bb90c8c39ba60347b2d5f2a73a11f9c1f9f7e16251ca3098e4c087257bcce09b

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
09-07-2023 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3715ca8d93d5a5bdc499013cf.exe
Size

343KB
MD5

3715ca8d93d5a5bdc499013cfc55da11
SHA1

e6c0c9a85aa722a06f3d4dd15e0aec7c779fad25
SHA256

bb90c8c39ba60347b2d5f2a73a11f9c1f9f7e16251ca3098e4c087257bcce09b
SHA512

b0983bbae356957a988ef707f1ac06c87757588735af779b7ce02b6ec245b274f1b5e778c3a3ef23a4004a85dda980fc6dad728046c81c1803c5b2eb142d9750
SSDEEP

6144:5ahOlp0yN90QE+8/3rwzkz3KKkg1sXLQphN1oF2U++wBS8:5ity90g8/bwzkmg7hNd88

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

rundetermine.exe

pid process

3000 rundetermine.exe

pid	process
3000	rundetermine.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3715ca8d93d5a5bdc499013cf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	3715ca8d93d5a5bdc499013cf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3715ca8d93d5a5bdc499013cf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundetermine.exe

description pid process

Token: SeDebugPrivilege 3000 rundetermine.exe

description	pid	process
Token: SeDebugPrivilege	3000	rundetermine.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3715ca8d93d5a5bdc499013cf.exe

description	pid	process	target process
PID 2380 wrote to memory of 3000	2380	3715ca8d93d5a5bdc499013cf.exe	rundetermine.exe
PID 2380 wrote to memory of 3000	2380	3715ca8d93d5a5bdc499013cf.exe	rundetermine.exe
PID 2380 wrote to memory of 3000	2380	3715ca8d93d5a5bdc499013cf.exe	rundetermine.exe
PID 2380 wrote to memory of 3000	2380	3715ca8d93d5a5bdc499013cf.exe	rundetermine.exe

C:\Users\Admin\AppData\Local\Temp\3715ca8d93d5a5bdc499013cf.exe
"C:\Users\Admin\AppData\Local\Temp\3715ca8d93d5a5bdc499013cf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rundetermine.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rundetermine.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rundetermine.exe

Filesize
207KB

MD5
ad4b59ad0a43f64ad7cd725799903a9a

SHA1
10faa3c43f8100f6e76a137444fbd870feada6fb

SHA256
0eb4f83c40fc9bf8879d752c3a91cf01f026055baaaf83df2bf126242cc562fa

SHA512
d33236bd7b656b725dccffbd2a9da41caa20e6b391a400a05986b402cdb99fd7adff4003f7c3320dbc1bfb921285e828d1729d319b2ff862006fd62adeee5cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rundetermine.exe

Filesize
207KB

MD5
ad4b59ad0a43f64ad7cd725799903a9a

SHA1
10faa3c43f8100f6e76a137444fbd870feada6fb

SHA256
0eb4f83c40fc9bf8879d752c3a91cf01f026055baaaf83df2bf126242cc562fa

SHA512
d33236bd7b656b725dccffbd2a9da41caa20e6b391a400a05986b402cdb99fd7adff4003f7c3320dbc1bfb921285e828d1729d319b2ff862006fd62adeee5cdf

Download Submit
memory/3000-62-0x0000000001050000-0x000000000108A000-memory.dmp

Filesize
232KB

Download
memory/3000-63-0x0000000004DC0000-0x0000000004E00000-memory.dmp

Filesize
256KB

Download
memory/3000-64-0x0000000004DC0000-0x0000000004E00000-memory.dmp

Filesize
256KB

Download