5593eeac10527b135b7ecbbbedf6c2d9e5c8a36c9ff078b077ae0e3087f7b45e

Analysis

max time kernel
1s
max time network
3s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
30-08-2023 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KillShutup.exe
Size

154KB
MD5

aca60475fb5d1a070301d45786c999fe
SHA1

6b5c65c4d1ca940bbba1e31d98771b50647dbcb3
SHA256

5593eeac10527b135b7ecbbbedf6c2d9e5c8a36c9ff078b077ae0e3087f7b45e
SHA512

4859b3d7487cd72ededea2a9470fcb832c403193f7b207a24c2c506007981c58340eb05e4a128bab869a3d90bdf27206ef3e8932784bc28e411793c4b0ca6938
SSDEEP

3072:TahKyd2n31W5GWp1icKAArDZz4N9GhbkrNEk1YT:TahO+p0yN90QEr

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	KillShutup.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2788	taskkill.exe
2564	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	taskkill.exe
Token: SeDebugPrivilege	2564	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2404	2524	KillShutup.exe	28
PID 2524 wrote to memory of 2404	2524	KillShutup.exe	28
PID 2524 wrote to memory of 2404	2524	KillShutup.exe	28
PID 2404 wrote to memory of 2788	2404	cmd.exe	30
PID 2404 wrote to memory of 2788	2404	cmd.exe	30
PID 2404 wrote to memory of 2788	2404	cmd.exe	30
PID 2524 wrote to memory of 2824	2524	KillShutup.exe	32
PID 2524 wrote to memory of 2824	2524	KillShutup.exe	32
PID 2524 wrote to memory of 2824	2524	KillShutup.exe	32
PID 2824 wrote to memory of 2564	2824	cmd.exe	34
PID 2824 wrote to memory of 2564	2824	cmd.exe	34
PID 2824 wrote to memory of 2564	2824	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\KillShutup.exe
"C:\Users\Admin\AppData\Local\Temp\KillShutup.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LAUNCH~1.CMD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2788
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BOXKIL~1.CMD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im wscript.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BOXKIL~1.CMD

Filesize
27B

MD5
deef6cba098340511727029356c2d5a0

SHA1
60dddf4bf198b0d75acd63c21905b89a80d67044

SHA256
f68e4cc3fa1d7b7a691c2f2ad46a43c5fb8a3d335751429782c2112b12f1617a

SHA512
0329e90d503ab140ce532236c4efe9aa6b85758bb4da619491db02d90b3ca9bd8b2502fddff36c3d89e78d11c510475c88640555c2176efafd0f0158a485d5d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BOXKIL~1.CMD

Filesize
27B

MD5
deef6cba098340511727029356c2d5a0

SHA1
60dddf4bf198b0d75acd63c21905b89a80d67044

SHA256
f68e4cc3fa1d7b7a691c2f2ad46a43c5fb8a3d335751429782c2112b12f1617a

SHA512
0329e90d503ab140ce532236c4efe9aa6b85758bb4da619491db02d90b3ca9bd8b2502fddff36c3d89e78d11c510475c88640555c2176efafd0f0158a485d5d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LAUNCH~1.CMD

Filesize
23B

MD5
ee18bd31559ff88e6ca9e0bceb63fd83

SHA1
e2ac7247b524b6eb49bf3c80fe6022d7cdac8ff5

SHA256
a80820cb7208ae69c13a907eb45525a96b9b76cf470adf15e3445b1e2235ab8c

SHA512
916355380766ec1b28d61dc55c7b4d8124f25d1221048ce23f7670d86251572c34b5e05613e2d02e7ccaf98a107d5d587d57586183fb0f4e9071369fc993e981

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LAUNCH~1.CMD

Filesize
23B

MD5
ee18bd31559ff88e6ca9e0bceb63fd83

SHA1
e2ac7247b524b6eb49bf3c80fe6022d7cdac8ff5

SHA256
a80820cb7208ae69c13a907eb45525a96b9b76cf470adf15e3445b1e2235ab8c

SHA512
916355380766ec1b28d61dc55c7b4d8124f25d1221048ce23f7670d86251572c34b5e05613e2d02e7ccaf98a107d5d587d57586183fb0f4e9071369fc993e981

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads