1b7964aac14d2386bc4c1531df19fbdfec29cafdf74990e7637c1117fd9a5c08

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02/10/2023, 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a7a6ff79eeb5d51f8bf4cab188f74de0a220722e3d9d97858092ea3ef41b2b0.exe
Size

5.8MB
MD5

db137f939459ee378572623942debafa
SHA1

7703e6e0f1df016b954dca503573a22a4c1766d9
SHA256

3a7a6ff79eeb5d51f8bf4cab188f74de0a220722e3d9d97858092ea3ef41b2b0
SHA512

e9503c2986e2785e4281c9418bf178512d3ff6b875a7d5d07047e806856b3dd51254fc920fdb9fefcf03633dd2ca5168867140be1a8fc9d0676b300a2e3bde96
SSDEEP

98304:13+KGn20wQh/pCZb/ijmG/Owk2X1w/T6FpgvztWuxC4ghVI11BTLnmzE2TwWbCpK:1AJhwZLiowDX1w/Oim4zpjmzE2TwWbCn

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2552	install.exe
1260	Process not Found

Loads dropped DLL 4 IoCs

pid	Process
2260	3a7a6ff79eeb5d51f8bf4cab188f74de0a220722e3d9d97858092ea3ef41b2b0.exe
2260	3a7a6ff79eeb5d51f8bf4cab188f74de0a220722e3d9d97858092ea3ef41b2b0.exe
2552	install.exe
2552	install.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3a7a6ff79eeb5d51f8bf4cab188f74de0a220722e3d9d97858092ea3ef41b2b0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2552	2260	3a7a6ff79eeb5d51f8bf4cab188f74de0a220722e3d9d97858092ea3ef41b2b0.exe	28
PID 2260 wrote to memory of 2552	2260	3a7a6ff79eeb5d51f8bf4cab188f74de0a220722e3d9d97858092ea3ef41b2b0.exe	28
PID 2260 wrote to memory of 2552	2260	3a7a6ff79eeb5d51f8bf4cab188f74de0a220722e3d9d97858092ea3ef41b2b0.exe	28
PID 2260 wrote to memory of 2552	2260	3a7a6ff79eeb5d51f8bf4cab188f74de0a220722e3d9d97858092ea3ef41b2b0.exe	28

C:\Users\Admin\AppData\Local\Temp\3a7a6ff79eeb5d51f8bf4cab188f74de0a220722e3d9d97858092ea3ef41b2b0.exe
"C:\Users\Admin\AppData\Local\Temp\3a7a6ff79eeb5d51f8bf4cab188f74de0a220722e3d9d97858092ea3ef41b2b0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eula.1033.txt

Filesize
15KB

MD5
e40610019032bc9ee795956bed63c9c0

SHA1
d18df45d83864ed2e5a7023512711f3df4481945

SHA256
c88310fb8c4e9a645ecc0d00b72a96a1dba7baf2294b60b37589b8dd17dbeff5

SHA512
f89fb361b050e6efb913311c63552931f2066603bb5de30ee96732a6eabda608443a56f39255438b22d7d08fbd8f859b50f9ccad66e1bee195ef88e2a44be245

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\globdata.ini

Filesize
1KB

MD5
475349ae604e7888fda95cd0ea51709c

SHA1
1f1f7d53d4e24c93ad90f3514f2c984117ff48d8

SHA256
0c66607b073c8da4654fd1849799c6ac7a85a5c5d76c797bf3264bb3cae1d9ab

SHA512
cb13052ee305fa2b240806885ee32a428325c4987d69af97ff2e7907636b825fe7bfbec05ee7bc441bf6e92e18e09525c75836c25a592795da0bb73920e707ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
1.3MB

MD5
8bac0e06c046c4a34c1f91699cf7554f

SHA1
a0a47942bbc1056c5b8d99cd8c8b923e0e4d6a90

SHA256
a29426ceb90c8098d67c5d6850723b8acf9bb6b1c2c3aeac73626b380d213e5e

SHA512
5aebaecf8f6fbdc95c09f4c54d3fbd44e7a92de8ca71eea58cd3fbcb5d15986d7901540174eab668f4fe19254cca01eb7f0103408579f1267413ca7fca218c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
1.3MB

MD5
8bac0e06c046c4a34c1f91699cf7554f

SHA1
a0a47942bbc1056c5b8d99cd8c8b923e0e4d6a90

SHA256
a29426ceb90c8098d67c5d6850723b8acf9bb6b1c2c3aeac73626b380d213e5e

SHA512
5aebaecf8f6fbdc95c09f4c54d3fbd44e7a92de8ca71eea58cd3fbcb5d15986d7901540174eab668f4fe19254cca01eb7f0103408579f1267413ca7fca218c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.ini

Filesize
4KB

MD5
4598a5fefcd1b97c94e68be5b2b6251c

SHA1
67a329b341a601a0ae22484fbdfd799ceeac1406

SHA256
9ea95fff47608b0bfc2382fd0e42e2afc70c2c578adb7bb5eb3386d212cfe656

SHA512
e287e696a28fdc33ea8ef97892910429954a091ecb515d8c39260df6506322e83441ce3cc1d4d6af2e8721b8ba95ec09dcd4893ff78e8fc0e5dc2acc4d1581f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.res.1033.dll

Filesize
84KB

MD5
23042a633e3da1ffe6f0a79b4e450ee9

SHA1
abdb41049269a33313edecba9974a9b14603de68

SHA256
cb41774c0bc6cffe9aca2674a5fac7dca552f3c7fe048cd6eee5f72c31dd5474

SHA512
333285563a243fbe8b0dfade828f5c2db173297f2a1e15098e6625adfa9df9b2e1956479d19e9e37a8e28622ae183ee6ee318b9bdc8d1a09f89730661471a256

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jsredist.msi

Filesize
6.2MB

MD5
56d71b76f211a970f9e25a5698b65c4d

SHA1
3f7aa1012472249f338c9e468c95860657e0e1eb

SHA256
655f8db48416ae39b29cf7a6f06bb1e5140751e8b19f86ec158e94b30f33c278

SHA512
4a70d425e8cd3dcf67241699549f6c9ed9615bddc265c32b3137f23f119bf40635319256999f9004884aa4eb675a03bf13940fffe6453e15fb395fdb4c364e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vjredist.bmp

Filesize
5KB

MD5
06fba95313f26e300917c6cea4480890

SHA1
31beee44776f114078fc403e405eaa5936c4bc3b

SHA256
594884a8006e24ad5b1578cd7c75aca21171bb079ebdc4f6518905bcf2237ba1

SHA512
7dca0f1ab5d3fd1ac8755142a7ca4d085bb0c2f12a7272e56159dadfa22da79ec8261815be71b9f5e7c32f6e8121ecb2443060f7db76feaf01eb193200e67dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vjscustom.1033.dll

Filesize
46KB

MD5
b55e741c8a88aa58f2c860359c39a3b4

SHA1
1c2b8a0671fe5bfd6d367c3cbf57e2483c32b309

SHA256
a5a900e91229bc15af0ec56bd6a24c50308d8b5b16851727d013a179628acd85

SHA512
264536374b55e6e46f38588b9bfa17e7abab85e6cd59338234f717cf2448c564b180909e801175761d26c5142aa9b9bd7b08b293004e6d9904a68951fd7ee79d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
1.3MB

MD5
8bac0e06c046c4a34c1f91699cf7554f

SHA1
a0a47942bbc1056c5b8d99cd8c8b923e0e4d6a90

SHA256
a29426ceb90c8098d67c5d6850723b8acf9bb6b1c2c3aeac73626b380d213e5e

SHA512
5aebaecf8f6fbdc95c09f4c54d3fbd44e7a92de8ca71eea58cd3fbcb5d15986d7901540174eab668f4fe19254cca01eb7f0103408579f1267413ca7fca218c58

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
1.3MB

MD5
8bac0e06c046c4a34c1f91699cf7554f

SHA1
a0a47942bbc1056c5b8d99cd8c8b923e0e4d6a90

SHA256
a29426ceb90c8098d67c5d6850723b8acf9bb6b1c2c3aeac73626b380d213e5e

SHA512
5aebaecf8f6fbdc95c09f4c54d3fbd44e7a92de8ca71eea58cd3fbcb5d15986d7901540174eab668f4fe19254cca01eb7f0103408579f1267413ca7fca218c58

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
1.3MB

MD5
8bac0e06c046c4a34c1f91699cf7554f

SHA1
a0a47942bbc1056c5b8d99cd8c8b923e0e4d6a90

SHA256
a29426ceb90c8098d67c5d6850723b8acf9bb6b1c2c3aeac73626b380d213e5e

SHA512
5aebaecf8f6fbdc95c09f4c54d3fbd44e7a92de8ca71eea58cd3fbcb5d15986d7901540174eab668f4fe19254cca01eb7f0103408579f1267413ca7fca218c58

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.res.1033.dll

Filesize
84KB

MD5
23042a633e3da1ffe6f0a79b4e450ee9

SHA1
abdb41049269a33313edecba9974a9b14603de68

SHA256
cb41774c0bc6cffe9aca2674a5fac7dca552f3c7fe048cd6eee5f72c31dd5474

SHA512
333285563a243fbe8b0dfade828f5c2db173297f2a1e15098e6625adfa9df9b2e1956479d19e9e37a8e28622ae183ee6ee318b9bdc8d1a09f89730661471a256

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\vjscustom.1033.dll

Filesize
46KB

MD5
b55e741c8a88aa58f2c860359c39a3b4

SHA1
1c2b8a0671fe5bfd6d367c3cbf57e2483c32b309

SHA256
a5a900e91229bc15af0ec56bd6a24c50308d8b5b16851727d013a179628acd85

SHA512
264536374b55e6e46f38588b9bfa17e7abab85e6cd59338234f717cf2448c564b180909e801175761d26c5142aa9b9bd7b08b293004e6d9904a68951fd7ee79d

Download Submit
memory/2552-89-0x0000000001D90000-0x0000000001D91000-memory.dmp

Filesize
4KB

Download
memory/2552-96-0x0000000001D90000-0x0000000001D91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads