c3fe8dc8b58dc3161c45a620d12ca5a2f3569516e8c9b8c727bc48311fc4988b

Analysis

max time kernel
1s
max time network
17s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2023 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3fe8dc8b58dc3161c45a620d12ca5a2f3569516e8c9b8c727bc48311fc4988b.exe
Size

480KB
MD5

659b0f33372db1b9322e16e4acb88d97
SHA1

6c8c4faabc456b6ef9b9b4d318b61bf700a327b4
SHA256

c3fe8dc8b58dc3161c45a620d12ca5a2f3569516e8c9b8c727bc48311fc4988b
SHA512

5b26041ff482549a106f6795caa1f110d4283f2fa280160e0c0ee9f3c5f58e48c3524ee02d26300087214addd51dff2ea2190dc3a11ecfd6f858d1263d85c2c2
SSDEEP

6144:K7y+bnr+mp0yN90QEDqqp3TGZFeWEZaF/5d7pxBKAAI9LerOZdrISl6xLuO6wblt:5MrCy90AM3CZ+qb7pjKA9Lei3sLsqhv

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5100	v2054262.exe
2868	a4083302.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c3fe8dc8b58dc3161c45a620d12ca5a2f3569516e8c9b8c727bc48311fc4988b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c3fe8dc8b58dc3161c45a620d12ca5a2f3569516e8c9b8c727bc48311fc4988b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2054262.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2054262.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 5100	4532	c3fe8dc8b58dc3161c45a620d12ca5a2f3569516e8c9b8c727bc48311fc4988b.exe	85
PID 4532 wrote to memory of 5100	4532	c3fe8dc8b58dc3161c45a620d12ca5a2f3569516e8c9b8c727bc48311fc4988b.exe	85
PID 4532 wrote to memory of 5100	4532	c3fe8dc8b58dc3161c45a620d12ca5a2f3569516e8c9b8c727bc48311fc4988b.exe	85
PID 5100 wrote to memory of 2868	5100	v2054262.exe	86
PID 5100 wrote to memory of 2868	5100	v2054262.exe	86
PID 5100 wrote to memory of 2868	5100	v2054262.exe	86

C:\Users\Admin\AppData\Local\Temp\c3fe8dc8b58dc3161c45a620d12ca5a2f3569516e8c9b8c727bc48311fc4988b.exe
"C:\Users\Admin\AppData\Local\Temp\c3fe8dc8b58dc3161c45a620d12ca5a2f3569516e8c9b8c727bc48311fc4988b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2054262.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2054262.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4083302.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4083302.exe
    3⤵
    - Executes dropped EXE
    PID:2868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2054262.exe

Filesize
309KB

MD5
150eb56bd3f0ef6298027d5795888eae

SHA1
d5119cf6b2769e6eb8bf735b2884bf8017f76ee9

SHA256
27b52d93944975a91f6af5dea6a6f4cb8f64887520596184ec58e0a9dbb051d3

SHA512
c44a08031f1256ba5b857a28d849d44c76de4a2aa77ddcb4db3f1273557b435371cd189ba030cdaceb8024fa5b72c299315b8475d8c40216b482bfdf7af896f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2054262.exe

Filesize
309KB

MD5
150eb56bd3f0ef6298027d5795888eae

SHA1
d5119cf6b2769e6eb8bf735b2884bf8017f76ee9

SHA256
27b52d93944975a91f6af5dea6a6f4cb8f64887520596184ec58e0a9dbb051d3

SHA512
c44a08031f1256ba5b857a28d849d44c76de4a2aa77ddcb4db3f1273557b435371cd189ba030cdaceb8024fa5b72c299315b8475d8c40216b482bfdf7af896f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4083302.exe

Filesize
180KB

MD5
f615f7ec9666806eab32c9f217f190ed

SHA1
f99466e5389aabd96c3fc2e195bd01d5d49ae66a

SHA256
8c80355dc3b78e5d3cdecebc7156dacb46ae7d8dc4aba0ee101aa8cf838e11d5

SHA512
8cd8516a0976ada65d2b0d15a4690696dde3eddc5691c39e791cd2a2d5ed92a218ff55a68409704e3d289078bfd93f1257d5b288bc733b3e230f45c9195d5009

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4083302.exe

Filesize
180KB

MD5
f615f7ec9666806eab32c9f217f190ed

SHA1
f99466e5389aabd96c3fc2e195bd01d5d49ae66a

SHA256
8c80355dc3b78e5d3cdecebc7156dacb46ae7d8dc4aba0ee101aa8cf838e11d5

SHA512
8cd8516a0976ada65d2b0d15a4690696dde3eddc5691c39e791cd2a2d5ed92a218ff55a68409704e3d289078bfd93f1257d5b288bc733b3e230f45c9195d5009

Download Submit