ccc04c5a527ac230f83d6080d2b00cff035892bb1c50a9a495c8dd484365a8c0

Analysis

max time kernel
29s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14-05-2023 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccc04c5a527ac230f83d6080d2b00cff035892bb1c50a9a495c8dd484365a8c0.exe
Size

1.1MB
MD5

32fe44fc0a6d3c7577ff18c2fb40508e
SHA1

67aa82dc154ae99b0b5124f43fcd4e7aa1bd671e
SHA256

ccc04c5a527ac230f83d6080d2b00cff035892bb1c50a9a495c8dd484365a8c0
SHA512

7f78bc41d971f6e081a1172508b9f9d4dec7d00022759f6fed27f0da59e0abb1dd669b950178734ecdf4859a864e6ea07773fc20b7ea677fab9f393f94ea64c3
SSDEEP

24576:ay2uztqinq/Q99lIvducJs1ST3jnZWPVWtyGr5lqQdbvTCgVf:h24qinqI99ODs1ST3jnMPVWUMHqQdbv

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

z7463897.exez7496759.exeo6641669.exe

pid process

1724 z7463897.exe
1988 z7496759.exe
572 o6641669.exe

pid	process
1724	z7463897.exe
1988	z7496759.exe
572	o6641669.exe

Loads dropped DLL 6 IoCs

Processes:

ccc04c5a527ac230f83d6080d2b00cff035892bb1c50a9a495c8dd484365a8c0.exez7463897.exez7496759.exeo6641669.exe

pid	process
2044	ccc04c5a527ac230f83d6080d2b00cff035892bb1c50a9a495c8dd484365a8c0.exe
1724	z7463897.exe
1724	z7463897.exe
1988	z7496759.exe
1988	z7496759.exe
572	o6641669.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ccc04c5a527ac230f83d6080d2b00cff035892bb1c50a9a495c8dd484365a8c0.exez7463897.exez7496759.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ccc04c5a527ac230f83d6080d2b00cff035892bb1c50a9a495c8dd484365a8c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ccc04c5a527ac230f83d6080d2b00cff035892bb1c50a9a495c8dd484365a8c0.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z7463897.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z7463897.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z7496759.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z7496759.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

o6641669.exe

description pid process

Token: SeDebugPrivilege 572 o6641669.exe

description	pid	process
Token: SeDebugPrivilege	572	o6641669.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

ccc04c5a527ac230f83d6080d2b00cff035892bb1c50a9a495c8dd484365a8c0.exez7463897.exez7496759.exe

description	pid	process	target process
PID 2044 wrote to memory of 1724	2044	ccc04c5a527ac230f83d6080d2b00cff035892bb1c50a9a495c8dd484365a8c0.exe	z7463897.exe
PID 2044 wrote to memory of 1724	2044	ccc04c5a527ac230f83d6080d2b00cff035892bb1c50a9a495c8dd484365a8c0.exe	z7463897.exe
PID 2044 wrote to memory of 1724	2044	ccc04c5a527ac230f83d6080d2b00cff035892bb1c50a9a495c8dd484365a8c0.exe	z7463897.exe
PID 2044 wrote to memory of 1724	2044	ccc04c5a527ac230f83d6080d2b00cff035892bb1c50a9a495c8dd484365a8c0.exe	z7463897.exe
PID 2044 wrote to memory of 1724	2044	ccc04c5a527ac230f83d6080d2b00cff035892bb1c50a9a495c8dd484365a8c0.exe	z7463897.exe
PID 2044 wrote to memory of 1724	2044	ccc04c5a527ac230f83d6080d2b00cff035892bb1c50a9a495c8dd484365a8c0.exe	z7463897.exe
PID 2044 wrote to memory of 1724	2044	ccc04c5a527ac230f83d6080d2b00cff035892bb1c50a9a495c8dd484365a8c0.exe	z7463897.exe
PID 1724 wrote to memory of 1988	1724	z7463897.exe	z7496759.exe
PID 1724 wrote to memory of 1988	1724	z7463897.exe	z7496759.exe
PID 1724 wrote to memory of 1988	1724	z7463897.exe	z7496759.exe
PID 1724 wrote to memory of 1988	1724	z7463897.exe	z7496759.exe
PID 1724 wrote to memory of 1988	1724	z7463897.exe	z7496759.exe
PID 1724 wrote to memory of 1988	1724	z7463897.exe	z7496759.exe
PID 1724 wrote to memory of 1988	1724	z7463897.exe	z7496759.exe
PID 1988 wrote to memory of 572	1988	z7496759.exe	o6641669.exe
PID 1988 wrote to memory of 572	1988	z7496759.exe	o6641669.exe
PID 1988 wrote to memory of 572	1988	z7496759.exe	o6641669.exe
PID 1988 wrote to memory of 572	1988	z7496759.exe	o6641669.exe
PID 1988 wrote to memory of 572	1988	z7496759.exe	o6641669.exe
PID 1988 wrote to memory of 572	1988	z7496759.exe	o6641669.exe
PID 1988 wrote to memory of 572	1988	z7496759.exe	o6641669.exe

C:\Users\Admin\AppData\Local\Temp\ccc04c5a527ac230f83d6080d2b00cff035892bb1c50a9a495c8dd484365a8c0.exe
"C:\Users\Admin\AppData\Local\Temp\ccc04c5a527ac230f83d6080d2b00cff035892bb1c50a9a495c8dd484365a8c0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7463897.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7463897.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7496759.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7496759.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6641669.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6641669.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:572

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7463897.exe
Filesize
700KB

MD5
dc7fec55dfd14891e2b306c01f72fde0

SHA1
90ca2845ae010330078e7410edac47a024c87f5b

SHA256
f5b28240c8e0d710feaf1c2b8c9d6da9a642bb395e40a182b798dbdd815c2df2

SHA512
62039c7e9005a05aef53c0d800b1891ef0116113c19173a5bb1636eac98f53e0475682dad4ea73aa74ff0759c4eb4e7d0446e134139669025ce30fe56f4338f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7463897.exe
Filesize
700KB

MD5
dc7fec55dfd14891e2b306c01f72fde0

SHA1
90ca2845ae010330078e7410edac47a024c87f5b

SHA256
f5b28240c8e0d710feaf1c2b8c9d6da9a642bb395e40a182b798dbdd815c2df2

SHA512
62039c7e9005a05aef53c0d800b1891ef0116113c19173a5bb1636eac98f53e0475682dad4ea73aa74ff0759c4eb4e7d0446e134139669025ce30fe56f4338f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7496759.exe
Filesize
305KB

MD5
526117a648d8efba4bab51d44b1d1765

SHA1
52b22a14f2c0d204e29699ccc3020ed5cee2be2a

SHA256
a30fad5ac0fbf444979666e1f6b72d870ee97bc5fc17f388fa9c4e765746b3c7

SHA512
84ccd0f6f4b15923eb751ac09e83cbd37d4be5cd50f42afec5b12fa89b5c48ac3a5e5fd80b3fb3de1c61497993a4a33b671aa1e32f47ea8e34fba06baa8f5ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7496759.exe
Filesize
305KB

MD5
526117a648d8efba4bab51d44b1d1765

SHA1
52b22a14f2c0d204e29699ccc3020ed5cee2be2a

SHA256
a30fad5ac0fbf444979666e1f6b72d870ee97bc5fc17f388fa9c4e765746b3c7

SHA512
84ccd0f6f4b15923eb751ac09e83cbd37d4be5cd50f42afec5b12fa89b5c48ac3a5e5fd80b3fb3de1c61497993a4a33b671aa1e32f47ea8e34fba06baa8f5ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6641669.exe
Filesize
183KB

MD5
f538b59d2c51c27daf26beeb862ee0f2

SHA1
4edd3110a1d5b765bb63b09b9195c75f1f2871b9

SHA256
03e24c7abc2b8618c721e4d4d6b9ee99a557e99d4b54f68bbd9e66cef083a657

SHA512
e4a9158c9fdee9cf0074a6440632eea38c57d65078c3a48c243043c7aeb8440556da1ea86f7f56054245b4515931f76e4bae0706fce8e0274fe1bb5a700e022e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6641669.exe
Filesize
183KB

MD5
f538b59d2c51c27daf26beeb862ee0f2

SHA1
4edd3110a1d5b765bb63b09b9195c75f1f2871b9

SHA256
03e24c7abc2b8618c721e4d4d6b9ee99a557e99d4b54f68bbd9e66cef083a657

SHA512
e4a9158c9fdee9cf0074a6440632eea38c57d65078c3a48c243043c7aeb8440556da1ea86f7f56054245b4515931f76e4bae0706fce8e0274fe1bb5a700e022e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7463897.exe
Filesize
700KB

MD5
dc7fec55dfd14891e2b306c01f72fde0

SHA1
90ca2845ae010330078e7410edac47a024c87f5b

SHA256
f5b28240c8e0d710feaf1c2b8c9d6da9a642bb395e40a182b798dbdd815c2df2

SHA512
62039c7e9005a05aef53c0d800b1891ef0116113c19173a5bb1636eac98f53e0475682dad4ea73aa74ff0759c4eb4e7d0446e134139669025ce30fe56f4338f4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7463897.exe
Filesize
700KB

MD5
dc7fec55dfd14891e2b306c01f72fde0

SHA1
90ca2845ae010330078e7410edac47a024c87f5b

SHA256
f5b28240c8e0d710feaf1c2b8c9d6da9a642bb395e40a182b798dbdd815c2df2

SHA512
62039c7e9005a05aef53c0d800b1891ef0116113c19173a5bb1636eac98f53e0475682dad4ea73aa74ff0759c4eb4e7d0446e134139669025ce30fe56f4338f4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7496759.exe
Filesize
305KB

MD5
526117a648d8efba4bab51d44b1d1765

SHA1
52b22a14f2c0d204e29699ccc3020ed5cee2be2a

SHA256
a30fad5ac0fbf444979666e1f6b72d870ee97bc5fc17f388fa9c4e765746b3c7

SHA512
84ccd0f6f4b15923eb751ac09e83cbd37d4be5cd50f42afec5b12fa89b5c48ac3a5e5fd80b3fb3de1c61497993a4a33b671aa1e32f47ea8e34fba06baa8f5ab6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7496759.exe
Filesize
305KB

MD5
526117a648d8efba4bab51d44b1d1765

SHA1
52b22a14f2c0d204e29699ccc3020ed5cee2be2a

SHA256
a30fad5ac0fbf444979666e1f6b72d870ee97bc5fc17f388fa9c4e765746b3c7

SHA512
84ccd0f6f4b15923eb751ac09e83cbd37d4be5cd50f42afec5b12fa89b5c48ac3a5e5fd80b3fb3de1c61497993a4a33b671aa1e32f47ea8e34fba06baa8f5ab6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6641669.exe
Filesize
183KB

MD5
f538b59d2c51c27daf26beeb862ee0f2

SHA1
4edd3110a1d5b765bb63b09b9195c75f1f2871b9

SHA256
03e24c7abc2b8618c721e4d4d6b9ee99a557e99d4b54f68bbd9e66cef083a657

SHA512
e4a9158c9fdee9cf0074a6440632eea38c57d65078c3a48c243043c7aeb8440556da1ea86f7f56054245b4515931f76e4bae0706fce8e0274fe1bb5a700e022e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\o6641669.exe
Filesize
183KB

MD5
f538b59d2c51c27daf26beeb862ee0f2

SHA1
4edd3110a1d5b765bb63b09b9195c75f1f2871b9

SHA256
03e24c7abc2b8618c721e4d4d6b9ee99a557e99d4b54f68bbd9e66cef083a657

SHA512
e4a9158c9fdee9cf0074a6440632eea38c57d65078c3a48c243043c7aeb8440556da1ea86f7f56054245b4515931f76e4bae0706fce8e0274fe1bb5a700e022e

Download Submit
memory/572-84-0x0000000000810000-0x000000000082E000-memory.dmp

Filesize
120KB

Download
memory/572-85-0x0000000000AE0000-0x0000000000AFC000-memory.dmp

Filesize
112KB

Download
memory/572-86-0x0000000004950000-0x0000000004990000-memory.dmp

Filesize
256KB

Download
memory/572-87-0x0000000004950000-0x0000000004990000-memory.dmp

Filesize
256KB

Download
memory/572-88-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/572-89-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/572-91-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/572-93-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/572-95-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/572-97-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/572-99-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/572-101-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/572-103-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/572-105-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/572-107-0x0000000004950000-0x0000000004990000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads