72150744ee85074592c99946fd4577baee1795e74f5e1cc4afd03d9a9dd50ad8

Analysis

max time kernel
195s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05a132213c55150bd7eb19b12a9ec615.exe
Size

1.0MB
MD5

05a132213c55150bd7eb19b12a9ec615
SHA1

77afc013c1d70ab190cb82bf473e00f9e6ea3bbe
SHA256

72150744ee85074592c99946fd4577baee1795e74f5e1cc4afd03d9a9dd50ad8
SHA512

b36a7833a0124df7b1601c834247a2a94e8f91916b4a452f3c67e07431d08b4b9398a7cce6dd96908dd707c0c29df5211b5b3391b1da60e1a14cb500a209c162
SSDEEP

24576:j41+PU/2ueS8I+IGGyrOjPzLZ+9O1kWQmXKVTzLH:k+PU/2uNn+IGVcHRavmaVH

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
564	1.exe
2624	temp.exe

Loads dropped DLL 7 IoCs

pid	Process
2848	05a132213c55150bd7eb19b12a9ec615.exe
2848	05a132213c55150bd7eb19b12a9ec615.exe
564	1.exe
564	1.exe
2880	WerFault.exe
2880	WerFault.exe
2880	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	05a132213c55150bd7eb19b12a9ec615.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2880	2624	WerFault.exe	30

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 564	2848	05a132213c55150bd7eb19b12a9ec615.exe	29
PID 2848 wrote to memory of 564	2848	05a132213c55150bd7eb19b12a9ec615.exe	29
PID 2848 wrote to memory of 564	2848	05a132213c55150bd7eb19b12a9ec615.exe	29
PID 2848 wrote to memory of 564	2848	05a132213c55150bd7eb19b12a9ec615.exe	29
PID 564 wrote to memory of 2624	564	1.exe	30
PID 564 wrote to memory of 2624	564	1.exe	30
PID 564 wrote to memory of 2624	564	1.exe	30
PID 564 wrote to memory of 2624	564	1.exe	30
PID 2624 wrote to memory of 2880	2624	temp.exe	31
PID 2624 wrote to memory of 2880	2624	temp.exe	31
PID 2624 wrote to memory of 2880	2624	temp.exe	31
PID 2624 wrote to memory of 2880	2624	temp.exe	31

C:\Users\Admin\AppData\Local\Temp\05a132213c55150bd7eb19b12a9ec615.exe
"C:\Users\Admin\AppData\Local\Temp\05a132213c55150bd7eb19b12a9ec615.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:564
- - C:\Users\Admin\AppData\Local\Temp\temp.exe
    "C:\Users\Admin\AppData\Local\Temp\temp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 88
      4⤵
      Loads dropped DLL
      Program crash
      PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
852KB

MD5
1b97159551ad8e0795b6eae7301f8733

SHA1
2fc548d649d5bc714fa28c2752953a67ecfc6ae8

SHA256
eb07a17457e6f84510d9b14dc52d618c9c182c948605b9fdb5a0012959964ab9

SHA512
9a80ed86fea0a0894ea833c3aaa4d3fff39fd8ca08c2df50d6545a14606214914faf276692967b346aad5fca2d3cdffd9752bc98a5f3a687bc7a77d80f2ce8f8

Download Submit
\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
472KB

MD5
ee751647963195330d7216a3be8d7854

SHA1
32b456d92393db4d095ff7d6ec063bb4d93dbf08

SHA256
d7899b0ef7cff691ec9f14adddab808ad6f52fbbd9548656abf7f6d38bbc9c6a

SHA512
0bac2e3c7e157a4ce03bb147273654819c669e8c17648285237ee8ee4a24a0393c999a2c035bfd3189850ec05022867e9fbbd0c7dcba19bf670f8eb274a43838

Download Submit
memory/564-55-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/564-44-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2624-61-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/2848-20-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2848-24-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/2848-7-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2848-19-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/2848-18-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/2848-17-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/2848-16-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2848-15-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2848-14-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/2848-13-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2848-12-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/2848-11-0x0000000003180000-0x0000000003183000-memory.dmp

Filesize
12KB

Download
memory/2848-10-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2848-9-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2848-8-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2848-0-0x0000000001000000-0x0000000001113000-memory.dmp

Filesize
1.1MB

Download
memory/2848-21-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/2848-22-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/2848-23-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/2848-6-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2848-25-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/2848-26-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/2848-27-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2848-30-0x00000000032F0000-0x00000000032F1000-memory.dmp

Filesize
4KB

Download
memory/2848-31-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2848-33-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/2848-32-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2848-34-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/2848-35-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/2848-36-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2848-5-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2848-4-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2848-3-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2848-2-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2848-57-0x00000000001C0000-0x0000000000214000-memory.dmp

Filesize
336KB

Download
memory/2848-56-0x0000000001000000-0x0000000001113000-memory.dmp

Filesize
1.1MB

Download
memory/2848-1-0x00000000001C0000-0x0000000000214000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads