Analysis
- max time kernel: 140s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 31/10/2023, 13:48

Static task: static1

Behavioral task: behavioral1
- Sample: 34caf36645a8c7becb98e64af108eb1691a952cc2efc57a55e90530bd52a858c.exe
- Resource: win7-20231023-en

Behavioral task: behavioral2
- Sample: 34caf36645a8c7becb98e64af108eb1691a952cc2efc57a55e90530bd52a858c.exe
- Resource: win10v2004-20231020-en
General
- Target: 34caf36645a8c7becb98e64af108eb1691a952cc2efc57a55e90530bd52a858c.exe
- Size: 3.3MB
- MD5: f96e3442a8699d9014a31091484b44d4
- SHA1: 6d1a74404dde4bf2cb352164df93d5a2ddf12386
- SHA256: 34caf36645a8c7becb98e64af108eb1691a952cc2efc57a55e90530bd52a858c
- SHA512: 02ad199440d259a98e9892ac43825c745a142421afde951a95c70ec435e9a6df321e4d12a6ea36f981f35eec2e4e34abc38746ea6e26109de3e32e725c82da94
- SSDEEP: 49152:/zeqaA8fG9XnjS6OnXds7aMdc1otuL8wRswq8LxS2TLJ9f8KywtrE3NYUxGC5BU7:b5gUVOXdP+c1EuzPLxNJywtgdExIUk0
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2592, process setup.exe
- Loads dropped DLL (4 IoCs)
  pid 2608, process 34caf36645a8c7becb98e64af108eb1691a952cc2efc57a55e90530bd52a858c.exe
  pid 2592, process setup.exe (3 events)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by 34caf36645a8c7becb98e64af108eb1691a952cc2efc57a55e90530bd52a858c.exe:
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by MSIEXEC.EXE: \??\G:, \??\M:, \??\Q:, \??\W:, \??\L:, \??\N:, \??\O:, \??\B:, \??\E:, \??\H:, \??\I:, \??\K:, \??\V:, \??\Z:, \??\A:, \??\P:, \??\S:, \??\U:, \??\Y:, \??\J:, \??\R:, \??\T:, \??\X:
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2768, process MSIEXEC.EXE
- Suspicious use of AdjustPrivilegeToken (34 IoCs)
  pid 2940, process msiexec.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
  pid 2768, process MSIEXEC.EXE: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2768, process MSIEXEC.EXE
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 2608 (34caf36645a8c7becb98e64af108eb1691a952cc2efc57a55e90530bd52a858c.exe) wrote to memory of PID 2592, procid_target 29 (7 events)
  PID 2592 (setup.exe) wrote to memory of PID 2768, procid_target 30 (7 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\34caf36645a8c7becb98e64af108eb1691a952cc2efc57a55e90530bd52a858c.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\34caf36645a8c7becb98e64af108eb1691a952cc2efc57a55e90530bd52a858c.exe"
  PID: 2608
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
    PID: 2592
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\MSIEXEC.EXE (depth 3)
      Command line: MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msrdpcli.msi"
      PID: 2768
      Signatures: Enumerates connected drives; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2940
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads