a4a0e26bb4aa352f66952902cc9704d130593adacb46017c0b2a1be2b7a9269d

Analysis

max time kernel
27s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14/06/2023, 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

2.6MB
MD5

4f4c902e1e3f5f09f5e9222dbe854d5e
SHA1

60c57e3ddf1cc2f542db8a34df9538106b9e1860
SHA256

a4a0e26bb4aa352f66952902cc9704d130593adacb46017c0b2a1be2b7a9269d
SHA512

858bcb91c9d3337ac0b580d0ecaed3765f4a901753d84d1571cb3768f8e28acaf08998561a60b6691d02d54bb68d7034ec6882cdfd3ba4e928251ff9f6d5ec6b
SSDEEP

49152:6/+TH+w4lItEGTDpE+GkIrHtGsZ3JUe495xxJbDjeFl3yx8v3gUua2LE/:qgH+rIhTG+fov3Jk9vxt2LCy3DmLE/

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
968	fgnuxjype.exe

Loads dropped DLL 2 IoCs

pid	Process
900	cmd.exe
968	fgnuxjype.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
968	fgnuxjype.exe
968	fgnuxjype.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 900	1212	file.exe	28
PID 1212 wrote to memory of 900	1212	file.exe	28
PID 1212 wrote to memory of 900	1212	file.exe	28
PID 1212 wrote to memory of 900	1212	file.exe	28
PID 1212 wrote to memory of 900	1212	file.exe	28
PID 1212 wrote to memory of 900	1212	file.exe	28
PID 1212 wrote to memory of 900	1212	file.exe	28
PID 900 wrote to memory of 968	900	cmd.exe	30
PID 900 wrote to memory of 968	900	cmd.exe	30
PID 900 wrote to memory of 968	900	cmd.exe	30
PID 900 wrote to memory of 968	900	cmd.exe	30
PID 900 wrote to memory of 968	900	cmd.exe	30
PID 900 wrote to memory of 968	900	cmd.exe	30
PID 900 wrote to memory of 968	900	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /d /c btjwsnhf.bat 1564361155
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fgnuxjype.exe
    fgnuxjype.exe limuctj.dat 1564361155
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\btjwsnhf.bat

Filesize
132B

MD5
84b95cef7846de1bafba2f35b53560fd

SHA1
ae6dddcc0524637b59e5018af825186bf9a4c513

SHA256
5f7e703ab568aefbb412e5042444ce0aaf54995dacbf2dd608f3944bdae7c975

SHA512
b374e91ad4085929be7bd3ff51dfa19e0715ee2c6ec748e2d3866480aaa77419e8d56b6f90d3c0bd7432b6611a157322ac0f3cb868cf242ccc87a26a78142689

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eakyyduec.dat

Filesize
1B

MD5
69691c7bdcc3ce6d5d8a1361f22d04ac

SHA1
c63ae6dd4fc9f9dda66970e827d13f7c73fe841c

SHA256
08f271887ce94707da822d5263bae19d5519cb3614e0daedc4c7ce5dab7473f1

SHA512
253405e03b91441a6dd354a9b72e040068b1bfe10e83eb1a64a086c05525d8ccae2bf09130c624af50d55c3522a4fbb7c18cfc8dd843e5f4801d9ad2b5164b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eakyyduec.dat.1

Filesize
3B

MD5
158b365b9eedcfaf539f5dedfd82ee97

SHA1
529f5d61ac99f60a8e473368eff1b32095a3e2bf

SHA256
39561f8af034137905f14ca7fd5a2c891bc12982f3f8ef2271e75e93433ffa90

SHA512
a1b231c2e6af432ee7df82e00d568819e12149af707d4c4fdd018b38cc4f9761062c5b7e497bd1b67e466b89e391520b88bf13f18c8b9ff646d82df740c05c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eakyyduec.dat.2

Filesize
33B

MD5
500ba63e2664798939744b8a8c9be982

SHA1
54743a77e4186cb327b803efb1ef5b3d4ac163ce

SHA256
4ebc21177ee9907f71a1641a0482603ced98e9d43389cac0ffb0b59f7343eeba

SHA512
9992b70de5867e2a00aff4f79c37ba71e827cbb104c192ebd4a553f91ae06a5b235f34e65d9d1145591c147e9e6726146cb92171945aa67b8f3294116a223fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eakyyduec.dat.3

Filesize
5.2MB

MD5
a452946137958e0cee844310f9e9fa7c

SHA1
8cf21ae4d1d764154048a02fb49412ef94094485

SHA256
088a5d04f2f6d6820bf1a6a390d9c0e00f88896c932848f0c97912b861479bb9

SHA512
ef3759e134c9b0eaaf300a57d335131faa91337497f572ef7eb1058e498a071d1741a6e0947ca9e95fe92b1ca163814ce6d1d706ad5ab010d47d18038b26beaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fgnuxjype.exe

Filesize
5.2MB

MD5
812d99a3d89b8de1b866ac960031e3df

SHA1
6817df1da376e8f6e68fd1ad06d78f02406b6e19

SHA256
9c5898b1b354b139794f10594e84e94e991971a54d179b2e9f746319ffac56aa

SHA512
85f72df2e679da3f337fc162ce3023d7d078c4433b49d3f4a16946fb0d2fdbadf5c736ff76e47bcdf920d5d90e05bf7f66ec9ca9fbe3f1d620cf33c046d857e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fgnuxjype.exe

Filesize
5.2MB

MD5
812d99a3d89b8de1b866ac960031e3df

SHA1
6817df1da376e8f6e68fd1ad06d78f02406b6e19

SHA256
9c5898b1b354b139794f10594e84e94e991971a54d179b2e9f746319ffac56aa

SHA512
85f72df2e679da3f337fc162ce3023d7d078c4433b49d3f4a16946fb0d2fdbadf5c736ff76e47bcdf920d5d90e05bf7f66ec9ca9fbe3f1d620cf33c046d857e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\limuctj.dat

Filesize
1001KB

MD5
576c914f0b9bc323eef56523450fa712

SHA1
60698cebc92ba35b374456e15e207524a6c4f376

SHA256
078d0cd9763c297668f580f4e2da2f4d3ac612a8a7031281709114f09c7a4d77

SHA512
56d2282ead3132171479ac61acffa2a71153942a5ede443a2c2cd21d8f304e2f270b83acb0895c01cbe771db4f7d62ed9111f577049c73964a5e4f1c26dda00f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\fgnuxjype.exe

Filesize
5.2MB

MD5
812d99a3d89b8de1b866ac960031e3df

SHA1
6817df1da376e8f6e68fd1ad06d78f02406b6e19

SHA256
9c5898b1b354b139794f10594e84e94e991971a54d179b2e9f746319ffac56aa

SHA512
85f72df2e679da3f337fc162ce3023d7d078c4433b49d3f4a16946fb0d2fdbadf5c736ff76e47bcdf920d5d90e05bf7f66ec9ca9fbe3f1d620cf33c046d857e7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\fgnuxjype.exe

Filesize
5.2MB

MD5
812d99a3d89b8de1b866ac960031e3df

SHA1
6817df1da376e8f6e68fd1ad06d78f02406b6e19

SHA256
9c5898b1b354b139794f10594e84e94e991971a54d179b2e9f746319ffac56aa

SHA512
85f72df2e679da3f337fc162ce3023d7d078c4433b49d3f4a16946fb0d2fdbadf5c736ff76e47bcdf920d5d90e05bf7f66ec9ca9fbe3f1d620cf33c046d857e7

Download Submit
memory/968-80-0x000000000D100000-0x000000000D101000-memory.dmp

Filesize
4KB

Download
memory/968-82-0x0000000007000000-0x0000000007001000-memory.dmp

Filesize
4KB

Download
memory/968-81-0x000000002C200000-0x000000002C201000-memory.dmp

Filesize
4KB

Download
memory/968-84-0x000000003D100000-0x000000003D101000-memory.dmp

Filesize
4KB

Download
memory/968-83-0x0000000034100000-0x0000000034101000-memory.dmp

Filesize
4KB

Download
memory/968-85-0x000000000DC00000-0x000000000DC01000-memory.dmp

Filesize
4KB

Download