9aa3cc7e66043f996ffc6d45c025e1d0af1e5e10a157d7bb91283309d43b2c0e

Analysis

max time kernel
142s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
22/11/2023, 20:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

main.exe
Size

304KB
MD5

44e0181cee22877496bb9dd7de1f9647
SHA1

f7633916f96cb0305259822bf2ebb42cb94eb6b4
SHA256

9aa3cc7e66043f996ffc6d45c025e1d0af1e5e10a157d7bb91283309d43b2c0e
SHA512

a490555f900b1872d4ed1c96f411d31823af6c875226e9e0f310c7e9d4f4a45554b18b1346020bed9686b635eb1b169d6f492602d80b477a41009ef88d08f10a
SSDEEP

6144:beR7eammHp0yN90QEDRk98VPqIy/Odj701JBFYdDu:beRtBiy90U9Iy/O9g2i

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	main.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2792	2256	main.exe	83
PID 2256 wrote to memory of 2792	2256	main.exe	83
PID 2792 wrote to memory of 4556	2792	cmd.exe	85
PID 2792 wrote to memory of 4556	2792	cmd.exe	85
PID 2792 wrote to memory of 4616	2792	cmd.exe	86
PID 2792 wrote to memory of 4616	2792	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "main.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo cmd /c "main.bat" "
    3⤵
    PID:4556
- - C:\Windows\system32\find.exe
    find /i "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\main.bat"
    3⤵
    PID:4616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\main.bat

Filesize
1.1MB

MD5
b4aaa78ccbf54fe3b16781dc5c55ac13

SHA1
8bf7e358f953dcecf03871a29ac2b64df0e904de

SHA256
f9bcda503b4c991922f6535a945373a5f9b38be38355694f4f2c18515a9f3d80

SHA512
6dafe9c223437c1eb61db183333c1a2395dc0621328a1083f512c558ace160aec163691411c8b5e004fbaa345dd9933e14fe50f0172ed70514a23e8832ba5905

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads