3bde394377080777cdd16c71be77553e6d6176206e27764946e7e3b044ee3922

Analysis

max time kernel
151s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e79b0ab19c7ae247c81442514e97a0f.exe
Size

954KB
MD5

1e79b0ab19c7ae247c81442514e97a0f
SHA1

122d26bfa06a916263cbc977c1ce0f3a976559fa
SHA256

3bde394377080777cdd16c71be77553e6d6176206e27764946e7e3b044ee3922
SHA512

c0d75009d024330618a61cca3df887e5582cb44f97e67ca7f88ebfdd4bcdbf31b34ecc64710ba77977b3b2caa528225c069ae27c49fc9126bdb699eead62c504
SSDEEP

24576:5SUjkO2uc7q3EMVUQAYKIzRKLKt1EwgQmXpiv1D:5nYOUinUQAYTQLia2m5GD

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2708	5.exe
2284	EntMian.exe
1264	5.exe

Loads dropped DLL 4 IoCs

pid	Process
1212	1e79b0ab19c7ae247c81442514e97a0f.exe
1212	1e79b0ab19c7ae247c81442514e97a0f.exe
1212	1e79b0ab19c7ae247c81442514e97a0f.exe
1212	1e79b0ab19c7ae247c81442514e97a0f.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1e79b0ab19c7ae247c81442514e97a0f.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\EntMian.exe	5.exe
File opened for modification	C:\Windows\EntMian.exe	5.exe
File created	C:\Windows\uninstal.bat	5.exe
File opened for modification	C:\Windows\EntMian.exe	5.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	5.exe
Token: SeDebugPrivilege	2284	EntMian.exe
Token: SeDebugPrivilege	1264	5.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2284	EntMian.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 2708	1212	1e79b0ab19c7ae247c81442514e97a0f.exe	28
PID 1212 wrote to memory of 2708	1212	1e79b0ab19c7ae247c81442514e97a0f.exe	28
PID 1212 wrote to memory of 2708	1212	1e79b0ab19c7ae247c81442514e97a0f.exe	28
PID 1212 wrote to memory of 2708	1212	1e79b0ab19c7ae247c81442514e97a0f.exe	28
PID 2284 wrote to memory of 2920	2284	EntMian.exe	30
PID 2284 wrote to memory of 2920	2284	EntMian.exe	30
PID 2284 wrote to memory of 2920	2284	EntMian.exe	30
PID 2284 wrote to memory of 2920	2284	EntMian.exe	30
PID 2708 wrote to memory of 2964	2708	5.exe	32
PID 2708 wrote to memory of 2964	2708	5.exe	32
PID 2708 wrote to memory of 2964	2708	5.exe	32
PID 2708 wrote to memory of 2964	2708	5.exe	32
PID 2708 wrote to memory of 2964	2708	5.exe	32
PID 2708 wrote to memory of 2964	2708	5.exe	32
PID 2708 wrote to memory of 2964	2708	5.exe	32
PID 1212 wrote to memory of 1264	1212	1e79b0ab19c7ae247c81442514e97a0f.exe	34
PID 1212 wrote to memory of 1264	1212	1e79b0ab19c7ae247c81442514e97a0f.exe	34
PID 1212 wrote to memory of 1264	1212	1e79b0ab19c7ae247c81442514e97a0f.exe	34
PID 1212 wrote to memory of 1264	1212	1e79b0ab19c7ae247c81442514e97a0f.exe	34

C:\Users\Admin\AppData\Local\Temp\1e79b0ab19c7ae247c81442514e97a0f.exe
"C:\Users\Admin\AppData\Local\Temp\1e79b0ab19c7ae247c81442514e97a0f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\uninstal.bat
    3⤵
    PID:2964
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1264

C:\Windows\EntMian.exe
C:\Windows\EntMian.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\uninstal.bat

Filesize
150B

MD5
72f9d376b476a7a6936991161cfeb888

SHA1
ea53941d2d65213eed7aac7f29f897ecdb34344f

SHA256
061cf610c4430e21066e13c91c49e6885cdcb24501095f1f8839e82d3a1d6a02

SHA512
543f9178e376d60544d75981c259bbb4ab603411febb991507c25ddb904bf6e934d05173de5632823d53aaee13ee6f8a623179b26d8a6d134104d47e9dbaeaf5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe

Filesize
572KB

MD5
337b40e7c99f0fdff04e1a770f270a66

SHA1
dc4b3c50b050cbe04461546c9449a7ac371b7f8b

SHA256
3aa7caa059ed61cfd3faac68f3209c07fc4d6c65fef3f79151dc82d655571c7e

SHA512
750dc6db49b16e35be7a56c8a7aed77a0de7e783f1a3a2462ad75b2a34da9b96dd1799b646fc47c94765cea265ce243c09c369b8a2340095109de875439c766c

Download Submit
memory/1212-59-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/1212-1-0x0000000000380000-0x00000000003D4000-memory.dmp

Filesize
336KB

Download
memory/1212-11-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/1212-25-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/1212-30-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/1212-3-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1212-40-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/1212-41-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/1212-32-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/1212-90-0x0000000001000000-0x0000000001191000-memory.dmp

Filesize
1.6MB

Download
memory/1212-0-0x0000000001000000-0x0000000001191000-memory.dmp

Filesize
1.6MB

Download
memory/1212-62-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/1212-61-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/1212-60-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/1212-16-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/1212-58-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/1212-57-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/1212-56-0x0000000000380000-0x00000000003D4000-memory.dmp

Filesize
336KB

Download
memory/1212-31-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/1212-29-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/1212-28-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/1212-24-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/1212-23-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/1212-22-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1212-21-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/1212-20-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/1212-19-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/1212-18-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/1212-17-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/1212-15-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/1212-2-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1212-12-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/1212-4-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/1212-14-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/1212-10-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/1212-9-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/1212-8-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1212-7-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/1212-6-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1212-5-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1212-13-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/1212-54-0x0000000001000000-0x0000000001191000-memory.dmp

Filesize
1.6MB

Download
memory/1264-83-0x0000000000560000-0x00000000005AB000-memory.dmp

Filesize
300KB

Download
memory/1264-89-0x0000000000560000-0x00000000005AB000-memory.dmp

Filesize
300KB

Download
memory/1264-88-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/1264-84-0x0000000002910000-0x00000000029B2000-memory.dmp

Filesize
648KB

Download
memory/1264-85-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/2284-93-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/2284-92-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/2284-91-0x0000000001DB0000-0x0000000001DFB000-memory.dmp

Filesize
300KB

Download
memory/2284-70-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/2284-69-0x0000000001DB0000-0x0000000001DFB000-memory.dmp

Filesize
300KB

Download
memory/2708-45-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/2708-46-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/2708-48-0x0000000000560000-0x00000000005AB000-memory.dmp

Filesize
300KB

Download
memory/2708-47-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/2708-55-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/2708-65-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/2708-67-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/2708-49-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/2708-44-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/2708-43-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/2708-42-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/2708-50-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads