Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20230703-en -
resource tags
arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system -
submitted
09-07-2023 11:03
Static task
static1
Behavioral task
behavioral1
Sample
3715ca8d93d5a5bdc499013cf.exe
Resource
win7-20230703-en
Behavioral task
behavioral2
Sample
3715ca8d93d5a5bdc499013cf.exe
Resource
win10v2004-20230703-en
General
-
Target
3715ca8d93d5a5bdc499013cf.exe
-
Size
343KB
-
MD5
3715ca8d93d5a5bdc499013cfc55da11
-
SHA1
e6c0c9a85aa722a06f3d4dd15e0aec7c779fad25
-
SHA256
bb90c8c39ba60347b2d5f2a73a11f9c1f9f7e16251ca3098e4c087257bcce09b
-
SHA512
b0983bbae356957a988ef707f1ac06c87757588735af779b7ce02b6ec245b274f1b5e778c3a3ef23a4004a85dda980fc6dad728046c81c1803c5b2eb142d9750
-
SSDEEP
6144:5ahOlp0yN90QE+8/3rwzkz3KKkg1sXLQphN1oF2U++wBS8:5ity90g8/bwzkmg7hNd88
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
rundetermine.exepid process 1400 rundetermine.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
3715ca8d93d5a5bdc499013cf.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce 3715ca8d93d5a5bdc499013cf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 3715ca8d93d5a5bdc499013cf.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rundetermine.exedescription pid process Token: SeDebugPrivilege 1400 rundetermine.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
3715ca8d93d5a5bdc499013cf.exedescription pid process target process PID 2436 wrote to memory of 1400 2436 3715ca8d93d5a5bdc499013cf.exe rundetermine.exe PID 2436 wrote to memory of 1400 2436 3715ca8d93d5a5bdc499013cf.exe rundetermine.exe PID 2436 wrote to memory of 1400 2436 3715ca8d93d5a5bdc499013cf.exe rundetermine.exe PID 2436 wrote to memory of 1400 2436 3715ca8d93d5a5bdc499013cf.exe rundetermine.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3715ca8d93d5a5bdc499013cf.exe"C:\Users\Admin\AppData\Local\Temp\3715ca8d93d5a5bdc499013cf.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rundetermine.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rundetermine.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1400
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
207KB
MD5ad4b59ad0a43f64ad7cd725799903a9a
SHA110faa3c43f8100f6e76a137444fbd870feada6fb
SHA2560eb4f83c40fc9bf8879d752c3a91cf01f026055baaaf83df2bf126242cc562fa
SHA512d33236bd7b656b725dccffbd2a9da41caa20e6b391a400a05986b402cdb99fd7adff4003f7c3320dbc1bfb921285e828d1729d319b2ff862006fd62adeee5cdf
-
Filesize
207KB
MD5ad4b59ad0a43f64ad7cd725799903a9a
SHA110faa3c43f8100f6e76a137444fbd870feada6fb
SHA2560eb4f83c40fc9bf8879d752c3a91cf01f026055baaaf83df2bf126242cc562fa
SHA512d33236bd7b656b725dccffbd2a9da41caa20e6b391a400a05986b402cdb99fd7adff4003f7c3320dbc1bfb921285e828d1729d319b2ff862006fd62adeee5cdf