e1e81d5f4eb8e3a4784d17d12970f212d3bafa2584c69bd81821ba30076cd96d

Resubmissions

05-05-2024 00:32

240505-avs8wsbg94 7

12-11-2023 19:17

231112-xzp4csah4x 10

12-11-2023 19:05

231112-xrjavaag9t 10

Analysis

max time kernel
58s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2023 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1e81d5f4eb8e3a4784d17d12970f212d3bafa2584c69bd81821ba30076cd96d.exe
Size

1.4MB
MD5

409a6f8b516eeefb33316a9057898eb7
SHA1

d79fe80acc4ce397bef1afce0b90b8ae04c648e0
SHA256

e1e81d5f4eb8e3a4784d17d12970f212d3bafa2584c69bd81821ba30076cd96d
SHA512

2f11c73f28161d48269215da555e79c9dbda6beff67c5a5721e1187c509ab9d3024de6ef0a7034dd35ee68866c10e3f1319a64166414fa739a6c75eca4511fca
SSDEEP

24576:PyprHugHcb699nS3MelIsL9vGuxwDPlCDj7D9lYCmnZLQ352uf/XvYd:apDuYY69YcemUpG7RCrDXYCmnZu2ivv

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
736	yz0fm44.exe
2428	jx3YX23.exe
768	fO0ME68.exe
2640	1fA48sP5.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	jx3YX23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	fO0ME68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e1e81d5f4eb8e3a4784d17d12970f212d3bafa2584c69bd81821ba30076cd96d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	yz0fm44.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000022cea-26.dat	autoit_exe
behavioral2/files/0x0007000000022cea-27.dat	autoit_exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 736	3588	e1e81d5f4eb8e3a4784d17d12970f212d3bafa2584c69bd81821ba30076cd96d.exe	92
PID 3588 wrote to memory of 736	3588	e1e81d5f4eb8e3a4784d17d12970f212d3bafa2584c69bd81821ba30076cd96d.exe	92
PID 3588 wrote to memory of 736	3588	e1e81d5f4eb8e3a4784d17d12970f212d3bafa2584c69bd81821ba30076cd96d.exe	92
PID 736 wrote to memory of 2428	736	yz0fm44.exe	93
PID 736 wrote to memory of 2428	736	yz0fm44.exe	93
PID 736 wrote to memory of 2428	736	yz0fm44.exe	93
PID 2428 wrote to memory of 768	2428	jx3YX23.exe	94
PID 2428 wrote to memory of 768	2428	jx3YX23.exe	94
PID 2428 wrote to memory of 768	2428	jx3YX23.exe	94
PID 768 wrote to memory of 2640	768	fO0ME68.exe	95
PID 768 wrote to memory of 2640	768	fO0ME68.exe	95
PID 768 wrote to memory of 2640	768	fO0ME68.exe	95

C:\Users\Admin\AppData\Local\Temp\e1e81d5f4eb8e3a4784d17d12970f212d3bafa2584c69bd81821ba30076cd96d.exe
"C:\Users\Admin\AppData\Local\Temp\e1e81d5f4eb8e3a4784d17d12970f212d3bafa2584c69bd81821ba30076cd96d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yz0fm44.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yz0fm44.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jx3YX23.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jx3YX23.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fO0ME68.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fO0ME68.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1fA48sP5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1fA48sP5.exe
        5⤵
        Executes dropped EXE
        
        PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yz0fm44.exe

Filesize
1006KB

MD5
8a41b16f8aab61953e35ae855124b018

SHA1
144c07040935ee9752b17c4221776de88d97baf9

SHA256
a7b5d911be93e7e8e748c13ca08f50dd9130138e92906cdfb9da8ef1de8b9db7

SHA512
3f57d9d57a1564c19440c10dc8c1a17865891d76d51562244dc973529bf333be9bd6406767a42463c7088f91e0acc4a4fc04cb29146a6a8e95f07668615abb8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yz0fm44.exe

Filesize
1006KB

MD5
8a41b16f8aab61953e35ae855124b018

SHA1
144c07040935ee9752b17c4221776de88d97baf9

SHA256
a7b5d911be93e7e8e748c13ca08f50dd9130138e92906cdfb9da8ef1de8b9db7

SHA512
3f57d9d57a1564c19440c10dc8c1a17865891d76d51562244dc973529bf333be9bd6406767a42463c7088f91e0acc4a4fc04cb29146a6a8e95f07668615abb8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jx3YX23.exe

Filesize
783KB

MD5
5779b1aec1c0e9360e38cabcbcf2eae6

SHA1
370eb8d2a2226f5db17780d6c03f8b6c407ba62a

SHA256
24a580b7f8c6f3e86ad9d40dd4054204255f5eb3ce03cab0bd04e94b3483e1d0

SHA512
f20026dc9ef8376aadd780bbd91472a4e1eb79d2e62ddbc4102786eef9276e9b9f3b8b1f9f73ba1c284ed4028432470225b109c0009794f4d1f3ff5d7289ee50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jx3YX23.exe

Filesize
783KB

MD5
5779b1aec1c0e9360e38cabcbcf2eae6

SHA1
370eb8d2a2226f5db17780d6c03f8b6c407ba62a

SHA256
24a580b7f8c6f3e86ad9d40dd4054204255f5eb3ce03cab0bd04e94b3483e1d0

SHA512
f20026dc9ef8376aadd780bbd91472a4e1eb79d2e62ddbc4102786eef9276e9b9f3b8b1f9f73ba1c284ed4028432470225b109c0009794f4d1f3ff5d7289ee50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fO0ME68.exe

Filesize
658KB

MD5
380bc597cad1a6e811fa7b27457fc99e

SHA1
5f5652b8a8ec2d1e2b1a6904157b1de6b9460442

SHA256
3d2fb83d6c1c370814cb51733cdfc3be2fb63c86b2b14ab49da1af6199e9e755

SHA512
e8a7b1d5cc9e8356032ed70f9ceb01d8278c389dc7648f822e24f38db523bfcfe264e10b00b01d98cbcbdb3c192ec2b141082bd1baeb43f1a1fe20030789898e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fO0ME68.exe

Filesize
658KB

MD5
380bc597cad1a6e811fa7b27457fc99e

SHA1
5f5652b8a8ec2d1e2b1a6904157b1de6b9460442

SHA256
3d2fb83d6c1c370814cb51733cdfc3be2fb63c86b2b14ab49da1af6199e9e755

SHA512
e8a7b1d5cc9e8356032ed70f9ceb01d8278c389dc7648f822e24f38db523bfcfe264e10b00b01d98cbcbdb3c192ec2b141082bd1baeb43f1a1fe20030789898e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1fA48sP5.exe

Filesize
895KB

MD5
e248c54d4acc2b18bb6bab393281d7e7

SHA1
76e55393c82952d784fa1d02c2ac4d7faf23c171

SHA256
fd5baef2b600f3d8dc17ec01488a1dc7df08f342ddb3aac28d286ca171f81370

SHA512
d7656efa167f6e02b55b9e297d80aff3f5b6c39d6e1ab8c341f90363a119997d54c1ada9fc250481c98356560e8e743d2cd7b4f9642408accef86981f9cb1833

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1fA48sP5.exe

Filesize
895KB

MD5
e248c54d4acc2b18bb6bab393281d7e7

SHA1
76e55393c82952d784fa1d02c2ac4d7faf23c171

SHA256
fd5baef2b600f3d8dc17ec01488a1dc7df08f342ddb3aac28d286ca171f81370

SHA512
d7656efa167f6e02b55b9e297d80aff3f5b6c39d6e1ab8c341f90363a119997d54c1ada9fc250481c98356560e8e743d2cd7b4f9642408accef86981f9cb1833

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads