47a34f921b3d0fd91f24fc47be143acd0bc5cebcf59102f72cc8cfd95f6fe72d

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
31/10/2023, 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82de6da5a0e98e6535ec9375679c22a7faf31e200e1cacbb905a3d36736c4f26.exe
Size

514KB
MD5

fd265d88bb9641b04158db462a49f767
SHA1

e2d871ef3c661db795ea8ba87e3d1a985cbc4fe7
SHA256

82de6da5a0e98e6535ec9375679c22a7faf31e200e1cacbb905a3d36736c4f26
SHA512

47318350af7a9956ea4dd0cc6ffb38688a18b68567a2ad09349928a44f4cb44c2193f6474a3613ba1c9535a107d1d663b5b20bdf8a3d99b4ecdfc40adb8d3930
SSDEEP

12288:1r4W0saArLbkSO0hKH+l175ivmgxJIWyEjYgPv:10BsaQkIKH+WfX/vEgPv

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2840	ie6wzd.exe

Loads dropped DLL 6 IoCs

pid	Process
2164	82de6da5a0e98e6535ec9375679c22a7faf31e200e1cacbb905a3d36736c4f26.exe
2840	ie6wzd.exe
2840	ie6wzd.exe
2840	ie6wzd.exe
2840	ie6wzd.exe
2840	ie6wzd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	82de6da5a0e98e6535ec9375679c22a7faf31e200e1cacbb905a3d36736c4f26.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Active Setup Log.txt	ie6wzd.exe
File opened for modification	C:\Windows\~VS5283.tmp	ie6wzd.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2840	2164	82de6da5a0e98e6535ec9375679c22a7faf31e200e1cacbb905a3d36736c4f26.exe	28
PID 2164 wrote to memory of 2840	2164	82de6da5a0e98e6535ec9375679c22a7faf31e200e1cacbb905a3d36736c4f26.exe	28
PID 2164 wrote to memory of 2840	2164	82de6da5a0e98e6535ec9375679c22a7faf31e200e1cacbb905a3d36736c4f26.exe	28
PID 2164 wrote to memory of 2840	2164	82de6da5a0e98e6535ec9375679c22a7faf31e200e1cacbb905a3d36736c4f26.exe	28
PID 2164 wrote to memory of 2840	2164	82de6da5a0e98e6535ec9375679c22a7faf31e200e1cacbb905a3d36736c4f26.exe	28
PID 2164 wrote to memory of 2840	2164	82de6da5a0e98e6535ec9375679c22a7faf31e200e1cacbb905a3d36736c4f26.exe	28
PID 2164 wrote to memory of 2840	2164	82de6da5a0e98e6535ec9375679c22a7faf31e200e1cacbb905a3d36736c4f26.exe	28

C:\Users\Admin\AppData\Local\Temp\82de6da5a0e98e6535ec9375679c22a7faf31e200e1cacbb905a3d36736c4f26.exe
"C:\Users\Admin\AppData\Local\Temp\82de6da5a0e98e6535ec9375679c22a7faf31e200e1cacbb905a3d36736c4f26.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ie6wzd.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ie6wzd.exe /S:"C:\Users\Admin\AppData\Local\Temp\82de6da5a0e98e6535ec9375679c22a7faf31e200e1cacbb905a3d36736c4f26.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GLOBE.ANI

Filesize
6KB

MD5
f3525c9c46c7f01433424e8aa4d0eb7e

SHA1
b0faf41ef1e211e73a3d8bb1f26df609e68e12f9

SHA256
0c713d5db713333de26a82230c9aa4adb28e4451363a8a37cbfcbb4c6aee84b5

SHA512
8df3ff17273fb60e6ce71128eab0cf1fcba69421f3622b443e210d43f6005e5b51523c68e81ac384f8c3202a6d023a592ec51d4238c8c1d0fb371ba335aa4522

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IESetup.inf

Filesize
11KB

MD5
8d24d94771db6c79dad4794ff48441b9

SHA1
41b136044d33d32e7df7aabddb911ad853a2493a

SHA256
bcd0f3612ab9937e106302d546f1b1cb46b1791afe316409d97a62a612e5082f

SHA512
b30d11952ee50dc35999060023e1e234532a3ea7f0fe8388ed1201d16f8e44d4a47adb36e7c7807ed221a341553bbb3404033bcfc72a11dd70ce8482c54a8f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\actsetup.bmp

Filesize
51KB

MD5
945c52c71411ec90c5d9765a5ee19e76

SHA1
7cb4a7d4d7fd7841eb00bd400fdf176a973853fe

SHA256
ecb900ff316961e447530137ab456c7e339154866f7b991b67b67cc0719f2716

SHA512
292f2659817b0941bbe07505f2b8ea63875ca4eebf9e73aaea6a6850f6e00748cc25e717873b360bb40e5fa55eb2abb383a4185716ea42e0b221cd94f60c67a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\advpack.dll

Filesize
89KB

MD5
5dc1a577f1add0b93f8c59b5a0230b64

SHA1
5fcb5c9911479835eb3093bbde50af2ce5cd73e5

SHA256
0f3fd4b9d86d7ef13543eaf87ffb0a1f43a68aa029b2a7fdb72d7fa24cf814f8

SHA512
22c75f57ac33ed068062728581852c60c1cbcbf5a10b2fea32b15ce44859f1a62052c441799ac0676256549da9422215c90f20648131b01ba6be099f38a8229a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ie6wzd.exe

Filesize
190KB

MD5
1ca5689c669a2294ab05072cc7004163

SHA1
23769babbe023b62fcdc598e0141b0010e819d10

SHA256
3c72b846d44530f93b2b9e70e90dc49c8bde188d3e164a31fe97a776e724c303

SHA512
be94b8c891046c45ef78689b8422339e0f6c843a152d0f3695a8e1e4fd1201d388af61a56fa13bda842ae384927d21adac1ac063ba7225f7b1ff23901baeb499

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ie6wzd.exe

Filesize
190KB

MD5
1ca5689c669a2294ab05072cc7004163

SHA1
23769babbe023b62fcdc598e0141b0010e819d10

SHA256
3c72b846d44530f93b2b9e70e90dc49c8bde188d3e164a31fe97a776e724c303

SHA512
be94b8c891046c45ef78689b8422339e0f6c843a152d0f3695a8e1e4fd1201d388af61a56fa13bda842ae384927d21adac1ac063ba7225f7b1ff23901baeb499

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\topsetup.bmp

Filesize
28KB

MD5
88e3da864005b55d57d758a603ddf243

SHA1
fb5a5afc72a2aea732150e948ba672e66ed7e97f

SHA256
f7a937f712fcf862d52f3e76237d0bcf130f0a99c4f752ff98dccb786261f315

SHA512
09ef388d3167fea7d70962081c0f64fc097c3b49df09b77cf5da19301e73c1585446aa6f5ed390a196e758932fac1ef5b73e5cecb470f0614e902735c075d301

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\advpack.dll

Filesize
89KB

MD5
5dc1a577f1add0b93f8c59b5a0230b64

SHA1
5fcb5c9911479835eb3093bbde50af2ce5cd73e5

SHA256
0f3fd4b9d86d7ef13543eaf87ffb0a1f43a68aa029b2a7fdb72d7fa24cf814f8

SHA512
22c75f57ac33ed068062728581852c60c1cbcbf5a10b2fea32b15ce44859f1a62052c441799ac0676256549da9422215c90f20648131b01ba6be099f38a8229a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\advpack.dll

Filesize
89KB

MD5
5dc1a577f1add0b93f8c59b5a0230b64

SHA1
5fcb5c9911479835eb3093bbde50af2ce5cd73e5

SHA256
0f3fd4b9d86d7ef13543eaf87ffb0a1f43a68aa029b2a7fdb72d7fa24cf814f8

SHA512
22c75f57ac33ed068062728581852c60c1cbcbf5a10b2fea32b15ce44859f1a62052c441799ac0676256549da9422215c90f20648131b01ba6be099f38a8229a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ie6wzd.exe

Filesize
190KB

MD5
1ca5689c669a2294ab05072cc7004163

SHA1
23769babbe023b62fcdc598e0141b0010e819d10

SHA256
3c72b846d44530f93b2b9e70e90dc49c8bde188d3e164a31fe97a776e724c303

SHA512
be94b8c891046c45ef78689b8422339e0f6c843a152d0f3695a8e1e4fd1201d388af61a56fa13bda842ae384927d21adac1ac063ba7225f7b1ff23901baeb499

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ie6wzd.exe

Filesize
190KB

MD5
1ca5689c669a2294ab05072cc7004163

SHA1
23769babbe023b62fcdc598e0141b0010e819d10

SHA256
3c72b846d44530f93b2b9e70e90dc49c8bde188d3e164a31fe97a776e724c303

SHA512
be94b8c891046c45ef78689b8422339e0f6c843a152d0f3695a8e1e4fd1201d388af61a56fa13bda842ae384927d21adac1ac063ba7225f7b1ff23901baeb499

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ie6wzd.exe

Filesize
190KB

MD5
1ca5689c669a2294ab05072cc7004163

SHA1
23769babbe023b62fcdc598e0141b0010e819d10

SHA256
3c72b846d44530f93b2b9e70e90dc49c8bde188d3e164a31fe97a776e724c303

SHA512
be94b8c891046c45ef78689b8422339e0f6c843a152d0f3695a8e1e4fd1201d388af61a56fa13bda842ae384927d21adac1ac063ba7225f7b1ff23901baeb499

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ie6wzd.exe

Filesize
190KB

MD5
1ca5689c669a2294ab05072cc7004163

SHA1
23769babbe023b62fcdc598e0141b0010e819d10

SHA256
3c72b846d44530f93b2b9e70e90dc49c8bde188d3e164a31fe97a776e724c303

SHA512
be94b8c891046c45ef78689b8422339e0f6c843a152d0f3695a8e1e4fd1201d388af61a56fa13bda842ae384927d21adac1ac063ba7225f7b1ff23901baeb499

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads