3fd39c5f8b99577694caba921ae417c76df96a89cb5185fa1ef0e68e1d838fca

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02bb0dba66cb1b35f20a101b88494b50.exe
Size

939KB
MD5

02bb0dba66cb1b35f20a101b88494b50
SHA1

c7c33ab47028787d588e28baaa33d9ffe36be4b2
SHA256

3fd39c5f8b99577694caba921ae417c76df96a89cb5185fa1ef0e68e1d838fca
SHA512

12cda96b8f2a21d0285d895c93b3147f16fb70badf8bdde66f160c92e8821a45d5060ce010dce4e59dffdec410080cd2502c2308612df9bb0b443c288f249b09
SSDEEP

12288:TLoBw+bbjB1D6U+s802ziOQK/d+QXkkza6GOL9BkxcQiOOQu7aEcCLwQ+a62E33:UvD5+GE/kscc3ku1hQuECQ2E

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2036	Stub.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	02bb0dba66cb1b35f20a101b88494b50.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2036	2672	02bb0dba66cb1b35f20a101b88494b50.exe	19
PID 2672 wrote to memory of 2036	2672	02bb0dba66cb1b35f20a101b88494b50.exe	19
PID 2672 wrote to memory of 2036	2672	02bb0dba66cb1b35f20a101b88494b50.exe	19

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Stub.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Stub.exe
1⤵
- Executes dropped EXE
PID:2036

C:\Users\Admin\AppData\Local\Temp\02bb0dba66cb1b35f20a101b88494b50.exe
"C:\Users\Admin\AppData\Local\Temp\02bb0dba66cb1b35f20a101b88494b50.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Stub.exe

Filesize
96KB

MD5
40dedf759599c803b1499cf218482dd7

SHA1
617642f846a2020776e1b936b55a8cf86df41c30

SHA256
067c67842c718c7b2f647a7bbd43296fd2f9745ce7df2f1e8c9a012d66c74628

SHA512
a1d461032b81cd9e92ece9ed9be25444dd25b694bdb537c14c0dbd60bbabe534f5dabb836653406a7f8fae1c85321bf81650c69b08edaf52eb197d05c9d62b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Stub.exe

Filesize
93KB

MD5
e6a70c437bc2e596110eff8039b5b774

SHA1
6a4e454b3e26f8e1cd04a68e3cd16d64e665b28b

SHA256
2c306a97a6756d25e19ad6ba59c7f38307719fc8bedfaf2b7f6d59d8349cae69

SHA512
5ae2205edd0e8d92963d814740c72b148d43b5e2dace4bf2ee2061e2c4d2c2308b326cbdc686f1ab74c3667ec7c45ef285c646545f8eed68312fa817287ff84c

Download Submit
memory/2036-7-0x0000000073E00000-0x00000000743B1000-memory.dmp

Filesize
5.7MB

Download
memory/2036-9-0x0000000003070000-0x0000000003080000-memory.dmp

Filesize
64KB

Download
memory/2036-8-0x0000000073E00000-0x00000000743B1000-memory.dmp

Filesize
5.7MB

Download
memory/2036-10-0x0000000003070000-0x0000000003080000-memory.dmp

Filesize
64KB

Download
memory/2036-11-0x0000000073E00000-0x00000000743B1000-memory.dmp

Filesize
5.7MB

Download
memory/2036-12-0x0000000003070000-0x0000000003080000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads