853371e54bfc9a5f2cfc14648ec870d1f80f2a44dd71577f9c6e028ef0143366

Analysis

max time kernel
156s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e0eaae7723b74b3fbc213878f5da4b5.exe
Size

463KB
MD5

5e0eaae7723b74b3fbc213878f5da4b5
SHA1

0493a08c2489e2018a592b77a482de7e53f2c6ea
SHA256

853371e54bfc9a5f2cfc14648ec870d1f80f2a44dd71577f9c6e028ef0143366
SHA512

92d73c0cb832615707d75abd89bbc44493eeff74b24830a151c4c6065b34fab8db946676b4006b044fcd0764d65f2d906ea674234eb71d35c6b02fa0d920fc66
SSDEEP

6144:E1GWAE41OQpfx1hhS77EV8mIQxlbIfQ9c8q/NKZ4kJoPo/bSyB:EYSohhS7Y8mZIfQ/ow/bF

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1308	a.exe
2448	QQ.EXE

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e0eaae7723b74b3fbc213878f5da4b5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QQ2012 = "C:\\WINDOWS\\QQ.exe"	a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QQ = "C:\\WINDOWS\\QQ.exe"	a.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\QQ.exe	a.exe
File created	C:\WINDOWS\QQ.exe	a.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1308	a.exe
1308	a.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 1308	2388	5e0eaae7723b74b3fbc213878f5da4b5.exe	91
PID 2388 wrote to memory of 1308	2388	5e0eaae7723b74b3fbc213878f5da4b5.exe	91
PID 2388 wrote to memory of 1308	2388	5e0eaae7723b74b3fbc213878f5da4b5.exe	91
PID 1308 wrote to memory of 2448	1308	a.exe	94
PID 1308 wrote to memory of 2448	1308	a.exe	94
PID 1308 wrote to memory of 2448	1308	a.exe	94
PID 1308 wrote to memory of 3596	1308	a.exe	95
PID 1308 wrote to memory of 3596	1308	a.exe	95
PID 1308 wrote to memory of 3596	1308	a.exe	95

C:\Users\Admin\AppData\Local\Temp\5e0eaae7723b74b3fbc213878f5da4b5.exe
"C:\Users\Admin\AppData\Local\Temp\5e0eaae7723b74b3fbc213878f5da4b5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\WINDOWS\QQ.EXE
    C:\WINDOWS\QQ.EXE
    3⤵
    - Executes dropped EXE
    PID:2448
- - C:\Windows\SysWOW64\netsh.exe
    netsh interface ip set address "±¾µØÁ¬½Ó" static
    3⤵
    PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a.exe

Filesize
860KB

MD5
b94b696860dc9b58050a85ceca77d42e

SHA1
812d1ef4a9910b655d37f6bb094a22585727e500

SHA256
7e91b1cb9b8125e0272b4711436a9270eebf7d562a0691963d8d52942db38e47

SHA512
92f9264d95491b1b493e733159e102197ab857e6090b87f8867c9f26e28106ee4646598f681bd154052fb08f07937711ac0a360afcd1193c471121e8215b895e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a.exe

Filesize
985KB

MD5
2bcd11e69b0e8beecc09cf2b526b6306

SHA1
00ada1cf104fc3f641c0f512d5f07411f704cfd2

SHA256
ab9042eea5656a7095afa92e90790b818d3a7d74e4dca92f64f2c741a3a08ae4

SHA512
72e451f97663ea3a596e4797f8d6d89e9f5d5206cc0d03801a8468072962195179086abf285f60ae6bdfe22bea77111a2c62d50ee96145d6425f16482776d045

Download Submit
C:\WINDOWS\QQ.EXE

Filesize
768KB

MD5
cae8c714021d67d6e1c1cdddd788589b

SHA1
2ead82ee609fb92bd4797481a84ab517ee2be514

SHA256
e7a1d885020d7d21cb71f63c0a889e0c76bed8b2a72c90d10ce3538bd1d971f4

SHA512
5ec0614eacc6272de0be50191834607af339d262c95ba3500dcb1d8a5acb76f3c7eb9f62a05927a5a2d8d5d813bed988856f3544075d9220372f5063b239ba0a

Download Submit
C:\Windows\QQ.exe

Filesize
128KB

MD5
62829045300299c3498759e698f57bfc

SHA1
9e98d67bb3db2c143de126b850b6d9004eed227d

SHA256
b1f41b6526a81695367adfe12565643678b3f1f4f4822e09899b3f52d968056e

SHA512
1afbe70357ca853424b069e3b67f4075e146dd43ecf22d70928d013a330030ed389e9d892a4ca04cd44c6e459a0b827b71969c2f06f822ba7c7fc1a177120b3b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads