9da8fc6dd4e0b6cfdaddb3a49cd0787d9ecd87e94bf84c530ba9b0295515ea2b

Resubmissions

28/08/2023, 01:37

230828-b1vjksge2s 7

28/08/2023, 01:33

230828-byvfssgd7x 7

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20230824-en
resource tags

arch:x64arch:x86image:win7-20230824-enlocale:en-usos:windows7-x64system
submitted
28/08/2023, 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

data64_1.exe
Size

214KB
MD5

5fa19dfd3b125b6e048f0792e7862c10
SHA1

7e203943f8cea22dc4b2fe84d56a64b2d0df3050
SHA256

9da8fc6dd4e0b6cfdaddb3a49cd0787d9ecd87e94bf84c530ba9b0295515ea2b
SHA512

dc6fd8ed080e40838eaf070b3edb85cedd2c1a8a5401418a10142a1c3cfcbd20f2e6fbbafca9a0e75ccf9088118e8dfe9955e4c17c28ddb18a8dcdf7492bd942
SSDEEP

3072:DahKyd2n31M5wzl3BYb7btbJQAetrmzexqLeFzuYxcHXfCcFRD923m24cCeI:DahOrYcAeaesLe0YxcqGRU3Z4R

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2988	modernperiod.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	data64_1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	modernperiod.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2988	2112	data64_1.exe	29
PID 2112 wrote to memory of 2988	2112	data64_1.exe	29
PID 2112 wrote to memory of 2988	2112	data64_1.exe	29
PID 2112 wrote to memory of 2988	2112	data64_1.exe	29

C:\Users\Admin\AppData\Local\Temp\data64_1.exe
"C:\Users\Admin\AppData\Local\Temp\data64_1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\modernperiod.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\modernperiod.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\modernperiod.exe

Filesize
251KB

MD5
4eaed62249125c561de53344b99b82ea

SHA1
5ff6fd5bb9b35ecc5a17d467dcbaea065198dc19

SHA256
d9b146d0dc26f6c215fb76b3f4941c310aa2a42729bb06feaf029e1a826e3bbc

SHA512
00f73a1f6b2e1473fbc44f3c86e1b2cdab5225682816abff19e8f02a50e8135a717e9f1aa27d198a288f2e5f808f7995f7e7450d0be3907c2f11f73aa704baed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\modernperiod.exe

Filesize
251KB

MD5
4eaed62249125c561de53344b99b82ea

SHA1
5ff6fd5bb9b35ecc5a17d467dcbaea065198dc19

SHA256
d9b146d0dc26f6c215fb76b3f4941c310aa2a42729bb06feaf029e1a826e3bbc

SHA512
00f73a1f6b2e1473fbc44f3c86e1b2cdab5225682816abff19e8f02a50e8135a717e9f1aa27d198a288f2e5f808f7995f7e7450d0be3907c2f11f73aa704baed

Download Submit
memory/2988-6-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2988-7-0x0000000000DB0000-0x0000000000DF4000-memory.dmp

Filesize
272KB

Download
memory/2988-8-0x0000000004C80000-0x0000000004CC0000-memory.dmp

Filesize
256KB

Download
memory/2988-9-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads