3d6533fc7e36445d6d153810fefcca4edf3cb19f215c587ce5981c2451b17b6b

Analysis

max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 19:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0e61d7c0e3623227bc01746a8ef1aa49.exe
Size

1.1MB
MD5

0e61d7c0e3623227bc01746a8ef1aa49
SHA1

3a7f4ade88c90cc6337f4328203bcbf312982d8f
SHA256

3d6533fc7e36445d6d153810fefcca4edf3cb19f215c587ce5981c2451b17b6b
SHA512

41728797dd21387754c133e8b7b92e5be631c2227dd68db895751987e584627d30c786539eb9c813c635e46c916fb9ee7b59c2bdb87d087a2092fdc0abb25a52
SSDEEP

24576:fgTx3/uEeDZcCH4+9a8depEUQpK3uEKjkw3CC6UtpAgzLIuo1h5jK:22EyZcCH9a8wpEJ8aChZiLeVj

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2428	CLEANM~1.EXE
1504	CLEANM~1.EXE
2572	autorun.exe

Loads dropped DLL 8 IoCs

pid	Process
3016	0e61d7c0e3623227bc01746a8ef1aa49.exe
3016	0e61d7c0e3623227bc01746a8ef1aa49.exe
2428	CLEANM~1.EXE
2428	CLEANM~1.EXE
3016	0e61d7c0e3623227bc01746a8ef1aa49.exe
3016	0e61d7c0e3623227bc01746a8ef1aa49.exe
1504	CLEANM~1.EXE
2572	autorun.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2572-40-0x0000000000400000-0x00000000006F3000-memory.dmp	upx
behavioral1/files/0x000a00000001342b-38.dat	upx
behavioral1/files/0x000a00000001342b-37.dat	upx
behavioral1/files/0x000a00000001342b-36.dat	upx
behavioral1/memory/3016-35-0x0000000003130000-0x0000000003423000-memory.dmp	upx
behavioral1/files/0x000a00000001342b-31.dat	upx
behavioral1/files/0x000a00000001342b-29.dat	upx
behavioral1/files/0x000a00000001342b-26.dat	upx
behavioral1/memory/2572-58-0x0000000000400000-0x00000000006F3000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0e61d7c0e3623227bc01746a8ef1aa49.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2428 set thread context of 1504	2428	CLEANM~1.EXE	21

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1504	CLEANM~1.EXE
1504	CLEANM~1.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2428	3016	0e61d7c0e3623227bc01746a8ef1aa49.exe	17
PID 3016 wrote to memory of 2428	3016	0e61d7c0e3623227bc01746a8ef1aa49.exe	17
PID 3016 wrote to memory of 2428	3016	0e61d7c0e3623227bc01746a8ef1aa49.exe	17
PID 3016 wrote to memory of 2428	3016	0e61d7c0e3623227bc01746a8ef1aa49.exe	17
PID 3016 wrote to memory of 2428	3016	0e61d7c0e3623227bc01746a8ef1aa49.exe	17
PID 3016 wrote to memory of 2428	3016	0e61d7c0e3623227bc01746a8ef1aa49.exe	17
PID 3016 wrote to memory of 2428	3016	0e61d7c0e3623227bc01746a8ef1aa49.exe	17
PID 2428 wrote to memory of 1504	2428	CLEANM~1.EXE	21
PID 2428 wrote to memory of 1504	2428	CLEANM~1.EXE	21
PID 2428 wrote to memory of 1504	2428	CLEANM~1.EXE	21
PID 2428 wrote to memory of 1504	2428	CLEANM~1.EXE	21
PID 2428 wrote to memory of 1504	2428	CLEANM~1.EXE	21
PID 2428 wrote to memory of 1504	2428	CLEANM~1.EXE	21
PID 2428 wrote to memory of 1504	2428	CLEANM~1.EXE	21
PID 2428 wrote to memory of 1504	2428	CLEANM~1.EXE	21
PID 2428 wrote to memory of 1504	2428	CLEANM~1.EXE	21
PID 2428 wrote to memory of 1504	2428	CLEANM~1.EXE	21
PID 2428 wrote to memory of 1504	2428	CLEANM~1.EXE	21
PID 3016 wrote to memory of 2572	3016	0e61d7c0e3623227bc01746a8ef1aa49.exe	20
PID 3016 wrote to memory of 2572	3016	0e61d7c0e3623227bc01746a8ef1aa49.exe	20
PID 3016 wrote to memory of 2572	3016	0e61d7c0e3623227bc01746a8ef1aa49.exe	20
PID 3016 wrote to memory of 2572	3016	0e61d7c0e3623227bc01746a8ef1aa49.exe	20
PID 3016 wrote to memory of 2572	3016	0e61d7c0e3623227bc01746a8ef1aa49.exe	20
PID 3016 wrote to memory of 2572	3016	0e61d7c0e3623227bc01746a8ef1aa49.exe	20
PID 3016 wrote to memory of 2572	3016	0e61d7c0e3623227bc01746a8ef1aa49.exe	20
PID 1504 wrote to memory of 1204	1504	CLEANM~1.EXE	18
PID 1504 wrote to memory of 1204	1504	CLEANM~1.EXE	18
PID 1504 wrote to memory of 1204	1504	CLEANM~1.EXE	18
PID 1504 wrote to memory of 1204	1504	CLEANM~1.EXE	18

C:\Users\Admin\AppData\Local\Temp\0e61d7c0e3623227bc01746a8ef1aa49.exe
"C:\Users\Admin\AppData\Local\Temp\0e61d7c0e3623227bc01746a8ef1aa49.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CLEANM~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CLEANM~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CLEANM~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CLEANM~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1504
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\autorun.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\autorun.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2572

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CLEANM~1.EXE

Filesize
1KB

MD5
a26ea4a41f95d1ec4bcc9a9bec6d62d4

SHA1
8a5a486b61166daafbc5ecab945fa36e7315d545

SHA256
8c94c1d353c8bec4a78ea5110d26c19d5e1b9c50e05c8f24acb09435baad66b3

SHA512
a7c44aa6e2c3380c7b1c0d6ef2da88f1b7906294d34d4a77b5fab00e465f2015aeefa529cab49ee0129834fff7b1db838090411aa13cb0d28fc8eb45ee1ffe21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CLEANM~1.EXE

Filesize
6KB

MD5
b4eefda37690d6acf9ce1617daf63b3e

SHA1
18a55154960c63ec9647b93557e5e1501e206cec

SHA256
65eaee2691d761443ca2b867a07896aae316935e697e3903baeac7aa4dec6308

SHA512
5986c345b1915aa44da4d504fe89e5ee04c05bb3bf6426b2271eafc17acfff0cb04399e0c3418b9f0e9d83dd48a55a1cb153c4ab879c42711a3392187d72299f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CLEANM~1.EXE

Filesize
24KB

MD5
ca521e03573b03f884030b08bf0cf577

SHA1
9b122608d390c2121997b38e23bc6103ec3360cc

SHA256
a14fa688660ee6ba2d892d2feb8da8cc9d91838cb3061d235638556d7ac7f454

SHA512
0ae352d2068fb758f7e560d5cab027bda7c9fd29c8750bf00cafa5660c7f5d1fad3e56afa72dde8992a671e436910506ce837225f9d5c561b3d28ef05801ffe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CLEANM~1.EXE

Filesize
19KB

MD5
cf9e4e988992f5f5ff27229efe99b63c

SHA1
f0830392039d740440e1d8348b0f0a747cfd9bba

SHA256
22c53fcfb0bbeb72b5b068fb4f947b9060cecf37a70ee1e49612578c8a3741c0

SHA512
221c5f1df1ccd32d2b75073690a541f02f849b0925601ce1e0b461600de9feb43a634a337c1a53f3d6be115c8b31a3690b1840ad2011d9f45d77d0bc0a1fb3e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\autorun.exe

Filesize
27KB

MD5
4e4357add6093c2ced9ebc22a9ab11f5

SHA1
5893c1005613b8089c304d8455380285fea97f64

SHA256
b2f19e3007a7e64f320813f853f11188a998d7d5b6b192924694747930800bd5

SHA512
3f7569e93812a07e58fc8b8b6c3ddb7b62bcd740c6eed620345c0fa44c1e7be60ed055c809626cf4a23841bf072a822df33dca7be9ea04d2578c4ab6655d7ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\autorun.exe

Filesize
15KB

MD5
48631a4aa19e3730b1751727ddc0cb8b

SHA1
20e4ead247b3a94bd88c896bc65fb3f5acdd8869

SHA256
f5a58404c80d1f378de7011038ea455b909289e28fda207651d1c4fea9747bd9

SHA512
4390198b7f919119577796630c2854fb76ecc74efd47b712379144720b17dd5b7e039527d65ea74ffda414777314e5e5eb399f5196733a44c4f24747e08c4a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\autorun.exe

Filesize
32KB

MD5
534d678d646b583f96350a9b831080e5

SHA1
44a37b96475ccf5921ee60fd1bbb4f420eb5a56b

SHA256
81356bff23679a3407f6626bcf5df45cd10b5e8945a1a2cfe6db5d4cb4202d20

SHA512
5d3e84090eb71604d76168eabff0147acb33219d77c40144b685d33140fea3043c8053b20cdac00585442a7a8a9f7e0ddcc03c7ea80ea6acfbab568d118133cb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CLEANM~1.EXE

Filesize
39KB

MD5
dfbab5e26bc3dc6eba845c7a7c2cc4d7

SHA1
6f7a033b826842e00f17a9b926e88e4e4fb0bc96

SHA256
f0eebd45b50d127d6c6c9ab96477f147394233cd23e16b585bee2a97d4d780a5

SHA512
4a7c465827b6c83d6ad4e4eca08280d0a76ea271b8d62cc57cd3cea8938c2747f68abd8b63a728cac01efa21f1136014689641fa2618d30fe7e5572645f52c39

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CLEANM~1.EXE

Filesize
25KB

MD5
26bb2e215b048acc2e732a26a1790854

SHA1
1a04ecbffa69fa71be66038566137d8cc7c6a2bb

SHA256
17dd8f72e6de3c1dc47b2f7e58e73b155e49ccd8b755ab037573bd6b2fdf606e

SHA512
370dd6af262160a99f60436f5c7f011b6807bec0f9c059a4ebe7e175f25d7ed85376174d425f023c3a476ec643880556fe817c4c14dfcd9cfc3ca7aa3f0d2ff1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CLEANM~1.EXE

Filesize
20KB

MD5
b75c4b199b444635d8cc0889f582a440

SHA1
0570fe1a3457fb0c93e6921375f4797e4c6d6ed0

SHA256
f5a95d9c6a2fbb9a1f56a8cecd4a841397ecb4c8187f9fea75e6101361257f5d

SHA512
a3cf15e459e5e4db90d0752f9071fa4c3387e054b84260a3b651186f36b7a1e193c8a9e4a3bff9c7380601a0c5ae537c760da70ead22b40c59f873394be8b524

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CLEANM~1.EXE

Filesize
23KB

MD5
6571ea3b3706ffe5165e0ad487f34fae

SHA1
3d34e82055d6a1aa0aeb48e70d31748f41e06209

SHA256
45eb9f35f443f53ab8d7e35f3a5d7306020ca6ebfca909cebf38467e7e8711fa

SHA512
4c456ec5571022dda1413f8e2077ec867c0c478ea1cbd854967300a2b18cfcb6cf3c8939391dd410e866ca7e1d31073359dd6bb0c289fb3de43a2f75b30e5506

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CLEANM~1.EXE

Filesize
33KB

MD5
71dc8e36b3c76a6a3ac0a88e8c0f88d6

SHA1
0d3d9b5532004b9afad48174f7cdf7f0657fad8c

SHA256
f1341ba0a78d05bc1348302104b60d76f3765906eb1ef264a8d2ee89fc6725d8

SHA512
668d829980d46abd316ce1105464149ca44adc021ff9083b68bd586572147254bf16e1c177935f28eec98d3a793021a71c9cd3075ba9f19d57460f09b62b15a2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\autorun.exe

Filesize
64KB

MD5
75e9dad483c2a5c3efed674bbc6048f0

SHA1
b86d9c5dcc769cbedaf28686a4ff3a27e32085ff

SHA256
aa91856e312085e991bee257506b23a2399959022e3aa33e4a75fed21b91deac

SHA512
eec0c6ddd00fbdb2bcd778b99602ab3d1a3f44f58ddca45f5e0f2258de8bf519214a129bb48de25543e037d9b987b019f977fe91580025519f1d624e7d62478b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\autorun.exe

Filesize
17KB

MD5
9f0173665f1362af544ac90fd79db5ec

SHA1
9173e95263cf657171698d0829dfb9c35e99deee

SHA256
b9898de56728b8fe9fe6671c8f07179c02a723337d9ed5aec07e926ea389e11b

SHA512
500de82784e9a7ae1259edcf8b5495af0cdc9372d9e3339a1c21d3d5d4eb2875160897b6bc41a27931164205db6f456feb081dca4c8685a0e37d4045999e9b1c

Download Submit
memory/1204-47-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1204-43-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1504-16-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1504-57-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/1504-39-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1504-25-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/1504-22-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1504-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1504-18-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1504-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1504-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1504-28-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1504-46-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2572-40-0x0000000000400000-0x00000000006F3000-memory.dmp

Filesize
2.9MB

Download
memory/2572-41-0x0000000000E10000-0x0000000001103000-memory.dmp

Filesize
2.9MB

Download
memory/2572-58-0x0000000000400000-0x00000000006F3000-memory.dmp

Filesize
2.9MB

Download
memory/2572-61-0x0000000000E10000-0x0000000001103000-memory.dmp

Filesize
2.9MB

Download
memory/3016-35-0x0000000003130000-0x0000000003423000-memory.dmp

Filesize
2.9MB

Download
memory/3016-42-0x0000000003130000-0x0000000003423000-memory.dmp

Filesize
2.9MB

Download
memory/3016-59-0x0000000003130000-0x0000000003423000-memory.dmp

Filesize
2.9MB

Download