb99f83f84348461c20e1ff8c44c433b45ae3

SHA512
f6cdfabd8c7b29d25ce270505a75b773a0565d6747364d9eeeb0b2e082e58e33782e955463541f90dfd165c4e660cb9d8af7802ba7bab07833912808857f96bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GD143077.exe
Filesize
1.3MB

MD5
b84b9a18e0c9a6827ec5dc42d995e717

SHA1
e5075785cf9b89739f8e4789b4c4a4300d260366

SHA256
182bc0ddf5eea8415db81392d06eb99f83f84348461c20e1ff8c44c433b45ae3

SHA512
f6cdfabd8c7b29d25ce270505a75b773a0565d6747364d9eeeb0b2e082e58e33782e955463541f90dfd165c4e660cb9d8af7802ba7bab07833912808857f96bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\El633371.exe
Filesize
871KB

MD5
fb7ba724f3ae2aad2281edbbf236ba37

SHA1
5952d04b952dd5415db247bb64b7917b60eb17c9

SHA256
e6ba1716016e6b05debc4277ee27f43a1d7c5a1de43b4766abdb79f0cb83e3f0

SHA512
4a867e532c9b64997a5b7c2aef867a4faa1e4956b940a6caa8b17647cbc260cf60380e3e877a57664b29c8baf807e98a1dcd01ff097230b6216b597b1e710ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\El633371.exe
Filesize
871KB

MD5
fb7ba724f3ae2aad2281edbbf236ba37

SHA1
5952d04b952dd5415db247bb64b7917b60eb17c9

SHA256
e6ba1716016e6b05debc4277ee27f43a1d7c5a1de43b4766abdb79f0cb83e3f0

SHA512
4a867e532c9b64997a5b7c2aef867a4faa1e4956b940a6caa8b17647cbc260cf60380e3e877a57664b29c8baf807e98a1dcd01ff097230b6216b597b1e710ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qw662530.exe
Filesize
699KB

MD5
586ea6fbf367a220ac8833785dc46752

SHA1
e9f29de92b6535d7d261459915e827e4ec763f50

SHA256
6d8f98b01fe82a5d2a4987126ca20ab78a8c45897c60c412b0c9f158ff700f90

SHA512
6df66555754c2f1326df62430011794c47b47aca0819c1735c87b80e90a110253f05cd5904c05b0e18447a62fc58e8272c4431ba169964e08804612a767a08c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qw662530.exe
Filesize
699KB

MD5
586ea6fbf367a220ac8833785dc46752

SHA1
e9f29de92b6535d7d261459915e827e4ec763f50

SHA256
6d8f98b01fe82a5d2a4987126ca20ab78a8c45897c60c412b0c9f158ff700f90

SHA512
6df66555754c2f1326df62430011794c47b47aca0819c1735c87b80e90a110253f05cd5904c05b0e18447a62fc58e8272c4431ba169964e08804612a767a08c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\163418476.exe
Filesize
300KB

MD5
989649f0acd85e9e56f2cba1ee605613

SHA1
77bc371fdd4dfcefeac12c6520e70c54484fe8bf

SHA256
7d16df203b78d9258e39e5fb9f0f2a3f7e1ab35d78255b478a6006c8ccf56693

SHA512
b9785f5048adb525e0d861f2e8b5ce1af944e3103d68c21cba96ca289adbd3a6543537562b07f7b7d36ec87d56778db9fc4c6ef47729876c5d3359e42cbd0364

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\163418476.exe
Filesize
300KB

MD5
989649f0acd85e9e56f2cba1ee605613

SHA1
77bc371fdd4dfcefeac12c6520e70c54484fe8bf

SHA256
7d16df203b78d9258e39e5fb9f0f2a3f7e1ab35d78255b478a6006c8ccf56693

SHA512
b9785f5048adb525e0d861f2e8b5ce1af944e3103d68c21cba96ca289adbd3a6543537562b07f7b7d36ec87d56778db9fc4c6ef47729876c5d3359e42cbd0364

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\GD143077.exe
Filesize
1.3MB

MD5
b84b9a18e0c9a6827ec5dc42d995e717

SHA1
e5075785cf9b89739f8e4789b4c4a4300d260366

SHA256
182bc0ddf5eea8415db81392d06eb99f83f84348461c20e1ff8c44c433b45ae3

SHA512
f6cdfabd8c7b29d25ce270505a75b773a0565d6747364d9eeeb0b2e082e58e33782e955463541f90dfd165c4e660cb9d8af7802ba7bab07833912808857f96bf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\GD143077.exe
Filesize
1.3MB

MD5
b84b9a18e0c9a6827ec5dc42d995e717

SHA1
e5075785cf9b89739f8e4789b4c4a4300d260366

SHA256
182bc0ddf5eea8415db81392d06eb99f83f84348461c20e1ff8c44c433b45ae3

SHA512
f6cdfabd8c7b29d25ce270505a75b773a0565d6747364d9eeeb0b2e082e58e33782e955463541f90dfd165c4e660cb9d8af7802ba7bab07833912808857f96bf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\El633371.exe
Filesize
871KB

MD5
fb7ba724f3ae2aad2281edbbf236ba37

SHA1
5952d04b952dd5415db247bb64b7917b60eb17c9

SHA256
e6ba1716016e6b05debc4277ee27f43a1d7c5a1de43b4766abdb79f0cb83e3f0

SHA512
4a867e532c9b64997a5b7c2aef867a4faa1e4956b940a6caa8b17647cbc260cf60380e3e877a57664b29c8baf807e98a1dcd01ff097230b6216b597b1e710ec6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\El633371.exe
Filesize
871KB

MD5
fb7ba724f3ae2aad2281edbbf236ba37

SHA1
5952d04b952dd5415db247bb64b7917b60eb17c9

SHA256
e6ba1716016e6b05debc4277ee27f43a1d7c5a1de43b4766abdb79f0cb83e3f0

SHA512
4a867e532c9b64997a5b7c2aef867a4faa1e4956b940a6caa8b17647cbc260cf60380e3e877a57664b29c8baf807e98a1dcd01ff097230b6216b597b1e710ec6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\qw662530.exe
Filesize
699KB

MD5
586ea6fbf367a220ac8833785dc46752

SHA1
e9f29de92b6535d7d261459915e827e4ec763f50

SHA256
6d8f98b01fe82a5d2a4987126ca20ab78a8c45897c60c412b0c9f158ff700f90

SHA512
6df66555754c2f1326df62430011794c47b47aca0819c1735c87b80e90a110253f05cd5904c05b0e18447a62fc58e8272c4431ba169964e08804612a767a08c1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\qw662530.exe
Filesize
699KB

MD5
586ea6fbf367a220ac8833785dc46752

SHA1
e9f29de92b6535d7d261459915e827e4ec763f50

SHA256
6d8f98b01fe82a5d2a4987126ca20ab78a8c45897c60c412b0c9f158ff700f90

SHA512
6df66555754c2f1326df62430011794c47b47aca0819c1735c87b80e90a110253f05cd5904c05b0e18447a62fc58e8272c4431ba169964e08804612a767a08c1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\163418476.exe
Filesize
300KB

MD5
989649f0acd85e9e56f2cba1ee605613

SHA1
77bc371fdd4dfcefeac12c6520e70c54484fe8bf

SHA256
7d16df203b78d9258e39e5fb9f0f2a3f7e1ab35d78255b478a6006c8ccf56693

SHA512
b9785f5048adb525e0d861f2e8b5ce1af944e3103d68c21cba96ca289adbd3a6543537562b07f7b7d36ec87d56778db9fc4c6ef47729876c5d3359e42cbd0364

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\163418476.exe
Filesize
300KB

MD5
989649f0acd85e9e56f2cba1ee605613

SHA1
77bc371fdd4dfcefeac12c6520e70c54484fe8bf

SHA256
7d16df203b78d9258e39e5fb9f0f2a3f7e1ab35d78255b478a6006c8ccf56693

SHA512
b9785f5048adb525e0d861f2e8b5ce1af944e3103d68c21cba96ca289adbd3a6543537562b07f7b7d36ec87d56778db9fc4c6ef47729876c5d3359e42cbd0364

Download Submit
memory/1756-109-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-125-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-96-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/1756-97-0x00000000021C0000-0x0000000002216000-memory.dmp

Filesize
344KB

Download
memory/1756-98-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-99-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-101-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-103-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-107-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-105-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-94-0x0000000002000000-0x0000000002058000-memory.dmp

Filesize
352KB

Download
memory/1756-113-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-111-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-117-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-115-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-119-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-121-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-123-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-127-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-95-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/1756-129-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-131-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-135-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-133-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-139-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-137-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-145-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-147-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-143-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-141-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-151-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-149-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-153-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-157-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-155-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-161-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-159-0x00000000021C0000-0x0000000002211000-memory.dmp

Filesize
324KB

Download
memory/1756-167-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads