5861034251e74c455471335dbb37e692036375268c61a903f02c095cbd7b6248

Analysis

max time kernel
135s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2023, 20:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5861034251e74c455471335dbb37e692036375268c61a903f02c095cbd7b6248.exe
Size

336KB
MD5

e0415214b4ed816d18c12c134992e9ce
SHA1

58881ed79566192adf2325b149c706df913a07ec
SHA256

5861034251e74c455471335dbb37e692036375268c61a903f02c095cbd7b6248
SHA512

aa36acae51009bd879ff8499b2f0caec5d89171a14586bf8c99328c17bdfea495d104d6c2f5971d81d2cfe4353991edc734ecafe8da734eeb456e7f5e6329aee
SSDEEP

6144:D/0uoy49jGQtYNILesRcB8/ACdwHWy1G0wlpbVUoS1AD63xoCDp0p8:DJv496ctRpB2HWJdjxzeAD63X0p8

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3560	KcsjdwUpdate5.2.0.0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5861034251e74c455471335dbb37e692036375268c61a903f02c095cbd7b6248.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5861034251e74c455471335dbb37e692036375268c61a903f02c095cbd7b6248.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 3560	4472	5861034251e74c455471335dbb37e692036375268c61a903f02c095cbd7b6248.exe	83
PID 4472 wrote to memory of 3560	4472	5861034251e74c455471335dbb37e692036375268c61a903f02c095cbd7b6248.exe	83

C:\Users\Admin\AppData\Local\Temp\5861034251e74c455471335dbb37e692036375268c61a903f02c095cbd7b6248.exe
"C:\Users\Admin\AppData\Local\Temp\5861034251e74c455471335dbb37e692036375268c61a903f02c095cbd7b6248.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KcsjdwUpdate5.2.0.0.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KcsjdwUpdate5.2.0.0.exe
  2⤵
  - Executes dropped EXE
  PID:3560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KcsjdwUpdate5.2.0.0.exe

Filesize
10KB

MD5
3a39121ff162cc717be123c0b12cbee9

SHA1
4989b31ac5cb3db44cea1127e42a20a32ba71d63

SHA256
f1574d0c86218079fc5bebd648aff8f6678151c0c84d732b8a25d4956a14402f

SHA512
57f2274192708eeae811cdf6a3ff4debfb8d162943c74bfac61b4e971d73426c619a63d759296eeaaaae06eb31cf61819767753eb13253ae172cf0165862f3ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KcsjdwUpdate5.2.0.0.exe

Filesize
10KB

MD5
3a39121ff162cc717be123c0b12cbee9

SHA1
4989b31ac5cb3db44cea1127e42a20a32ba71d63

SHA256
f1574d0c86218079fc5bebd648aff8f6678151c0c84d732b8a25d4956a14402f

SHA512
57f2274192708eeae811cdf6a3ff4debfb8d162943c74bfac61b4e971d73426c619a63d759296eeaaaae06eb31cf61819767753eb13253ae172cf0165862f3ad

Download Submit
memory/3560-142-0x00000000000A0000-0x00000000000A8000-memory.dmp

Filesize
32KB

Download
memory/3560-143-0x000000001B520000-0x000000001B9EE000-memory.dmp

Filesize
4.8MB

Download
memory/3560-144-0x000000001AF00000-0x000000001AF9C000-memory.dmp

Filesize
624KB

Download
memory/3560-145-0x0000000001F30000-0x0000000001F40000-memory.dmp

Filesize
64KB

Download
memory/3560-146-0x0000000001F10000-0x0000000001F18000-memory.dmp

Filesize
32KB

Download
memory/3560-147-0x0000000001F30000-0x0000000001F40000-memory.dmp

Filesize
64KB

Download
memory/3560-148-0x0000000001F30000-0x0000000001F40000-memory.dmp

Filesize
64KB

Download