379d1597e3930745f2652d746d6671a801390d86e16c8694e0ff46132d915aba

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11-07-2023 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc163bfdeb6e36b226e816f4d.exe
Size

199KB
MD5

fc163bfdeb6e36b226e816f4d58af8b6
SHA1

f04406d51542af259d53990d46f31cf7068b23fc
SHA256

379d1597e3930745f2652d746d6671a801390d86e16c8694e0ff46132d915aba
SHA512

ce4f3b8904f70b243afd4316ccab0f7e500ba3380cd667c97156387d8d19c06a45f780b4ed5b3192acd1e9a5ae83c90bdca377571a150e1153d455eea84ca5c4
SSDEEP

3072:QahKyd2n3185GWp1icKAArDZz4N9GhbkrNEk1cjhsDWCq49ET:QahOMp0yN90QE5hs6Cql

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

linetechnical.exe

pid process

3024 linetechnical.exe

pid	process
3024	linetechnical.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fc163bfdeb6e36b226e816f4d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	fc163bfdeb6e36b226e816f4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fc163bfdeb6e36b226e816f4d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

linetechnical.exe

description pid process

Token: SeDebugPrivilege 3024 linetechnical.exe

description	pid	process
Token: SeDebugPrivilege	3024	linetechnical.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

fc163bfdeb6e36b226e816f4d.exe

description	pid	process	target process
PID 2396 wrote to memory of 3024	2396	fc163bfdeb6e36b226e816f4d.exe	linetechnical.exe
PID 2396 wrote to memory of 3024	2396	fc163bfdeb6e36b226e816f4d.exe	linetechnical.exe
PID 2396 wrote to memory of 3024	2396	fc163bfdeb6e36b226e816f4d.exe	linetechnical.exe
PID 2396 wrote to memory of 3024	2396	fc163bfdeb6e36b226e816f4d.exe	linetechnical.exe

C:\Users\Admin\AppData\Local\Temp\fc163bfdeb6e36b226e816f4d.exe
"C:\Users\Admin\AppData\Local\Temp\fc163bfdeb6e36b226e816f4d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\linetechnical.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\linetechnical.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\linetechnical.exe

Filesize
104KB

MD5
73ccd28a413ee48e604c563946da2bda

SHA1
11d1cc9b32876b83cb4beea054598d63a34fbadd

SHA256
a794c2916baf85f9500b08745d73fa3b6932b485ca347efdccd76f70895cc65e

SHA512
18cdaa741a5d8cb37763055c659c6094d2ece0fad6ca69678d478608547dfe45bb8376170d7bc8d785f47563223d6c58c0c9c291d331989cbbfcd5ecc3a8ce37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\linetechnical.exe

Filesize
104KB

MD5
73ccd28a413ee48e604c563946da2bda

SHA1
11d1cc9b32876b83cb4beea054598d63a34fbadd

SHA256
a794c2916baf85f9500b08745d73fa3b6932b485ca347efdccd76f70895cc65e

SHA512
18cdaa741a5d8cb37763055c659c6094d2ece0fad6ca69678d478608547dfe45bb8376170d7bc8d785f47563223d6c58c0c9c291d331989cbbfcd5ecc3a8ce37

Download Submit
memory/3024-62-0x0000000000320000-0x0000000000340000-memory.dmp

Filesize
128KB

Download
memory/3024-63-0x0000000000900000-0x0000000000940000-memory.dmp

Filesize
256KB

Download
memory/3024-64-0x0000000000900000-0x0000000000940000-memory.dmp

Filesize
256KB

Download