db553c360c8b150b8a8d6cf54a02d8130036bac3a3e7ba1780cd7081b498f2ba

Analysis

max time kernel
117s
max time network
154s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
31/10/2023, 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96a4f8d661316e6557230133b41da50aac9cd73e46cb50511a56b06c6d542428.exe
Size

1.7MB
MD5

7dd26a1f30a5d11db9c13dbaa914b65c
SHA1

abb870e0d6dadf1f8bb4c301db8c8a4db15ea4aa
SHA256

96a4f8d661316e6557230133b41da50aac9cd73e46cb50511a56b06c6d542428
SHA512

7fb8b418c0014b9fca8fec7b5f4aa01582f05981ea4d7ad5f56e916552429725f859f9090d7845cf374f36d151a7f97f0e29fa3e9eeeda7e4487a40b835358b8
SSDEEP

49152:71wRZWos0ahxr/rqs6gFW8umWWbYaJp5Jsk4YC0PYDU:7WRZWo8/rq5L8oWs4+k4YPP1

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2156	install.exe

Loads dropped DLL 5 IoCs

pid	Process
2464	96a4f8d661316e6557230133b41da50aac9cd73e46cb50511a56b06c6d542428.exe
2156	install.exe
2156	install.exe
2156	install.exe
2156	install.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	96a4f8d661316e6557230133b41da50aac9cd73e46cb50511a56b06c6d542428.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2156	install.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2156	2464	96a4f8d661316e6557230133b41da50aac9cd73e46cb50511a56b06c6d542428.exe	28
PID 2464 wrote to memory of 2156	2464	96a4f8d661316e6557230133b41da50aac9cd73e46cb50511a56b06c6d542428.exe	28
PID 2464 wrote to memory of 2156	2464	96a4f8d661316e6557230133b41da50aac9cd73e46cb50511a56b06c6d542428.exe	28
PID 2464 wrote to memory of 2156	2464	96a4f8d661316e6557230133b41da50aac9cd73e46cb50511a56b06c6d542428.exe	28
PID 2464 wrote to memory of 2156	2464	96a4f8d661316e6557230133b41da50aac9cd73e46cb50511a56b06c6d542428.exe	28
PID 2464 wrote to memory of 2156	2464	96a4f8d661316e6557230133b41da50aac9cd73e46cb50511a56b06c6d542428.exe	28
PID 2464 wrote to memory of 2156	2464	96a4f8d661316e6557230133b41da50aac9cd73e46cb50511a56b06c6d542428.exe	28

C:\Users\Admin\AppData\Local\Temp\96a4f8d661316e6557230133b41da50aac9cd73e46cb50511a56b06c6d542428.exe
"C:\Users\Admin\AppData\Local\Temp\96a4f8d661316e6557230133b41da50aac9cd73e46cb50511a56b06c6d542428.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eula.1040.txt

Filesize
8KB

MD5
8bc18194e2cc2590e115e6b65e1c72ca

SHA1
b55a3684ce3899fbd89fea8ed12d2115c6962991

SHA256
85911233010a3891820ad9821908893bb1711f31dc874ee749a10ad75031edcd

SHA512
fd042dc7793c177c30a91dc116b7513982fdb2ea8a4434831396b06c09c14c56750338aaac174af5ee4fa8d8474484c0c65084682714d6d2202a139951d75ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
595KB

MD5
ff977f9cde2cdb16fa62a7d4d250f8cb

SHA1
9461780db5e5317f4c1bb30d72d4bfd823bea075

SHA256
d446c9471ece9af75f91c984fc09050e1d0fd4f76c00fde087a63da717ef18d7

SHA512
9fa9681d5bdc201dc6e86c66cd5f23896b842f300c4f48e66850903496e19b43268597c1090fb477fb795bc999c6816d70ab3f100b43b4a049026ddf7ddb7cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
595KB

MD5
ff977f9cde2cdb16fa62a7d4d250f8cb

SHA1
9461780db5e5317f4c1bb30d72d4bfd823bea075

SHA256
d446c9471ece9af75f91c984fc09050e1d0fd4f76c00fde087a63da717ef18d7

SHA512
9fa9681d5bdc201dc6e86c66cd5f23896b842f300c4f48e66850903496e19b43268597c1090fb477fb795bc999c6816d70ab3f100b43b4a049026ddf7ddb7cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.ini

Filesize
4KB

MD5
e5a121e194e2425b94092f811b0b1d35

SHA1
b46d28131e244766969363e9ec8a4901081a4190

SHA256
50bd45989ac93229196fafc2e54b8e8830b41b7a0f51fb3c9eb601c6330e5f25

SHA512
9168ea7c4cc9c102ee4a9dec5d6213f22d37b1e602a8a26b512f4b75c724ecb566bdfb9df809bfa4395346277c64475b0bf60256a13c9fcc6d8a2b45e139c6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.res.1040.dll

Filesize
82KB

MD5
dc40f8fc934de8c9266b62b003db3727

SHA1
b4c3353eced2a60d68e966f6a406d19982f58a02

SHA256
b0f5c37a95280ec66f747fb36ffc1eeb4a02b317c7db31173cfdbff8f32bee43

SHA512
551421007dbc1c66cab0310a6014d447bfefea48d8cafb92e527ed805a2996ec6b3dfb2a50422256d3dbd57548c26e1cf2092c4a62f7d6ef68fb5a0454405d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\langpack.msi

Filesize
1.9MB

MD5
636c04e88fcae33b788f6d271be7d6d7

SHA1
7e443b2b7bd58ad7f9822c08e1ee2e8400820089

SHA256
a288fb8b65e2c8004c61028554634607a14509269bbc13e9921a326a8e1978e3

SHA512
166d32397663a0b8bbc5df700d846a579f0c00243866ffdc93024f480e3397a33305117d8064bd8bf1dd0adfdac3a3b6dcf79bda3160e48ec454f1c32922a58b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\netfx.bmp

Filesize
5KB

MD5
06fba95313f26e300917c6cea4480890

SHA1
31beee44776f114078fc403e405eaa5936c4bc3b

SHA256
594884a8006e24ad5b1578cd7c75aca21171bb079ebdc4f6518905bcf2237ba1

SHA512
7dca0f1ab5d3fd1ac8755142a7ca4d085bb0c2f12a7272e56159dadfa22da79ec8261815be71b9f5e7c32f6e8121ecb2443060f7db76feaf01eb193200e67dfd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
595KB

MD5
ff977f9cde2cdb16fa62a7d4d250f8cb

SHA1
9461780db5e5317f4c1bb30d72d4bfd823bea075

SHA256
d446c9471ece9af75f91c984fc09050e1d0fd4f76c00fde087a63da717ef18d7

SHA512
9fa9681d5bdc201dc6e86c66cd5f23896b842f300c4f48e66850903496e19b43268597c1090fb477fb795bc999c6816d70ab3f100b43b4a049026ddf7ddb7cdf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
595KB

MD5
ff977f9cde2cdb16fa62a7d4d250f8cb

SHA1
9461780db5e5317f4c1bb30d72d4bfd823bea075

SHA256
d446c9471ece9af75f91c984fc09050e1d0fd4f76c00fde087a63da717ef18d7

SHA512
9fa9681d5bdc201dc6e86c66cd5f23896b842f300c4f48e66850903496e19b43268597c1090fb477fb795bc999c6816d70ab3f100b43b4a049026ddf7ddb7cdf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
595KB

MD5
ff977f9cde2cdb16fa62a7d4d250f8cb

SHA1
9461780db5e5317f4c1bb30d72d4bfd823bea075

SHA256
d446c9471ece9af75f91c984fc09050e1d0fd4f76c00fde087a63da717ef18d7

SHA512
9fa9681d5bdc201dc6e86c66cd5f23896b842f300c4f48e66850903496e19b43268597c1090fb477fb795bc999c6816d70ab3f100b43b4a049026ddf7ddb7cdf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
595KB

MD5
ff977f9cde2cdb16fa62a7d4d250f8cb

SHA1
9461780db5e5317f4c1bb30d72d4bfd823bea075

SHA256
d446c9471ece9af75f91c984fc09050e1d0fd4f76c00fde087a63da717ef18d7

SHA512
9fa9681d5bdc201dc6e86c66cd5f23896b842f300c4f48e66850903496e19b43268597c1090fb477fb795bc999c6816d70ab3f100b43b4a049026ddf7ddb7cdf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.res.1040.dll

Filesize
82KB

MD5
dc40f8fc934de8c9266b62b003db3727

SHA1
b4c3353eced2a60d68e966f6a406d19982f58a02

SHA256
b0f5c37a95280ec66f747fb36ffc1eeb4a02b317c7db31173cfdbff8f32bee43

SHA512
551421007dbc1c66cab0310a6014d447bfefea48d8cafb92e527ed805a2996ec6b3dfb2a50422256d3dbd57548c26e1cf2092c4a62f7d6ef68fb5a0454405d91

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads