97e94197a2f16242cacf7672b13a9dd214bc201ffe0eb948e415672e52e09be7

Analysis

max time kernel
139s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
14/11/2023, 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97e94197a2f16242cacf7672b13a9dd214bc201ffe0eb948e415672e52e09be7.exe
Size

1.2MB
MD5

ea6a3c7fa5fc68f75058b37e115fd7e4
SHA1

57d977cc2857ed6613eeaaf434342bd5ed1c7076
SHA256

97e94197a2f16242cacf7672b13a9dd214bc201ffe0eb948e415672e52e09be7
SHA512

7bfc33255dd40fa693a443ca4d87fcd620f32abd48fc718cb68df6eb4e71987ed4dfa3b9e79bc51279f8ec7ed3c5767cb94d46df39f01e847734c11f3d286417
SSDEEP

24576:eyaDqxQSl4d+G/zh2NecUqRGkDVwTV10ufI06kPZeeZmL3i5no:taDqxQUG7jYDGB1bDhw3i

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2240	Rt2oi31.exe
1844	11uS8146.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	97e94197a2f16242cacf7672b13a9dd214bc201ffe0eb948e415672e52e09be7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Rt2oi31.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3084 wrote to memory of 2240	3084	97e94197a2f16242cacf7672b13a9dd214bc201ffe0eb948e415672e52e09be7.exe	84
PID 3084 wrote to memory of 2240	3084	97e94197a2f16242cacf7672b13a9dd214bc201ffe0eb948e415672e52e09be7.exe	84
PID 3084 wrote to memory of 2240	3084	97e94197a2f16242cacf7672b13a9dd214bc201ffe0eb948e415672e52e09be7.exe	84
PID 2240 wrote to memory of 1844	2240	Rt2oi31.exe	86
PID 2240 wrote to memory of 1844	2240	Rt2oi31.exe	86
PID 2240 wrote to memory of 1844	2240	Rt2oi31.exe	86

C:\Users\Admin\AppData\Local\Temp\97e94197a2f16242cacf7672b13a9dd214bc201ffe0eb948e415672e52e09be7.exe
"C:\Users\Admin\AppData\Local\Temp\97e94197a2f16242cacf7672b13a9dd214bc201ffe0eb948e415672e52e09be7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rt2oi31.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rt2oi31.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11uS8146.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11uS8146.exe
    3⤵
    - Executes dropped EXE
    PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rt2oi31.exe

Filesize
803KB

MD5
cb314231a6f8291632c994da579d54e6

SHA1
065efe7e3c3205c3e500518b415a6edb848f78d4

SHA256
b8b019c4560d8e6a701b585fd597a70edafa6d86ff6c0491f67be8d7f86a44ca

SHA512
97b2c21c3cbb7545ee97504ccc6af4fea47936a91b909f8ff9a4d2f49088bfeca9ff229ebe87d213eb6239d16eea9fb2af0f3cfc0672cfd4fe86a07f39ddc1dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rt2oi31.exe

Filesize
803KB

MD5
cb314231a6f8291632c994da579d54e6

SHA1
065efe7e3c3205c3e500518b415a6edb848f78d4

SHA256
b8b019c4560d8e6a701b585fd597a70edafa6d86ff6c0491f67be8d7f86a44ca

SHA512
97b2c21c3cbb7545ee97504ccc6af4fea47936a91b909f8ff9a4d2f49088bfeca9ff229ebe87d213eb6239d16eea9fb2af0f3cfc0672cfd4fe86a07f39ddc1dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11uS8146.exe

Filesize
414KB

MD5
f6587dd2891febb900f604f73ba27371

SHA1
2c87a6422c05103749be31a23ed1383bef152203

SHA256
e411777d6ba76c44fe55cbbbac7ab005502f3d920833a69cf6c05290c2f762e9

SHA512
5df3d258e40da2d7a3799e529d667e5a6d9fc698b70c5dc0c35fc563d33e6fe4f7ce79357d45470288372dfd880e537c87c272c5a22d42d89dd04de521c0855a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11uS8146.exe

Filesize
414KB

MD5
f6587dd2891febb900f604f73ba27371

SHA1
2c87a6422c05103749be31a23ed1383bef152203

SHA256
e411777d6ba76c44fe55cbbbac7ab005502f3d920833a69cf6c05290c2f762e9

SHA512
5df3d258e40da2d7a3799e529d667e5a6d9fc698b70c5dc0c35fc563d33e6fe4f7ce79357d45470288372dfd880e537c87c272c5a22d42d89dd04de521c0855a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads