78637f31886ce0e4d896b6d43dde67b502c2ac3ee9260f5c537ecc8041fc1e64

Analysis

max time kernel
94s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 22:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

409f1b3d60c9d46d748a1cd10a323f10.exe
Size

488KB
MD5

409f1b3d60c9d46d748a1cd10a323f10
SHA1

58a35216e4b582689f20fce693214362754650cc
SHA256

78637f31886ce0e4d896b6d43dde67b502c2ac3ee9260f5c537ecc8041fc1e64
SHA512

bee0cac1d26c58d669694db05df0c0591763cbf880175fba678d856f871f685b4e287b968f669ca69df9089ec8de1dc170776f8b4519434a56355337fa9cf84d
SSDEEP

12288:MuWRvWBWp30AtPcjX0jFm5TMHVNALbWD/fF/D:MLZW8EA6oOUmM/Z

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2528	Êý×ÖÇ©~1.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	409f1b3d60c9d46d748a1cd10a323f10.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 2528	4952	409f1b3d60c9d46d748a1cd10a323f10.exe	23
PID 4952 wrote to memory of 2528	4952	409f1b3d60c9d46d748a1cd10a323f10.exe	23
PID 4952 wrote to memory of 2528	4952	409f1b3d60c9d46d748a1cd10a323f10.exe	23

C:\Users\Admin\AppData\Local\Temp\409f1b3d60c9d46d748a1cd10a323f10.exe
"C:\Users\Admin\AppData\Local\Temp\409f1b3d60c9d46d748a1cd10a323f10.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Êý×ÖÇ©~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Êý×ÖÇ©~1.EXE
  2⤵
  - Executes dropped EXE
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Êý×ÖÇ©~1.EXE

Filesize
68KB

MD5
c79d83d268e9faa10c8978edfa68e044

SHA1
e014a2d7e5b35beb51a71b777802a7bdc54fea3c

SHA256
b5fcc44c71913380cdc4930322bb2597752e9821fc78d78f058d66ae8982735a

SHA512
c593da8da12bdf4b55e329f6f2ebad3f3c536c466b04ae86fa6290aacba453d50e425a108f39cd123c87c81d67c004a9ff352a8c4fa429683f199db9449dbeab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Êý×ÖÇ©~1.EXE

Filesize
96KB

MD5
ecc28bf7432255e5fbf2edefa6b1fd92

SHA1
de70df261af8ffd1e5b2f65f3b447c6b5f8aa56e

SHA256
cb78dda7547b1a84cb8de2d9bb3169e93ce9a668b66cf2bb2a5ab2c36d8b9f27

SHA512
1ba819205e3438f17395ee119e45fdec82afed074491d22bba8b4299876320dc878ba9e582f2868831af7208bfcf8cf8b2adad88cfe1e83a697f539490cd26c3

Download Submit
memory/2528-7-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2528-9-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2528-8-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/2528-10-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2528-11-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2528-12-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads