5cf901bd931efbdb845d209aad3c1b996ae4174dd73cca3a56cf861ebc4d81fc

Analysis

max time kernel
143s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ac6c096990a06b623927798b377347a186dd5f043d0560981405c7220481555.exe
Size

499KB
MD5

db63f3cf10f5caf606532113e741833a
SHA1

4d113730f400ed87eac2b71739fd684b022c4bba
SHA256

9ac6c096990a06b623927798b377347a186dd5f043d0560981405c7220481555
SHA512

e5d629e441663639eedea21e180f553cdf51875ac9cfc7e385e1c21d8c37f2e465bbb9e9ad8c4bb18442f15bebac829fa08f2f27df2cf06f975fc8937d4e1114
SSDEEP

12288:RlxmMC5AjHIbZ1aodJBkxa2WGLOPhkcVBo0BAFUf:3x+m2ZB5lEyXBVf

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4724	ie6wzd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9ac6c096990a06b623927798b377347a186dd5f043d0560981405c7220481555.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Active Setup Log.txt	ie6wzd.exe
File opened for modification	C:\Windows\~VS8136.tmp	ie6wzd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 4724	1712	9ac6c096990a06b623927798b377347a186dd5f043d0560981405c7220481555.exe	87
PID 1712 wrote to memory of 4724	1712	9ac6c096990a06b623927798b377347a186dd5f043d0560981405c7220481555.exe	87
PID 1712 wrote to memory of 4724	1712	9ac6c096990a06b623927798b377347a186dd5f043d0560981405c7220481555.exe	87

C:\Users\Admin\AppData\Local\Temp\9ac6c096990a06b623927798b377347a186dd5f043d0560981405c7220481555.exe
"C:\Users\Admin\AppData\Local\Temp\9ac6c096990a06b623927798b377347a186dd5f043d0560981405c7220481555.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ie6wzd.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ie6wzd.exe /S:"C:\Users\Admin\AppData\Local\Temp\9ac6c096990a06b623927798b377347a186dd5f043d0560981405c7220481555.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GLOBE.ANI

Filesize
6KB

MD5
f3525c9c46c7f01433424e8aa4d0eb7e

SHA1
b0faf41ef1e211e73a3d8bb1f26df609e68e12f9

SHA256
0c713d5db713333de26a82230c9aa4adb28e4451363a8a37cbfcbb4c6aee84b5

SHA512
8df3ff17273fb60e6ce71128eab0cf1fcba69421f3622b443e210d43f6005e5b51523c68e81ac384f8c3202a6d023a592ec51d4238c8c1d0fb371ba335aa4522

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IESetup.inf

Filesize
10KB

MD5
ddd7a49972f3062b8fe4c98728a2e421

SHA1
fc136d38efb9cc340addacf5503b5be789873834

SHA256
7a21e3f5d6495213a3842398ad4a11b5a8e0e822569219879786fa8df5e14fbd

SHA512
45c6be548c77511c81bbe847120916758ce57333c3a055f29bb63c25fe65c6f47bd05fc8a2843c688299fa153e6d44d23f967fc3ed3adab979f15dd1f54642a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\advpack.dll

Filesize
90KB

MD5
b1d6819bd72142a02593b2024c38fc43

SHA1
12c894d9eb97f9af226961665e69c567568eb7ff

SHA256
9bb36b4ca686511a47ae2ddaf497722dcd1a8b250c6c92d324057694ad1f2526

SHA512
8b8e7c6d863647cc3fda186256255bc3c1ec0eea4105744eeb30f42e3b4f86659783f7aff08e5dcd719926024158d4f8aba141e287d935d82dfbb5c33a354653

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ie6wzd.exe

Filesize
193KB

MD5
b7030469029cc84312bff1fe54116ec3

SHA1
68a0b87137a136a25c30a7cfc9baa93ca1b1be23

SHA256
d23f48a122013f11a2a3c2ecb6f08dc60880f92fe0cf2bcd44f6cad4016b18a3

SHA512
7afa21dea4004012146dd58c77f74f24b462c56c614dc3cd02e54840dfcacddb0b8038819ed3d62223a23dcdb635c944962b5ab00599280c9b6ace109b2772c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ie6wzd.exe

Filesize
193KB

MD5
b7030469029cc84312bff1fe54116ec3

SHA1
68a0b87137a136a25c30a7cfc9baa93ca1b1be23

SHA256
d23f48a122013f11a2a3c2ecb6f08dc60880f92fe0cf2bcd44f6cad4016b18a3

SHA512
7afa21dea4004012146dd58c77f74f24b462c56c614dc3cd02e54840dfcacddb0b8038819ed3d62223a23dcdb635c944962b5ab00599280c9b6ace109b2772c4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads