e1fc0afa1237060ad1d91c1fbf66a0d6045996ea185ff4768796a7a3aa1cb713

Analysis

max time kernel
132s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2023 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c85a62aeff4db7c8d3f0e2b9df4b9c4cb6d6dc61c43ecb30ad28738b7d7d1268.exe
Size

479KB
MD5

b9b7ea3defd41af00931ffc2ba2615d8
SHA1

ad36ee057c82de6c7ae02582911f288b3c54ccca
SHA256

c85a62aeff4db7c8d3f0e2b9df4b9c4cb6d6dc61c43ecb30ad28738b7d7d1268
SHA512

d1a89fb9c40808fb411908381589e10d5629268a5173ec8f270145d27d4c610cdcb8f896cc0121f797d9a5d44a00236c22acb6a2f05f786f5a548ff33d3f068f
SSDEEP

12288:saKWJbOe9MGYmEhufFCwTmsyDrIjCnckk:fKWJylmEhuZTvy3nckk

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2848	ie6wzd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c85a62aeff4db7c8d3f0e2b9df4b9c4cb6d6dc61c43ecb30ad28738b7d7d1268.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Active Setup Log.txt	ie6wzd.exe
File opened for modification	C:\Windows\~VSFF7E.tmp	ie6wzd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2848	2192	c85a62aeff4db7c8d3f0e2b9df4b9c4cb6d6dc61c43ecb30ad28738b7d7d1268.exe	87
PID 2192 wrote to memory of 2848	2192	c85a62aeff4db7c8d3f0e2b9df4b9c4cb6d6dc61c43ecb30ad28738b7d7d1268.exe	87
PID 2192 wrote to memory of 2848	2192	c85a62aeff4db7c8d3f0e2b9df4b9c4cb6d6dc61c43ecb30ad28738b7d7d1268.exe	87

C:\Users\Admin\AppData\Local\Temp\c85a62aeff4db7c8d3f0e2b9df4b9c4cb6d6dc61c43ecb30ad28738b7d7d1268.exe
"C:\Users\Admin\AppData\Local\Temp\c85a62aeff4db7c8d3f0e2b9df4b9c4cb6d6dc61c43ecb30ad28738b7d7d1268.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ie6wzd.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ie6wzd.exe /S:"C:\Users\Admin\AppData\Local\Temp\c85a62aeff4db7c8d3f0e2b9df4b9c4cb6d6dc61c43ecb30ad28738b7d7d1268.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GLOBE.ANI

Filesize
6KB

MD5
f3525c9c46c7f01433424e8aa4d0eb7e

SHA1
b0faf41ef1e211e73a3d8bb1f26df609e68e12f9

SHA256
0c713d5db713333de26a82230c9aa4adb28e4451363a8a37cbfcbb4c6aee84b5

SHA512
8df3ff17273fb60e6ce71128eab0cf1fcba69421f3622b443e210d43f6005e5b51523c68e81ac384f8c3202a6d023a592ec51d4238c8c1d0fb371ba335aa4522

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IESetup.inf

Filesize
10KB

MD5
59fbef5cdbfcf3f2495f706d49d7b0d3

SHA1
a709f9e17810e5f480f003d03407cfbb31d1aebe

SHA256
51a6b1ba97d1937dffc0025ad4fd15beed7c3939f5278b738e4931116ed89b4b

SHA512
7ebcb61e91bfe441fc1d68a748d7ccd7adf0ce0deb881c278d392589534c4dc7fa4b82b16c49ef57fb662ed02e016f66685e7bd5835f6a437d22e98476f808cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\advpack.dll

Filesize
89KB

MD5
84f97568ea488bdfa0199a14ecd0bc7b

SHA1
6db4d2ffcccdccfd37dd120eeec06e3f7a81f705

SHA256
b3646276b0422103489d72e1696e8a1c03d20127907c54aed619e4f94825d649

SHA512
d996c0a7df303519a23075fa63f7d0c11ac5a255f382fe10eeda67a83d70a950c206ad32ec8a83cd8982ca37b052d98683e7cba532955ab5573aea17d534b4a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ie6wzd.exe

Filesize
186KB

MD5
2716449366116e6cbc1980d629b25174

SHA1
344ae92d114a5c5590e0651292d191f46dffde4a

SHA256
cc52e9ca760c94b7e24e4e401d346154e276c038199e3a75a8852ed5ff479535

SHA512
a15fd1add537ff9f66beb8eeda546565a10955ce59dbd01542c9c86536635d4d2c6cb5278efcf963d9fd30a398b2fe7b252176350c9e8a925096ca3d9b12c30f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ie6wzd.exe

Filesize
186KB

MD5
2716449366116e6cbc1980d629b25174

SHA1
344ae92d114a5c5590e0651292d191f46dffde4a

SHA256
cc52e9ca760c94b7e24e4e401d346154e276c038199e3a75a8852ed5ff479535

SHA512
a15fd1add537ff9f66beb8eeda546565a10955ce59dbd01542c9c86536635d4d2c6cb5278efcf963d9fd30a398b2fe7b252176350c9e8a925096ca3d9b12c30f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads