3a8608d16004e8b8b7f90692cc291c3ee0ffd7bee5b2e72ba67c9a5f6cee8d36

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 01:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

INTERV~1.exe
Size

393KB
MD5

865bfe30edc6e6802536b5a0954a92e7
SHA1

c302402e8c5a4fd65218884cbd653953a2367d27
SHA256

7f5386e1ae6b9ff3b0557ab4c29231e53839e9be3701a5e803ab666ea3eea46a
SHA512

97ed8970864f3d96ea7e19610c41496e354faaebd4e766f21412baad068cf19f09c9a32b00be51e12ed66b09156df8b173524952fcd5b9c095779dadfd91f490
SSDEEP

6144:njbeiPYYzbsQl4zCO5me1CDSf1yDzaLWEZgwn2y1bbcvS5KMiGc+icm:nuSYYzbsQl4zJr1yDzc/gwN1nc65qc

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3048	file.exe

Loads dropped DLL 6 IoCs

pid	Process
880	INTERV~1.exe
880	INTERV~1.exe
3048	file.exe
960	WerFault.exe
960	WerFault.exe
960	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	INTERV~1.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
960	3048	WerFault.exe	28

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 3048	880	INTERV~1.exe	28
PID 880 wrote to memory of 3048	880	INTERV~1.exe	28
PID 880 wrote to memory of 3048	880	INTERV~1.exe	28
PID 880 wrote to memory of 3048	880	INTERV~1.exe	28
PID 880 wrote to memory of 3048	880	INTERV~1.exe	28
PID 880 wrote to memory of 3048	880	INTERV~1.exe	28
PID 880 wrote to memory of 3048	880	INTERV~1.exe	28
PID 3048 wrote to memory of 960	3048	file.exe	29
PID 3048 wrote to memory of 960	3048	file.exe	29
PID 3048 wrote to memory of 960	3048	file.exe	29
PID 3048 wrote to memory of 960	3048	file.exe	29
PID 3048 wrote to memory of 960	3048	file.exe	29
PID 3048 wrote to memory of 960	3048	file.exe	29
PID 3048 wrote to memory of 960	3048	file.exe	29

C:\Users\Admin\AppData\Local\Temp\INTERV~1.exe
"C:\Users\Admin\AppData\Local\Temp\INTERV~1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:880
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\file.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\file.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 264
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\file.exe

Filesize
91KB

MD5
9ea2d09fa6839e0191a465aea0ecace2

SHA1
91991e5f330f567265448698c3cd3b667fa6e606

SHA256
84930ae7e2164cc9b321ea4fca5a447d6445aa92a7d1db51cc866dfd8024f031

SHA512
05dfbd00bb3b26b526c6870c015edbca79a5c8425bc28344aa5afaedd40921c169c4c1c325e0c82d9e80afe905a36dfeba61b833c44914c69d39e7a9b45171b6

Download Submit
memory/3048-13-0x0000000002270000-0x0000000002347000-memory.dmp

Filesize
860KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads