7ea86dca8eeaedcaa4a17370547ca2cea9e9b6774972b8e03d2cb1fb0e798669

Analysis

max time kernel
26s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14/06/2023, 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Microsoft_DotNetFXCHS2.0 x64.exe
Size

45.2MB
MD5

1f383f3a372dcdd89cd40bc65af05b37
SHA1

e59cca309463a5d98daeaada83d1b05fed5126c5
SHA256

7ea86dca8eeaedcaa4a17370547ca2cea9e9b6774972b8e03d2cb1fb0e798669
SHA512

78b513540488353f9072946721b93c09e69bea2e980415d074a95dfcff8534e1a79bdb646b357ffb232910baf2ed266550391bfd6060c894cc4733d9a5026709
SSDEEP

786432:bj6+x5NFMr1wSCVs/+/5ADhGacPEW9Qc4RXmnEzPj7D0mVEQd1V3FdEgOn/3wr8p:HjMr1wPc+xVXPEWuc4xLzPfD0mV9d1VM

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
616	Install.exe
1280	Process not Found

Loads dropped DLL 4 IoCs

pid	Process
1420	Microsoft_DotNetFXCHS2.0 x64.exe
1420	Microsoft_DotNetFXCHS2.0 x64.exe
616	Install.exe
616	Install.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Microsoft_DotNetFXCHS2.0 x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Microsoft_DotNetFXCHS2.0 x64.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 616	1420	Microsoft_DotNetFXCHS2.0 x64.exe	27
PID 1420 wrote to memory of 616	1420	Microsoft_DotNetFXCHS2.0 x64.exe	27
PID 1420 wrote to memory of 616	1420	Microsoft_DotNetFXCHS2.0 x64.exe	27
PID 1420 wrote to memory of 616	1420	Microsoft_DotNetFXCHS2.0 x64.exe	27

C:\Users\Admin\AppData\Local\Temp\Microsoft_DotNetFXCHS2.0 x64.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft_DotNetFXCHS2.0 x64.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Custom.1033.dll

Filesize
46KB

MD5
417d9e6bc106812f0eb0e5e3250d00b9

SHA1
3fb85b002c14f6984daf98614b7b2b584526ed84

SHA256
00448fac73ae80b30879211ec7c8b0effed76e4d64d977c37d3028832b2dd292

SHA512
9b45a9942fc8eea1f9458f9e87cc96bba4ad12b7c1eb026fbd0eba13ae64d7ae95f5a5e277eaab9091102800346420bc614ac27d9d0014a499188ccf503dc2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eula.1033.txt

Filesize
6KB

MD5
a327db8cb0b8ac5af3fdfa4e5d42c095

SHA1
76678de4ea1f7433c9dd2453c9b4b0eb25d574a6

SHA256
2ce4265eecda6a6744081b2bad7cc1dc8bfbf0417db5063b27b11e2b7d983ed3

SHA512
cc94f67b1ae5d0185c6a8d6790c225b575c3604b1642b5f492059abe067d0db0e2fc942a9fe65c18ffa7c206dae97551b8669b2af1b32a4d56a1850e5da8afb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
1.3MB

MD5
222ef953c190bb1b98147198c92d867a

SHA1
d6dc8a9e78510624a06d4b037a50f2e692326e9b

SHA256
d551f58f5902d0b9aec9d2359f630f8cbe113c8bad394f05d0d14f762c44d0ea

SHA512
70ed013feae48e384c34efca5e3e51353dcea3ced55b5004814b3049007fe742ad91d44c1c509e6a80dcf3f3c55f758624deb0f1c8fa4a05c844d15b0784017c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
1.3MB

MD5
222ef953c190bb1b98147198c92d867a

SHA1
d6dc8a9e78510624a06d4b037a50f2e692326e9b

SHA256
d551f58f5902d0b9aec9d2359f630f8cbe113c8bad394f05d0d14f762c44d0ea

SHA512
70ed013feae48e384c34efca5e3e51353dcea3ced55b5004814b3049007fe742ad91d44c1c509e6a80dcf3f3c55f758624deb0f1c8fa4a05c844d15b0784017c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.ini

Filesize
4KB

MD5
a9dea28cce4031e9eaa65cfb48dd2b70

SHA1
047bd219bf2fa2ff8e79dfd0d9c63245591a5fa1

SHA256
68ad5fb365aa4d4f28afbc451d5b50f9dfd8c6dadc3a7e40591230c51a595bb4

SHA512
b4eba12bc101ae665a994ee0f0b7cebeb9ede6993324662b27c549c06f3cefa6e7c16681c55b1648da237c7198b908173a55c281db941d33df1c7d8e1cab3938

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.res.1033.dll

Filesize
84KB

MD5
bdfa53b2a26002afbfc35e78ccc988ce

SHA1
4afda1375f339caae7c5858b3e7e9ec2a246322d

SHA256
4628cf00b58c5c0b457eb302687de4677375f9467a9a2b346c74df3db5bc0174

SHA512
67304017ec572eea31f4ec4f7ba08cca927d7f972d3ad1caff4cd94d915e3bedf5eba01f53bca977c65841084b0139fc66114115b8d999eb8c6c911b6c2a6fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\netfx.bmp

Filesize
5KB

MD5
06fba95313f26e300917c6cea4480890

SHA1
31beee44776f114078fc403e405eaa5936c4bc3b

SHA256
594884a8006e24ad5b1578cd7c75aca21171bb079ebdc4f6518905bcf2237ba1

SHA512
7dca0f1ab5d3fd1ac8755142a7ca4d085bb0c2f12a7272e56159dadfa22da79ec8261815be71b9f5e7c32f6e8121ecb2443060f7db76feaf01eb193200e67dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\netfx.msi

Filesize
27.0MB

MD5
6c08a2d2ac153ee27c2f22c9d297189b

SHA1
e5f21a88474fb85310c1cc8a6fd4ffd37d6f7f1d

SHA256
40be00ffd73422f957133e807f82cd137b9ed0139e2734e4016a8c4ff02fa337

SHA512
5d3b4f036253c97fa2662be95affe8872a4077f1db8417b39fc7a022f882b5b3055b5c6c820d815982b481eea32bc621ed8e7dad3fc5ae8d435ecedf5e7b26d3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\custom.1033.dll

Filesize
46KB

MD5
417d9e6bc106812f0eb0e5e3250d00b9

SHA1
3fb85b002c14f6984daf98614b7b2b584526ed84

SHA256
00448fac73ae80b30879211ec7c8b0effed76e4d64d977c37d3028832b2dd292

SHA512
9b45a9942fc8eea1f9458f9e87cc96bba4ad12b7c1eb026fbd0eba13ae64d7ae95f5a5e277eaab9091102800346420bc614ac27d9d0014a499188ccf503dc2e6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
1.3MB

MD5
222ef953c190bb1b98147198c92d867a

SHA1
d6dc8a9e78510624a06d4b037a50f2e692326e9b

SHA256
d551f58f5902d0b9aec9d2359f630f8cbe113c8bad394f05d0d14f762c44d0ea

SHA512
70ed013feae48e384c34efca5e3e51353dcea3ced55b5004814b3049007fe742ad91d44c1c509e6a80dcf3f3c55f758624deb0f1c8fa4a05c844d15b0784017c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
1.3MB

MD5
222ef953c190bb1b98147198c92d867a

SHA1
d6dc8a9e78510624a06d4b037a50f2e692326e9b

SHA256
d551f58f5902d0b9aec9d2359f630f8cbe113c8bad394f05d0d14f762c44d0ea

SHA512
70ed013feae48e384c34efca5e3e51353dcea3ced55b5004814b3049007fe742ad91d44c1c509e6a80dcf3f3c55f758624deb0f1c8fa4a05c844d15b0784017c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
1.3MB

MD5
222ef953c190bb1b98147198c92d867a

SHA1
d6dc8a9e78510624a06d4b037a50f2e692326e9b

SHA256
d551f58f5902d0b9aec9d2359f630f8cbe113c8bad394f05d0d14f762c44d0ea

SHA512
70ed013feae48e384c34efca5e3e51353dcea3ced55b5004814b3049007fe742ad91d44c1c509e6a80dcf3f3c55f758624deb0f1c8fa4a05c844d15b0784017c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.res.1033.dll

Filesize
84KB

MD5
bdfa53b2a26002afbfc35e78ccc988ce

SHA1
4afda1375f339caae7c5858b3e7e9ec2a246322d

SHA256
4628cf00b58c5c0b457eb302687de4677375f9467a9a2b346c74df3db5bc0174

SHA512
67304017ec572eea31f4ec4f7ba08cca927d7f972d3ad1caff4cd94d915e3bedf5eba01f53bca977c65841084b0139fc66114115b8d999eb8c6c911b6c2a6fd5

Download Submit
memory/616-178-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/616-183-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download