7d5455411512b3e4fa266722bc5bfd18d73b84edf984543f12b40bfc274a70c7

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
18-09-2023 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wininstal.exe
Size

607KB
MD5

dd81fe6d37b5200c80eccb98bc8b91d9
SHA1

55371613874ea2109b6fc42f929e15f8544cb532
SHA256

7d5455411512b3e4fa266722bc5bfd18d73b84edf984543f12b40bfc274a70c7
SHA512

fc2525ec43c03ab7f2c9dfed92f18ec58ef79e962bc2089da90bc565d5d8d8564d9bf4d545c26fdb271c5b88d5ba47c73225f37f49ca1ffff17d427361aefb4a
SSDEEP

12288:bisrBllxd6M2YYKZ7UcxrGJnFdz87yrqE3Wopb7z1fbJBRi1rMM17o4:bdNllr6MWKZ7Uc0JnLpqED7z1frw1MMB

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2604	severalmaintain.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	wininstal.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	severalmaintain.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2604	2228	wininstal.exe	28
PID 2228 wrote to memory of 2604	2228	wininstal.exe	28
PID 2228 wrote to memory of 2604	2228	wininstal.exe	28
PID 2228 wrote to memory of 2604	2228	wininstal.exe	28

C:\Users\Admin\AppData\Local\Temp\wininstal.exe
"C:\Users\Admin\AppData\Local\Temp\wininstal.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\severalmaintain.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\severalmaintain.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\severalmaintain.exe

Filesize
691KB

MD5
86dd34758b6ce7454cc907357c47d697

SHA1
9abc68a284b8f8969649c77f05020c0cabc9f517

SHA256
e0095e1a312cb6f007e51605fde1c304a1f6f62e9f329766c75f3601d961ed45

SHA512
3494cdbd5dc3b04c46cf660e3a8b8ae9985d248d885f0b389449d3ded5c1cf4d33e1878dd95c163ddaa53e6ee809f188de0ad4f7d5bab755f1df9bf404fb2545

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\severalmaintain.exe

Filesize
691KB

MD5
86dd34758b6ce7454cc907357c47d697

SHA1
9abc68a284b8f8969649c77f05020c0cabc9f517

SHA256
e0095e1a312cb6f007e51605fde1c304a1f6f62e9f329766c75f3601d961ed45

SHA512
3494cdbd5dc3b04c46cf660e3a8b8ae9985d248d885f0b389449d3ded5c1cf4d33e1878dd95c163ddaa53e6ee809f188de0ad4f7d5bab755f1df9bf404fb2545

Download Submit
memory/2604-8-0x0000000001050000-0x0000000001104000-memory.dmp

Filesize
720KB

Download
memory/2604-9-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2604-10-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download
memory/2604-11-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2604-12-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads