e17fc106e6cc70992f1b6d7cde3f92754815cbb2006e2d433556ce53df3f3468

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21/05/2023, 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32332687.exe
Size

1022KB
MD5

8175da8c5354d12a697682e1dbca5341
SHA1

c003ca27b8858b9dc7e04f43f0651004d2b52ebd
SHA256

e17fc106e6cc70992f1b6d7cde3f92754815cbb2006e2d433556ce53df3f3468
SHA512

0b5979817ad3861a7e3187034315f7699f23ca567b8cbcb4f28afe734e885fbe858ff63b65d3001259ed7044377552604abf439f0590b54ea699a8d411158ac4
SSDEEP

24576:3yZzwlgg2RuWHgwHqOfJBPNXGa18lorO:CZzwa1NHgwHqOhB5kW

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1732	y3005022.exe
1808	y0544047.exe
676	k4831656.exe

Loads dropped DLL 6 IoCs

pid	Process
1216	32332687.exe
1732	y3005022.exe
1732	y3005022.exe
1808	y0544047.exe
1808	y0544047.exe
676	k4831656.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3005022.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y0544047.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y0544047.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	32332687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	32332687.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y3005022.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	676	k4831656.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 1732	1216	32332687.exe	28
PID 1216 wrote to memory of 1732	1216	32332687.exe	28
PID 1216 wrote to memory of 1732	1216	32332687.exe	28
PID 1216 wrote to memory of 1732	1216	32332687.exe	28
PID 1216 wrote to memory of 1732	1216	32332687.exe	28
PID 1216 wrote to memory of 1732	1216	32332687.exe	28
PID 1216 wrote to memory of 1732	1216	32332687.exe	28
PID 1732 wrote to memory of 1808	1732	y3005022.exe	29
PID 1732 wrote to memory of 1808	1732	y3005022.exe	29
PID 1732 wrote to memory of 1808	1732	y3005022.exe	29
PID 1732 wrote to memory of 1808	1732	y3005022.exe	29
PID 1732 wrote to memory of 1808	1732	y3005022.exe	29
PID 1732 wrote to memory of 1808	1732	y3005022.exe	29
PID 1732 wrote to memory of 1808	1732	y3005022.exe	29
PID 1808 wrote to memory of 676	1808	y0544047.exe	30
PID 1808 wrote to memory of 676	1808	y0544047.exe	30
PID 1808 wrote to memory of 676	1808	y0544047.exe	30
PID 1808 wrote to memory of 676	1808	y0544047.exe	30
PID 1808 wrote to memory of 676	1808	y0544047.exe	30
PID 1808 wrote to memory of 676	1808	y0544047.exe	30
PID 1808 wrote to memory of 676	1808	y0544047.exe	30

C:\Users\Admin\AppData\Local\Temp\32332687.exe
"C:\Users\Admin\AppData\Local\Temp\32332687.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3005022.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3005022.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0544047.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0544047.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4831656.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4831656.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3005022.exe

Filesize
750KB

MD5
6b7eff864e8d04e1c2d80d50f5e1618a

SHA1
e1cec32a7f539d2ac59b18a15877620025c7c467

SHA256
913bd9dca4daeaba7d52f013d24a1ee428ec2b719593df397d71101d0c5a8c8f

SHA512
4d899c309d00093a9919b33b37085d4bd1beb410fcc67efc02bc803355bc78aab13beb01539ed28f423ff5e2dbbb10d1e5818400b72eaeca9acfdabc974eb1dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3005022.exe

Filesize
750KB

MD5
6b7eff864e8d04e1c2d80d50f5e1618a

SHA1
e1cec32a7f539d2ac59b18a15877620025c7c467

SHA256
913bd9dca4daeaba7d52f013d24a1ee428ec2b719593df397d71101d0c5a8c8f

SHA512
4d899c309d00093a9919b33b37085d4bd1beb410fcc67efc02bc803355bc78aab13beb01539ed28f423ff5e2dbbb10d1e5818400b72eaeca9acfdabc974eb1dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0544047.exe

Filesize
305KB

MD5
9c1608b273bd0c7e2f58da967d80d86b

SHA1
3375b24c263e26b4ba2745005a7889755a24ba8c

SHA256
fab25633324720375941571e05c664343af3d433a0f290782eefa24960191840

SHA512
17dffa102cdbbc703f4258d2934b0c9b34336fb1668db0e21c3aee4a3ac96028c79fae475eb45cb5c17dfc7eaa906bd28af7764ec6caee0a12274e4e4249a013

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0544047.exe

Filesize
305KB

MD5
9c1608b273bd0c7e2f58da967d80d86b

SHA1
3375b24c263e26b4ba2745005a7889755a24ba8c

SHA256
fab25633324720375941571e05c664343af3d433a0f290782eefa24960191840

SHA512
17dffa102cdbbc703f4258d2934b0c9b34336fb1668db0e21c3aee4a3ac96028c79fae475eb45cb5c17dfc7eaa906bd28af7764ec6caee0a12274e4e4249a013

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4831656.exe

Filesize
185KB

MD5
d3ca1734023cffe53640bad039210e19

SHA1
027ff3144e476eeafbabc3acd493c9069b2e0c07

SHA256
864c4ca7838d90d37b56131c458131b8fcef9ce8a0e3f1c1d1433a4e7eae65ec

SHA512
e60d097ba3e37ad2ff4d0f988d3699af6ff1fa41f5e7f8501324c33869cd4866d9ca88655a09723dfcf2d7041a0fe2358bbee6b94b90daab10cc7ee3f1f27f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4831656.exe

Filesize
185KB

MD5
d3ca1734023cffe53640bad039210e19

SHA1
027ff3144e476eeafbabc3acd493c9069b2e0c07

SHA256
864c4ca7838d90d37b56131c458131b8fcef9ce8a0e3f1c1d1433a4e7eae65ec

SHA512
e60d097ba3e37ad2ff4d0f988d3699af6ff1fa41f5e7f8501324c33869cd4866d9ca88655a09723dfcf2d7041a0fe2358bbee6b94b90daab10cc7ee3f1f27f8b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3005022.exe

Filesize
750KB

MD5
6b7eff864e8d04e1c2d80d50f5e1618a

SHA1
e1cec32a7f539d2ac59b18a15877620025c7c467

SHA256
913bd9dca4daeaba7d52f013d24a1ee428ec2b719593df397d71101d0c5a8c8f

SHA512
4d899c309d00093a9919b33b37085d4bd1beb410fcc67efc02bc803355bc78aab13beb01539ed28f423ff5e2dbbb10d1e5818400b72eaeca9acfdabc974eb1dd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3005022.exe

Filesize
750KB

MD5
6b7eff864e8d04e1c2d80d50f5e1618a

SHA1
e1cec32a7f539d2ac59b18a15877620025c7c467

SHA256
913bd9dca4daeaba7d52f013d24a1ee428ec2b719593df397d71101d0c5a8c8f

SHA512
4d899c309d00093a9919b33b37085d4bd1beb410fcc67efc02bc803355bc78aab13beb01539ed28f423ff5e2dbbb10d1e5818400b72eaeca9acfdabc974eb1dd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0544047.exe

Filesize
305KB

MD5
9c1608b273bd0c7e2f58da967d80d86b

SHA1
3375b24c263e26b4ba2745005a7889755a24ba8c

SHA256
fab25633324720375941571e05c664343af3d433a0f290782eefa24960191840

SHA512
17dffa102cdbbc703f4258d2934b0c9b34336fb1668db0e21c3aee4a3ac96028c79fae475eb45cb5c17dfc7eaa906bd28af7764ec6caee0a12274e4e4249a013

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0544047.exe

Filesize
305KB

MD5
9c1608b273bd0c7e2f58da967d80d86b

SHA1
3375b24c263e26b4ba2745005a7889755a24ba8c

SHA256
fab25633324720375941571e05c664343af3d433a0f290782eefa24960191840

SHA512
17dffa102cdbbc703f4258d2934b0c9b34336fb1668db0e21c3aee4a3ac96028c79fae475eb45cb5c17dfc7eaa906bd28af7764ec6caee0a12274e4e4249a013

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4831656.exe

Filesize
185KB

MD5
d3ca1734023cffe53640bad039210e19

SHA1
027ff3144e476eeafbabc3acd493c9069b2e0c07

SHA256
864c4ca7838d90d37b56131c458131b8fcef9ce8a0e3f1c1d1433a4e7eae65ec

SHA512
e60d097ba3e37ad2ff4d0f988d3699af6ff1fa41f5e7f8501324c33869cd4866d9ca88655a09723dfcf2d7041a0fe2358bbee6b94b90daab10cc7ee3f1f27f8b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4831656.exe

Filesize
185KB

MD5
d3ca1734023cffe53640bad039210e19

SHA1
027ff3144e476eeafbabc3acd493c9069b2e0c07

SHA256
864c4ca7838d90d37b56131c458131b8fcef9ce8a0e3f1c1d1433a4e7eae65ec

SHA512
e60d097ba3e37ad2ff4d0f988d3699af6ff1fa41f5e7f8501324c33869cd4866d9ca88655a09723dfcf2d7041a0fe2358bbee6b94b90daab10cc7ee3f1f27f8b

Download Submit
memory/676-88-0x0000000002130000-0x0000000002146000-memory.dmp

Filesize
88KB

Download
memory/676-85-0x0000000004A70000-0x0000000004AB0000-memory.dmp

Filesize
256KB

Download
memory/676-86-0x0000000002130000-0x000000000214C000-memory.dmp

Filesize
112KB

Download
memory/676-87-0x0000000002130000-0x0000000002146000-memory.dmp

Filesize
88KB

Download
memory/676-84-0x0000000000B00000-0x0000000000B1E000-memory.dmp

Filesize
120KB

Download
memory/676-90-0x0000000002130000-0x0000000002146000-memory.dmp

Filesize
88KB

Download
memory/676-92-0x0000000002130000-0x0000000002146000-memory.dmp

Filesize
88KB

Download
memory/676-94-0x0000000002130000-0x0000000002146000-memory.dmp

Filesize
88KB

Download
memory/676-96-0x0000000004A70000-0x0000000004AB0000-memory.dmp

Filesize
256KB

Download
memory/676-97-0x0000000004A70000-0x0000000004AB0000-memory.dmp

Filesize
256KB

Download
memory/676-98-0x0000000004A70000-0x0000000004AB0000-memory.dmp

Filesize
256KB

Download