1879e3de43de8a859b70dd612dc479305f4cc66d60dba5919039a5a637c67ba5

Analysis

max time kernel
594s
max time network
595s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
01/08/2023, 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13072023BUILD.exe
Size

6.7MB
MD5

627fff336390bbbd2908f3bfe195ac31
SHA1

5717e9ddfa7155057bf45f4112f74559cbe16cce
SHA256

1879e3de43de8a859b70dd612dc479305f4cc66d60dba5919039a5a637c67ba5
SHA512

6722e9950d777a44d33058df50331528c350e59a476d73b4e5c20907fa11e512af863d0ac42b2638f28a2ff510e092958ad5824612e9bf6286427b8e4ea6236b
SSDEEP

196608:uQ83VHGpPg/zfVsMHLP2/I5nHDyQxY3nAl7QIl1Ce:MZQCxrPtnHDyMYXAtT

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\USBSafeManager\Parameters\ServiceDLL = "C:\\ProgramData\\RUTs\\Logs\\msimg32.dll"	wuapihost.exe

Executes dropped EXE 3 IoCs

pid	Process
5076	7za.exe
2576	Silverlight.Configuration.exe
3100	wuapihost.exe

Loads dropped DLL 5 IoCs

pid	Process
2576	Silverlight.Configuration.exe
3100	wuapihost.exe
3100	wuapihost.exe
3100	wuapihost.exe
4224	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	13072023BUILD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Silverlight.Configuration.exe = "\"C:\\ProgramData\\RUTs\\Logs\\Silverlight.Configuration.exe\""	wuapihost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3100	wuapihost.exe
3100	wuapihost.exe
3100	wuapihost.exe
3100	wuapihost.exe
3100	wuapihost.exe
3100	wuapihost.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	5076	7za.exe
Token: 35	5076	7za.exe
Token: SeSecurityPrivilege	5076	7za.exe
Token: SeSecurityPrivilege	5076	7za.exe
Token: SeTakeOwnershipPrivilege	3100	wuapihost.exe
Token: SeTcbPrivilege	3100	wuapihost.exe
Token: SeTcbPrivilege	3100	wuapihost.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3100	wuapihost.exe
3100	wuapihost.exe
3100	wuapihost.exe
3100	wuapihost.exe
3100	wuapihost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 5076	3968	13072023BUILD.exe	70
PID 3968 wrote to memory of 5076	3968	13072023BUILD.exe	70
PID 3968 wrote to memory of 5076	3968	13072023BUILD.exe	70
PID 3968 wrote to memory of 2576	3968	13072023BUILD.exe	72
PID 3968 wrote to memory of 2576	3968	13072023BUILD.exe	72
PID 3968 wrote to memory of 2576	3968	13072023BUILD.exe	72
PID 2576 wrote to memory of 3100	2576	Silverlight.Configuration.exe	73
PID 2576 wrote to memory of 3100	2576	Silverlight.Configuration.exe	73
PID 2576 wrote to memory of 3100	2576	Silverlight.Configuration.exe	73

C:\Users\Admin\AppData\Local\Temp\13072023BUILD.exe
"C:\Users\Admin\AppData\Local\Temp\13072023BUILD.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7za.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7za.exe e wextract.7z -oC:\ProgramData\RUTs\Logs
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5076
- C:\ProgramData\RUTs\Logs\Silverlight.Configuration.exe
  C:\ProgramData\RUTs\Logs\Silverlight.Configuration.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\ProgramData\RUTs\Logs\wuapihost.exe
    "C:\ProgramData\RUTs\Logs\wuapihost.exe"
    3⤵
    - Sets DLL path for service in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3100

\??\c:\windows\syswow64\svchost.exe
c:\windows\syswow64\svchost.exe -k "usbsafemanagergrp" -svcr "wuapihost.exe" -s USBSafeManager
1⤵
- Loads dropped DLL
PID:4224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RUTs\Logs\MSIMG32.dll

Filesize
416KB

MD5
8a492d07d4a2d4df88acc20abe79225b

SHA1
515dc908b634cbba594d62b1a9e92e3549ba8b5a

SHA256
4bb2b10e067f6c56609c90477792c97b328e05e58076aef0f211f3aff8c4cc69

SHA512
a0d3822963738a9ce74cbe4955d2efc8ba8de1b25dd9a25a8aba1c12c4600a8c3dc1ef64f7bf8de21cb2beb826a8ae46dfc7cbdc02829c2bc3fa0b9d5117a937

Download Submit
C:\ProgramData\RUTs\Logs\Silverlight.Configuration.exe

Filesize
231KB

MD5
17e40315660830aa625483bbf608730c

SHA1
c8f5825499315eaf4b5046ff79ac9553e71ad1c0

SHA256
f11009988b813821857c8d2db0f88e1d45b20762f62a3cf432339f352b12cefe

SHA512
0a3468dcff23ccb2458a8241388b7092d0711a4ebb491d5d8141cc352db8008fc6afc9af1e668104ac657fb4b3651ebcfdf1575557ff918d0f0905cd88c59e85

Download Submit
C:\ProgramData\RUTs\Logs\Silverlight.Configuration.exe

Filesize
231KB

MD5
17e40315660830aa625483bbf608730c

SHA1
c8f5825499315eaf4b5046ff79ac9553e71ad1c0

SHA256
f11009988b813821857c8d2db0f88e1d45b20762f62a3cf432339f352b12cefe

SHA512
0a3468dcff23ccb2458a8241388b7092d0711a4ebb491d5d8141cc352db8008fc6afc9af1e668104ac657fb4b3651ebcfdf1575557ff918d0f0905cd88c59e85

Download Submit
C:\ProgramData\RUTs\Logs\libeay32.dll

Filesize
1.3MB

MD5
d9871a6ba02aacf3d51e6c168d9c6066

SHA1
42012a0116a9e8aed16c7298bd43cb1206a0f0cd

SHA256
7975ac81130ae8fe09caf6bef313c44fe064b67ed9205f0bd11ac165386e2f95

SHA512
ae9118dac893097cd0e388ce45ff76c26b99b1cc9aea59547cc1dedf00bfbaf575f3d05317fac2f3f8b5c97896f6080bea9a90425333dbf02013eb01a002e43f

Download Submit
C:\ProgramData\RUTs\Logs\settings.dat

Filesize
5KB

MD5
0e7ba2cb293b0068f7016063f1724d50

SHA1
0a1fbad5c284cde95559e2ceb1a59579336337ff

SHA256
d36aa23d6d4d64937fb02f67da38a03f51221ed68917e7148ff005ba8bc4454d

SHA512
eb1a7309846c0cd614bb0de519248a2c17a3cbc6f06f8f45df4b1d04786687e1923c0ff2cdf08e7cf74a1071687160445ee6e76be8364b4a27befccab7e4fe5e

Download Submit
C:\ProgramData\RUTs\Logs\ssleay32.dll

Filesize
337KB

MD5
fe6d8feaeae983513e0a9a223604041b

SHA1
efa54892735d331a24b707068040e5a697455cee

SHA256
af029ac96a935594de92f771ef86c3e92fe22d08cb78ebf815cbfd4ef0cb94b0

SHA512
a78b1643c9ea02004aabefc9c72d418ee3292edb63a90002608ac02ad4e1a92d86b0fc95e66d6d4b49404c1fc75845d0e6262821b6052ab037b4542fcaf2047d

Download Submit
C:\ProgramData\RUTs\Logs\wuapihost.exe

Filesize
19.8MB

MD5
31c0bafc3f6e6c7322a7a32ac1bd87da

SHA1
42fd1a41e1eef5998de674ec068c702f1ee3b4f3

SHA256
f2a5023cd559597a1b70a7e02345fb9c80b740377fcf7341d5df2d462efafda5

SHA512
ab8dcda75a2e9c4d7dfcc23e76b3ca76b4ec5f1fbf24007bf0e9707de17461c5016ec9005dae3f62e34f586452aa145871d371536572365b35bf33b43a8d24ab

Download Submit
C:\ProgramData\RUTs\Logs\wuapihost.exe

Filesize
19.8MB

MD5
31c0bafc3f6e6c7322a7a32ac1bd87da

SHA1
42fd1a41e1eef5998de674ec068c702f1ee3b4f3

SHA256
f2a5023cd559597a1b70a7e02345fb9c80b740377fcf7341d5df2d462efafda5

SHA512
ab8dcda75a2e9c4d7dfcc23e76b3ca76b4ec5f1fbf24007bf0e9707de17461c5016ec9005dae3f62e34f586452aa145871d371536572365b35bf33b43a8d24ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7za.exe

Filesize
796KB

MD5
90aac6489f6b226bf7dc1adabfdb1259

SHA1
c90c47b717b776922cdd09758d2b4212d9ae4911

SHA256
ba7f3627715614d113c1e1cd7dd9d47e3402a1e8a7404043e08bc14939364549

SHA512
befaa9b27dc11e226b00a651aa91cbfe1ec36127084d87d44b6cd8a5076e0a092a162059295d3fcd17abb6ea9adb3b703f3652ae558c2eef4e8932131397c12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7za.exe

Filesize
796KB

MD5
90aac6489f6b226bf7dc1adabfdb1259

SHA1
c90c47b717b776922cdd09758d2b4212d9ae4911

SHA256
ba7f3627715614d113c1e1cd7dd9d47e3402a1e8a7404043e08bc14939364549

SHA512
befaa9b27dc11e226b00a651aa91cbfe1ec36127084d87d44b6cd8a5076e0a092a162059295d3fcd17abb6ea9adb3b703f3652ae558c2eef4e8932131397c12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wextract.7z

Filesize
6.3MB

MD5
0184de2d78e13c97b55a2eb90c8b12a6

SHA1
5d546c7546fd20d2bec5a5743cc180b16407accb

SHA256
a1ec426c13a87ad61c9b1286cbfd20732c3b942e81c42d840bb9d478f6ef9f07

SHA512
6737d8de78b6a4cca7948ecc40404504fb80ae996d4b7fd045c33aca46f2f8c26fda1bfd1c33617a82e01466381f0956b22466a1ded8272313b757e3c485d3aa

Download Submit
\ProgramData\RUTs\Logs\libeay32.dll

Filesize
1.3MB

MD5
d9871a6ba02aacf3d51e6c168d9c6066

SHA1
42012a0116a9e8aed16c7298bd43cb1206a0f0cd

SHA256
7975ac81130ae8fe09caf6bef313c44fe064b67ed9205f0bd11ac165386e2f95

SHA512
ae9118dac893097cd0e388ce45ff76c26b99b1cc9aea59547cc1dedf00bfbaf575f3d05317fac2f3f8b5c97896f6080bea9a90425333dbf02013eb01a002e43f

Download Submit
\ProgramData\RUTs\Logs\msimg32.dll

Filesize
416KB

MD5
8a492d07d4a2d4df88acc20abe79225b

SHA1
515dc908b634cbba594d62b1a9e92e3549ba8b5a

SHA256
4bb2b10e067f6c56609c90477792c97b328e05e58076aef0f211f3aff8c4cc69

SHA512
a0d3822963738a9ce74cbe4955d2efc8ba8de1b25dd9a25a8aba1c12c4600a8c3dc1ef64f7bf8de21cb2beb826a8ae46dfc7cbdc02829c2bc3fa0b9d5117a937

Download Submit
\ProgramData\RUTs\Logs\msimg32.dll

Filesize
416KB

MD5
8a492d07d4a2d4df88acc20abe79225b

SHA1
515dc908b634cbba594d62b1a9e92e3549ba8b5a

SHA256
4bb2b10e067f6c56609c90477792c97b328e05e58076aef0f211f3aff8c4cc69

SHA512
a0d3822963738a9ce74cbe4955d2efc8ba8de1b25dd9a25a8aba1c12c4600a8c3dc1ef64f7bf8de21cb2beb826a8ae46dfc7cbdc02829c2bc3fa0b9d5117a937

Download Submit
\ProgramData\RUTs\Logs\msimg32.dll

Filesize
416KB

MD5
8a492d07d4a2d4df88acc20abe79225b

SHA1
515dc908b634cbba594d62b1a9e92e3549ba8b5a

SHA256
4bb2b10e067f6c56609c90477792c97b328e05e58076aef0f211f3aff8c4cc69

SHA512
a0d3822963738a9ce74cbe4955d2efc8ba8de1b25dd9a25a8aba1c12c4600a8c3dc1ef64f7bf8de21cb2beb826a8ae46dfc7cbdc02829c2bc3fa0b9d5117a937

Download Submit
\ProgramData\RUTs\Logs\ssleay32.dll

Filesize
337KB

MD5
fe6d8feaeae983513e0a9a223604041b

SHA1
efa54892735d331a24b707068040e5a697455cee

SHA256
af029ac96a935594de92f771ef86c3e92fe22d08cb78ebf815cbfd4ef0cb94b0

SHA512
a78b1643c9ea02004aabefc9c72d418ee3292edb63a90002608ac02ad4e1a92d86b0fc95e66d6d4b49404c1fc75845d0e6262821b6052ab037b4542fcaf2047d

Download Submit
memory/3100-181-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-190-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-161-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-162-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-163-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-164-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-167-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-168-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-169-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-170-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-171-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-172-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-173-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-174-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-175-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-176-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-177-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-178-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-179-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-180-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-159-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-182-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-183-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-184-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-185-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-186-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-187-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-188-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-189-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-160-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-191-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-192-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-193-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-194-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-195-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-196-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-197-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-198-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-199-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-200-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-201-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-202-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-203-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-204-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-205-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-206-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-207-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-208-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-209-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-210-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-211-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-212-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-213-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-214-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-215-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-216-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-217-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-218-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/3100-219-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download