e95901a136320d166ef0e350820c3a27b18d28e0c1c95f4c2eab554f22c14863

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
07/10/2023, 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

345KB
MD5

8d16dd9f3f8ede2dc95ada1fa50d34c9
SHA1

c7b39341e655cfaaf8144ad31a27d72cf0d5c2a5
SHA256

e95901a136320d166ef0e350820c3a27b18d28e0c1c95f4c2eab554f22c14863
SHA512

655941f117ef4e0a117a4b0ed434a3b6e8faea4cd8ed1b86f137d8ca0268961bad072b916a84a9bde5382cd955e61a066f3d95c10d4802416c1ff54be58b3407
SSDEEP

6144:UahOvBmbKsPQiFIpr83tdV4jjRY/acuY6BnkY0CzeEaZw3v5x/U0xlZqc:Ui6UWsPQiFIedQj+/F16BnkY0CaEV/ZH

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2236	describeeffectively.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	describeeffectively.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2236	2820	tmp.exe	28
PID 2820 wrote to memory of 2236	2820	tmp.exe	28
PID 2820 wrote to memory of 2236	2820	tmp.exe	28
PID 2820 wrote to memory of 2236	2820	tmp.exe	28

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\describeeffectively.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\describeeffectively.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\describeeffectively.exe

Filesize
392KB

MD5
f933941a5acbe1ea6cfa4e9b892a64e4

SHA1
a691f1997c139dda87c4d268314eb2abfd82a985

SHA256
d0bb9fdfd03e73716ea006bcf3f0164a454e36023c9046487294c1f20857f5c5

SHA512
dc3d6a60786ed2ea782c52facd86999f6b547b1e744a1b75ece4ddfa18405761aeb97bafaf8eb0fcd89ea2af3f10cd327b1d9842c2fd2ca91315da9eb1f20729

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\describeeffectively.exe

Filesize
392KB

MD5
f933941a5acbe1ea6cfa4e9b892a64e4

SHA1
a691f1997c139dda87c4d268314eb2abfd82a985

SHA256
d0bb9fdfd03e73716ea006bcf3f0164a454e36023c9046487294c1f20857f5c5

SHA512
dc3d6a60786ed2ea782c52facd86999f6b547b1e744a1b75ece4ddfa18405761aeb97bafaf8eb0fcd89ea2af3f10cd327b1d9842c2fd2ca91315da9eb1f20729

Download Submit
memory/2236-8-0x0000000000380000-0x00000000003E8000-memory.dmp

Filesize
416KB

Download
memory/2236-9-0x0000000074BE0000-0x00000000752CE000-memory.dmp

Filesize
6.9MB

Download
memory/2236-10-0x00000000020C0000-0x0000000002100000-memory.dmp

Filesize
256KB

Download
memory/2236-11-0x0000000074BE0000-0x00000000752CE000-memory.dmp

Filesize
6.9MB

Download
memory/2236-12-0x00000000020C0000-0x0000000002100000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads