9d08d0d3dc0d7b666b6eae20b9a9596cb30acdc30aee9da72224a40afb018dac

Analysis

max time kernel
148s
max time network
136s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79752a20311c9cd5e8729879cc908cb271828c3754554d8dd04aaf0cbdd662a8.exe
Size

1.2MB
MD5

bcacf1f6255cf96387fb4f7a42ae8efd
SHA1

e85b0f4ef66bb35624732a33f602fd7596042013
SHA256

79752a20311c9cd5e8729879cc908cb271828c3754554d8dd04aaf0cbdd662a8
SHA512

ff5f3b3b6218ce345c04b87a112e9c9befb6abd11aa97626e93af3f504ff24116a39a7c1958e64f85f0e7e9980cdcd0595c12be5a5edfd7d89354aad53321912
SSDEEP

24576:IyI6SglsnHQqmircutecl/lq4J00eQaursEj749P/Ss+jMeLRN:POhE8VecltY0Laur3kt/sjMeL

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2596	ea3YE98.exe
2760	SK6pr23.exe
1944	VX3XR98.exe
2412	1Zh52Og2.exe

Loads dropped DLL 8 IoCs

pid	Process
2588	79752a20311c9cd5e8729879cc908cb271828c3754554d8dd04aaf0cbdd662a8.exe
2596	ea3YE98.exe
2596	ea3YE98.exe
2760	SK6pr23.exe
2760	SK6pr23.exe
1944	VX3XR98.exe
1944	VX3XR98.exe
2412	1Zh52Og2.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	79752a20311c9cd5e8729879cc908cb271828c3754554d8dd04aaf0cbdd662a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ea3YE98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	SK6pr23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	VX3XR98.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 2596	2588	79752a20311c9cd5e8729879cc908cb271828c3754554d8dd04aaf0cbdd662a8.exe	30
PID 2588 wrote to memory of 2596	2588	79752a20311c9cd5e8729879cc908cb271828c3754554d8dd04aaf0cbdd662a8.exe	30
PID 2588 wrote to memory of 2596	2588	79752a20311c9cd5e8729879cc908cb271828c3754554d8dd04aaf0cbdd662a8.exe	30
PID 2588 wrote to memory of 2596	2588	79752a20311c9cd5e8729879cc908cb271828c3754554d8dd04aaf0cbdd662a8.exe	30
PID 2588 wrote to memory of 2596	2588	79752a20311c9cd5e8729879cc908cb271828c3754554d8dd04aaf0cbdd662a8.exe	30
PID 2588 wrote to memory of 2596	2588	79752a20311c9cd5e8729879cc908cb271828c3754554d8dd04aaf0cbdd662a8.exe	30
PID 2588 wrote to memory of 2596	2588	79752a20311c9cd5e8729879cc908cb271828c3754554d8dd04aaf0cbdd662a8.exe	30
PID 2596 wrote to memory of 2760	2596	ea3YE98.exe	31
PID 2596 wrote to memory of 2760	2596	ea3YE98.exe	31
PID 2596 wrote to memory of 2760	2596	ea3YE98.exe	31
PID 2596 wrote to memory of 2760	2596	ea3YE98.exe	31
PID 2596 wrote to memory of 2760	2596	ea3YE98.exe	31
PID 2596 wrote to memory of 2760	2596	ea3YE98.exe	31
PID 2596 wrote to memory of 2760	2596	ea3YE98.exe	31
PID 2760 wrote to memory of 1944	2760	SK6pr23.exe	32
PID 2760 wrote to memory of 1944	2760	SK6pr23.exe	32
PID 2760 wrote to memory of 1944	2760	SK6pr23.exe	32
PID 2760 wrote to memory of 1944	2760	SK6pr23.exe	32
PID 2760 wrote to memory of 1944	2760	SK6pr23.exe	32
PID 2760 wrote to memory of 1944	2760	SK6pr23.exe	32
PID 2760 wrote to memory of 1944	2760	SK6pr23.exe	32
PID 1944 wrote to memory of 2412	1944	VX3XR98.exe	33
PID 1944 wrote to memory of 2412	1944	VX3XR98.exe	33
PID 1944 wrote to memory of 2412	1944	VX3XR98.exe	33
PID 1944 wrote to memory of 2412	1944	VX3XR98.exe	33
PID 1944 wrote to memory of 2412	1944	VX3XR98.exe	33
PID 1944 wrote to memory of 2412	1944	VX3XR98.exe	33
PID 1944 wrote to memory of 2412	1944	VX3XR98.exe	33

C:\Users\Admin\AppData\Local\Temp\79752a20311c9cd5e8729879cc908cb271828c3754554d8dd04aaf0cbdd662a8.exe
"C:\Users\Admin\AppData\Local\Temp\79752a20311c9cd5e8729879cc908cb271828c3754554d8dd04aaf0cbdd662a8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ea3YE98.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ea3YE98.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SK6pr23.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SK6pr23.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VX3XR98.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VX3XR98.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1944
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Zh52Og2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Zh52Og2.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ea3YE98.exe

Filesize
1.0MB

MD5
37f89373ffed111131bd08ee4e010379

SHA1
b8f944de1eb7b18937a0adb5a03fc4a743c5ec38

SHA256
95b6daced3c38307f383eaff2d2f8b5c586268a37d798f1d75b90fe13120e03a

SHA512
a889c85726a886ba332e807bd40ff3bdcaf0e5f8ff9579f41e65e8324a9e7521eb77b5ddcc52d80b919812d2960d889b09c18befb513a5a710ed10ce717a41b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ea3YE98.exe

Filesize
1.0MB

MD5
37f89373ffed111131bd08ee4e010379

SHA1
b8f944de1eb7b18937a0adb5a03fc4a743c5ec38

SHA256
95b6daced3c38307f383eaff2d2f8b5c586268a37d798f1d75b90fe13120e03a

SHA512
a889c85726a886ba332e807bd40ff3bdcaf0e5f8ff9579f41e65e8324a9e7521eb77b5ddcc52d80b919812d2960d889b09c18befb513a5a710ed10ce717a41b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SK6pr23.exe

Filesize
746KB

MD5
9ccf10b23cf7189b344db6164a2fad80

SHA1
ea2fb03c3380e0d21b9f8f7f2326080990ee8550

SHA256
a5734536264dcf98966ea87a7d435156247e0c7a99cea315e4bc0ad80ca41a14

SHA512
7707928cae49c7c519503acc7c734380ecf803848a26c35bd653709de2fab888c33cdfe2753490d61352df5d71eb106f5a54de16bb6feafa67c606b50b5830f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SK6pr23.exe

Filesize
746KB

MD5
9ccf10b23cf7189b344db6164a2fad80

SHA1
ea2fb03c3380e0d21b9f8f7f2326080990ee8550

SHA256
a5734536264dcf98966ea87a7d435156247e0c7a99cea315e4bc0ad80ca41a14

SHA512
7707928cae49c7c519503acc7c734380ecf803848a26c35bd653709de2fab888c33cdfe2753490d61352df5d71eb106f5a54de16bb6feafa67c606b50b5830f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VX3XR98.exe

Filesize
494KB

MD5
acf19ba87dee843a93b883c18222218b

SHA1
4d6b6a1872451f4f523d4a664df4dfedcb58298b

SHA256
8753a360e8b9df20f690ca2a72fba05cd4b1880c810f00026cb35c6d41c98262

SHA512
a05bf9355c5ad984db62f6e0a77f4f29279d5316296d9f5295a1c3c2119aa1a6dee8366546d5cab2f1ff9e058524a1bbf2ad74b0903164cada098ea9b312ed38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VX3XR98.exe

Filesize
494KB

MD5
acf19ba87dee843a93b883c18222218b

SHA1
4d6b6a1872451f4f523d4a664df4dfedcb58298b

SHA256
8753a360e8b9df20f690ca2a72fba05cd4b1880c810f00026cb35c6d41c98262

SHA512
a05bf9355c5ad984db62f6e0a77f4f29279d5316296d9f5295a1c3c2119aa1a6dee8366546d5cab2f1ff9e058524a1bbf2ad74b0903164cada098ea9b312ed38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Zh52Og2.exe

Filesize
194KB

MD5
6241b03d68a610324ecda52f0f84e287

SHA1
da80280b6e3925e455925efd6c6e59a6118269c4

SHA256
ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2

SHA512
a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Zh52Og2.exe

Filesize
194KB

MD5
6241b03d68a610324ecda52f0f84e287

SHA1
da80280b6e3925e455925efd6c6e59a6118269c4

SHA256
ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2

SHA512
a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ea3YE98.exe

Filesize
1.0MB

MD5
37f89373ffed111131bd08ee4e010379

SHA1
b8f944de1eb7b18937a0adb5a03fc4a743c5ec38

SHA256
95b6daced3c38307f383eaff2d2f8b5c586268a37d798f1d75b90fe13120e03a

SHA512
a889c85726a886ba332e807bd40ff3bdcaf0e5f8ff9579f41e65e8324a9e7521eb77b5ddcc52d80b919812d2960d889b09c18befb513a5a710ed10ce717a41b8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ea3YE98.exe

Filesize
1.0MB

MD5
37f89373ffed111131bd08ee4e010379

SHA1
b8f944de1eb7b18937a0adb5a03fc4a743c5ec38

SHA256
95b6daced3c38307f383eaff2d2f8b5c586268a37d798f1d75b90fe13120e03a

SHA512
a889c85726a886ba332e807bd40ff3bdcaf0e5f8ff9579f41e65e8324a9e7521eb77b5ddcc52d80b919812d2960d889b09c18befb513a5a710ed10ce717a41b8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\SK6pr23.exe

Filesize
746KB

MD5
9ccf10b23cf7189b344db6164a2fad80

SHA1
ea2fb03c3380e0d21b9f8f7f2326080990ee8550

SHA256
a5734536264dcf98966ea87a7d435156247e0c7a99cea315e4bc0ad80ca41a14

SHA512
7707928cae49c7c519503acc7c734380ecf803848a26c35bd653709de2fab888c33cdfe2753490d61352df5d71eb106f5a54de16bb6feafa67c606b50b5830f5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\SK6pr23.exe

Filesize
746KB

MD5
9ccf10b23cf7189b344db6164a2fad80

SHA1
ea2fb03c3380e0d21b9f8f7f2326080990ee8550

SHA256
a5734536264dcf98966ea87a7d435156247e0c7a99cea315e4bc0ad80ca41a14

SHA512
7707928cae49c7c519503acc7c734380ecf803848a26c35bd653709de2fab888c33cdfe2753490d61352df5d71eb106f5a54de16bb6feafa67c606b50b5830f5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\VX3XR98.exe

Filesize
494KB

MD5
acf19ba87dee843a93b883c18222218b

SHA1
4d6b6a1872451f4f523d4a664df4dfedcb58298b

SHA256
8753a360e8b9df20f690ca2a72fba05cd4b1880c810f00026cb35c6d41c98262

SHA512
a05bf9355c5ad984db62f6e0a77f4f29279d5316296d9f5295a1c3c2119aa1a6dee8366546d5cab2f1ff9e058524a1bbf2ad74b0903164cada098ea9b312ed38

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\VX3XR98.exe

Filesize
494KB

MD5
acf19ba87dee843a93b883c18222218b

SHA1
4d6b6a1872451f4f523d4a664df4dfedcb58298b

SHA256
8753a360e8b9df20f690ca2a72fba05cd4b1880c810f00026cb35c6d41c98262

SHA512
a05bf9355c5ad984db62f6e0a77f4f29279d5316296d9f5295a1c3c2119aa1a6dee8366546d5cab2f1ff9e058524a1bbf2ad74b0903164cada098ea9b312ed38

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Zh52Og2.exe

Filesize
194KB

MD5
6241b03d68a610324ecda52f0f84e287

SHA1
da80280b6e3925e455925efd6c6e59a6118269c4

SHA256
ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2

SHA512
a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Zh52Og2.exe

Filesize
194KB

MD5
6241b03d68a610324ecda52f0f84e287

SHA1
da80280b6e3925e455925efd6c6e59a6118269c4

SHA256
ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2

SHA512
a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9

Download Submit
memory/2412-40-0x00000000003D0000-0x00000000003EE000-memory.dmp

Filesize
120KB

Download
memory/2412-41-0x0000000000540000-0x000000000055C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads