f34d4e905b825bc55b30979ac3b1e25645bd5b87fffba3760d869a55247aecb1

Analysis

max time kernel
70s
max time network
35s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14/05/2023, 18:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f34d4e905b825bc55b30979ac3b1e25645bd5b87fffba3760d869a55247aecb1.exe
Size

1.1MB
MD5

d660aeb2d972c8e854e9699fa5ce3c41
SHA1

8e10b8a503de6ee01a59e22bc2a685a257c66c6a
SHA256

f34d4e905b825bc55b30979ac3b1e25645bd5b87fffba3760d869a55247aecb1
SHA512

a20806da00c093115178527517b3304e6651bb89f8f2af163c032019facdb8f7925d60e23a422912e1732e46fc81120a65208de015c558d2b27e155bbe1fae3a
SSDEEP

24576:jysODbGQ5Nq2FfvHdu5Zy2qoXGA5zCrnJ9ljZr/AXYVJeq9WsM:27bfNq2FffTkyJh0SJ99p

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1080	y7776558.exe
636	y9039116.exe
2040	k0607795.exe

Loads dropped DLL 6 IoCs

pid	Process
1160	f34d4e905b825bc55b30979ac3b1e25645bd5b87fffba3760d869a55247aecb1.exe
1080	y7776558.exe
1080	y7776558.exe
636	y9039116.exe
636	y9039116.exe
2040	k0607795.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y9039116.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y9039116.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f34d4e905b825bc55b30979ac3b1e25645bd5b87fffba3760d869a55247aecb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f34d4e905b825bc55b30979ac3b1e25645bd5b87fffba3760d869a55247aecb1.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y7776558.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7776558.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	k0607795.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 1080	1160	f34d4e905b825bc55b30979ac3b1e25645bd5b87fffba3760d869a55247aecb1.exe	27
PID 1160 wrote to memory of 1080	1160	f34d4e905b825bc55b30979ac3b1e25645bd5b87fffba3760d869a55247aecb1.exe	27
PID 1160 wrote to memory of 1080	1160	f34d4e905b825bc55b30979ac3b1e25645bd5b87fffba3760d869a55247aecb1.exe	27
PID 1160 wrote to memory of 1080	1160	f34d4e905b825bc55b30979ac3b1e25645bd5b87fffba3760d869a55247aecb1.exe	27
PID 1160 wrote to memory of 1080	1160	f34d4e905b825bc55b30979ac3b1e25645bd5b87fffba3760d869a55247aecb1.exe	27
PID 1160 wrote to memory of 1080	1160	f34d4e905b825bc55b30979ac3b1e25645bd5b87fffba3760d869a55247aecb1.exe	27
PID 1160 wrote to memory of 1080	1160	f34d4e905b825bc55b30979ac3b1e25645bd5b87fffba3760d869a55247aecb1.exe	27
PID 1080 wrote to memory of 636	1080	y7776558.exe	28
PID 1080 wrote to memory of 636	1080	y7776558.exe	28
PID 1080 wrote to memory of 636	1080	y7776558.exe	28
PID 1080 wrote to memory of 636	1080	y7776558.exe	28
PID 1080 wrote to memory of 636	1080	y7776558.exe	28
PID 1080 wrote to memory of 636	1080	y7776558.exe	28
PID 1080 wrote to memory of 636	1080	y7776558.exe	28
PID 636 wrote to memory of 2040	636	y9039116.exe	29
PID 636 wrote to memory of 2040	636	y9039116.exe	29
PID 636 wrote to memory of 2040	636	y9039116.exe	29
PID 636 wrote to memory of 2040	636	y9039116.exe	29
PID 636 wrote to memory of 2040	636	y9039116.exe	29
PID 636 wrote to memory of 2040	636	y9039116.exe	29
PID 636 wrote to memory of 2040	636	y9039116.exe	29

C:\Users\Admin\AppData\Local\Temp\f34d4e905b825bc55b30979ac3b1e25645bd5b87fffba3760d869a55247aecb1.exe
"C:\Users\Admin\AppData\Local\Temp\f34d4e905b825bc55b30979ac3b1e25645bd5b87fffba3760d869a55247aecb1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7776558.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7776558.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9039116.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9039116.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0607795.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0607795.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7776558.exe

Filesize
751KB

MD5
7f98abd86a0a90f1f9184b94ffeb4f0a

SHA1
621f8e424a61760f0bf64e465161494295c7f6e3

SHA256
08d365a57712b477c29cefe4d5733851dda6ea5590642f20af66e25bb2e50caa

SHA512
2eb2b6279222bd8386da94c49d8818b94fda4a06f1a72a043f78b0f34efe4e13a6c211d9ba05cb3d9d54836b0236d2be8f0e2f977aa8254c07c43358f64aab2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7776558.exe

Filesize
751KB

MD5
7f98abd86a0a90f1f9184b94ffeb4f0a

SHA1
621f8e424a61760f0bf64e465161494295c7f6e3

SHA256
08d365a57712b477c29cefe4d5733851dda6ea5590642f20af66e25bb2e50caa

SHA512
2eb2b6279222bd8386da94c49d8818b94fda4a06f1a72a043f78b0f34efe4e13a6c211d9ba05cb3d9d54836b0236d2be8f0e2f977aa8254c07c43358f64aab2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9039116.exe

Filesize
306KB

MD5
c6d6f20a08aee8207ef4be402eba05bf

SHA1
1b8a5db9c68b6787c794ba8da3d9d7c23a063bd6

SHA256
8839715ccdc1ecacbab8f1af1a14c7efe13afedfafaf5354f63ffe5744d1881f

SHA512
ed724609b4e997c8e0051590bf4241ef8382435222022aebf291885524a2791088c26985533f91522d612cc69415b546e6a58288928ce0b086b35e2c551fd42c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9039116.exe

Filesize
306KB

MD5
c6d6f20a08aee8207ef4be402eba05bf

SHA1
1b8a5db9c68b6787c794ba8da3d9d7c23a063bd6

SHA256
8839715ccdc1ecacbab8f1af1a14c7efe13afedfafaf5354f63ffe5744d1881f

SHA512
ed724609b4e997c8e0051590bf4241ef8382435222022aebf291885524a2791088c26985533f91522d612cc69415b546e6a58288928ce0b086b35e2c551fd42c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0607795.exe

Filesize
185KB

MD5
78b0e66b52c24b93c5ac47b7cbca74b9

SHA1
e65251901d1735259599dacb041af723b5b32964

SHA256
3981c40d173fd07499c80d71a99a67b47598db1bc8b6857e52a8ac09d20ecb0c

SHA512
c7c4aea77c45c39e7498b7e8cd7152fcb43e8a965da0c9011720d8cc72a8d68f8ccd63fe793ecef8e59b24cb6f75f4409864bcc5f1fd1831dfb694ac5f9ed6d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0607795.exe

Filesize
185KB

MD5
78b0e66b52c24b93c5ac47b7cbca74b9

SHA1
e65251901d1735259599dacb041af723b5b32964

SHA256
3981c40d173fd07499c80d71a99a67b47598db1bc8b6857e52a8ac09d20ecb0c

SHA512
c7c4aea77c45c39e7498b7e8cd7152fcb43e8a965da0c9011720d8cc72a8d68f8ccd63fe793ecef8e59b24cb6f75f4409864bcc5f1fd1831dfb694ac5f9ed6d8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7776558.exe

Filesize
751KB

MD5
7f98abd86a0a90f1f9184b94ffeb4f0a

SHA1
621f8e424a61760f0bf64e465161494295c7f6e3

SHA256
08d365a57712b477c29cefe4d5733851dda6ea5590642f20af66e25bb2e50caa

SHA512
2eb2b6279222bd8386da94c49d8818b94fda4a06f1a72a043f78b0f34efe4e13a6c211d9ba05cb3d9d54836b0236d2be8f0e2f977aa8254c07c43358f64aab2d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7776558.exe

Filesize
751KB

MD5
7f98abd86a0a90f1f9184b94ffeb4f0a

SHA1
621f8e424a61760f0bf64e465161494295c7f6e3

SHA256
08d365a57712b477c29cefe4d5733851dda6ea5590642f20af66e25bb2e50caa

SHA512
2eb2b6279222bd8386da94c49d8818b94fda4a06f1a72a043f78b0f34efe4e13a6c211d9ba05cb3d9d54836b0236d2be8f0e2f977aa8254c07c43358f64aab2d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9039116.exe

Filesize
306KB

MD5
c6d6f20a08aee8207ef4be402eba05bf

SHA1
1b8a5db9c68b6787c794ba8da3d9d7c23a063bd6

SHA256
8839715ccdc1ecacbab8f1af1a14c7efe13afedfafaf5354f63ffe5744d1881f

SHA512
ed724609b4e997c8e0051590bf4241ef8382435222022aebf291885524a2791088c26985533f91522d612cc69415b546e6a58288928ce0b086b35e2c551fd42c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9039116.exe

Filesize
306KB

MD5
c6d6f20a08aee8207ef4be402eba05bf

SHA1
1b8a5db9c68b6787c794ba8da3d9d7c23a063bd6

SHA256
8839715ccdc1ecacbab8f1af1a14c7efe13afedfafaf5354f63ffe5744d1881f

SHA512
ed724609b4e997c8e0051590bf4241ef8382435222022aebf291885524a2791088c26985533f91522d612cc69415b546e6a58288928ce0b086b35e2c551fd42c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0607795.exe

Filesize
185KB

MD5
78b0e66b52c24b93c5ac47b7cbca74b9

SHA1
e65251901d1735259599dacb041af723b5b32964

SHA256
3981c40d173fd07499c80d71a99a67b47598db1bc8b6857e52a8ac09d20ecb0c

SHA512
c7c4aea77c45c39e7498b7e8cd7152fcb43e8a965da0c9011720d8cc72a8d68f8ccd63fe793ecef8e59b24cb6f75f4409864bcc5f1fd1831dfb694ac5f9ed6d8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0607795.exe

Filesize
185KB

MD5
78b0e66b52c24b93c5ac47b7cbca74b9

SHA1
e65251901d1735259599dacb041af723b5b32964

SHA256
3981c40d173fd07499c80d71a99a67b47598db1bc8b6857e52a8ac09d20ecb0c

SHA512
c7c4aea77c45c39e7498b7e8cd7152fcb43e8a965da0c9011720d8cc72a8d68f8ccd63fe793ecef8e59b24cb6f75f4409864bcc5f1fd1831dfb694ac5f9ed6d8

Download Submit
memory/2040-84-0x0000000000610000-0x000000000062E000-memory.dmp

Filesize
120KB

Download
memory/2040-85-0x0000000002010000-0x000000000202C000-memory.dmp

Filesize
112KB

Download
memory/2040-86-0x0000000002010000-0x0000000002026000-memory.dmp

Filesize
88KB

Download
memory/2040-87-0x0000000002010000-0x0000000002026000-memory.dmp

Filesize
88KB

Download
memory/2040-89-0x0000000002010000-0x0000000002026000-memory.dmp

Filesize
88KB

Download
memory/2040-91-0x0000000002010000-0x0000000002026000-memory.dmp

Filesize
88KB

Download
memory/2040-93-0x0000000002010000-0x0000000002026000-memory.dmp

Filesize
88KB

Download
memory/2040-95-0x00000000020A0000-0x00000000020E0000-memory.dmp

Filesize
256KB

Download
memory/2040-96-0x00000000020A0000-0x00000000020E0000-memory.dmp

Filesize
256KB

Download
memory/2040-97-0x00000000020A0000-0x00000000020E0000-memory.dmp

Filesize
256KB

Download