3bde394377080777cdd16c71be77553e6d6176206e27764946e7e3b044ee3922

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e79b0ab19c7ae247c81442514e97a0f.exe
Size

954KB
MD5

1e79b0ab19c7ae247c81442514e97a0f
SHA1

122d26bfa06a916263cbc977c1ce0f3a976559fa
SHA256

3bde394377080777cdd16c71be77553e6d6176206e27764946e7e3b044ee3922
SHA512

c0d75009d024330618a61cca3df887e5582cb44f97e67ca7f88ebfdd4bcdbf31b34ecc64710ba77977b3b2caa528225c069ae27c49fc9126bdb699eead62c504
SSDEEP

24576:5SUjkO2uc7q3EMVUQAYKIzRKLKt1EwgQmXpiv1D:5nYOUinUQAYTQLia2m5GD

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4872	5.exe
1304	EntMian.exe
2688	5.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1e79b0ab19c7ae247c81442514e97a0f.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	5.exe
File opened for modification	C:\Windows\EntMian.exe	5.exe
File created	C:\Windows\EntMian.exe	5.exe
File opened for modification	C:\Windows\EntMian.exe	5.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4872	5.exe
Token: SeDebugPrivilege	1304	EntMian.exe
Token: SeDebugPrivilege	2688	5.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1304	EntMian.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 4872	4592	1e79b0ab19c7ae247c81442514e97a0f.exe	88
PID 4592 wrote to memory of 4872	4592	1e79b0ab19c7ae247c81442514e97a0f.exe	88
PID 4592 wrote to memory of 4872	4592	1e79b0ab19c7ae247c81442514e97a0f.exe	88
PID 1304 wrote to memory of 4384	1304	EntMian.exe	93
PID 1304 wrote to memory of 4384	1304	EntMian.exe	93
PID 4872 wrote to memory of 4720	4872	5.exe	95
PID 4872 wrote to memory of 4720	4872	5.exe	95
PID 4872 wrote to memory of 4720	4872	5.exe	95
PID 4592 wrote to memory of 2688	4592	1e79b0ab19c7ae247c81442514e97a0f.exe	97
PID 4592 wrote to memory of 2688	4592	1e79b0ab19c7ae247c81442514e97a0f.exe	97
PID 4592 wrote to memory of 2688	4592	1e79b0ab19c7ae247c81442514e97a0f.exe	97

C:\Users\Admin\AppData\Local\Temp\1e79b0ab19c7ae247c81442514e97a0f.exe
"C:\Users\Admin\AppData\Local\Temp\1e79b0ab19c7ae247c81442514e97a0f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    PID:4720
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2688

C:\Windows\EntMian.exe
C:\Windows\EntMian.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe

Filesize
5KB

MD5
20f2ac192b05c4a71deadbfce4213036

SHA1
b22d11135e1eba140cf2004c0045876dd1dba899

SHA256
f7db4d05f29ffa3106c064d8dc48a1f065a7186b9244e48a0a15f026e77adc58

SHA512
a047d5d011f75b56c750a90a1a282bcbd3abf44361479ae802b8db82bec393b0c3f8fe97fbd5affe0e46a1d17d19fe92133722e1c3798fbb9359b0bf98d57f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe

Filesize
18KB

MD5
fba8952d91aa21a8f539c53a04a0d998

SHA1
739af2e470cf47d9a3184a0c8b040a6be7341cf0

SHA256
1146451fe9a70399f4416debe6e177a9c9749791bfccce28e5ed5b407cb7d55a

SHA512
5aac33d7af6d47d2c88905b6994e8db42fba5583be93ec5ea5e58d8f15ea16edcc43fb10f39f3efed33623390745f4984c58d6e4a42ef13a241485d356bc430d

Download Submit
C:\Windows\EntMian.exe

Filesize
572KB

MD5
337b40e7c99f0fdff04e1a770f270a66

SHA1
dc4b3c50b050cbe04461546c9449a7ac371b7f8b

SHA256
3aa7caa059ed61cfd3faac68f3209c07fc4d6c65fef3f79151dc82d655571c7e

SHA512
750dc6db49b16e35be7a56c8a7aed77a0de7e783f1a3a2462ad75b2a34da9b96dd1799b646fc47c94765cea265ce243c09c369b8a2340095109de875439c766c

Download Submit
C:\Windows\uninstal.bat

Filesize
150B

MD5
72f9d376b476a7a6936991161cfeb888

SHA1
ea53941d2d65213eed7aac7f29f897ecdb34344f

SHA256
061cf610c4430e21066e13c91c49e6885cdcb24501095f1f8839e82d3a1d6a02

SHA512
543f9178e376d60544d75981c259bbb4ab603411febb991507c25ddb904bf6e934d05173de5632823d53aaee13ee6f8a623179b26d8a6d134104d47e9dbaeaf5

Download Submit
memory/1304-66-0x0000000001720000-0x0000000001721000-memory.dmp

Filesize
4KB

Download
memory/1304-67-0x0000000001720000-0x0000000001721000-memory.dmp

Filesize
4KB

Download
memory/1304-68-0x0000000001720000-0x0000000001721000-memory.dmp

Filesize
4KB

Download
memory/1304-69-0x0000000001720000-0x0000000001721000-memory.dmp

Filesize
4KB

Download
memory/1304-70-0x0000000001720000-0x0000000001721000-memory.dmp

Filesize
4KB

Download
memory/1304-71-0x0000000001440000-0x0000000001441000-memory.dmp

Filesize
4KB

Download
memory/1304-65-0x0000000000F70000-0x0000000000FBB000-memory.dmp

Filesize
300KB

Download
memory/2688-98-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/4592-11-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4592-7-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4592-100-0x0000000001000000-0x0000000001191000-memory.dmp

Filesize
1.6MB

Download
memory/4592-1-0x0000000000560000-0x00000000005B4000-memory.dmp

Filesize
336KB

Download
memory/4592-2-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/4592-3-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4592-20-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/4592-28-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4592-36-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4592-40-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4592-39-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4592-38-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4592-4-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/4592-5-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/4592-6-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/4592-8-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/4592-9-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/4592-10-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/4592-37-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4592-35-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4592-34-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4592-33-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4592-32-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4592-31-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4592-27-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4592-26-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4592-25-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/4592-24-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/4592-22-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/4592-23-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/4592-21-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/4592-19-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/4592-18-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4592-17-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/4592-16-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/4592-15-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/4592-14-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/4592-13-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/4592-12-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/4592-0-0x0000000001000000-0x0000000001191000-memory.dmp

Filesize
1.6MB

Download
memory/4872-52-0x0000000002A70000-0x0000000002A8B000-memory.dmp

Filesize
108KB

Download
memory/4872-44-0x00000000022B0000-0x00000000022FB000-memory.dmp

Filesize
300KB

Download
memory/4872-45-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/4872-59-0x0000000002A70000-0x0000000002A8B000-memory.dmp

Filesize
108KB

Download
memory/4872-48-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4872-49-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/4872-50-0x0000000002A70000-0x0000000002A8B000-memory.dmp

Filesize
108KB

Download
memory/4872-51-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/4872-47-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/4872-46-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/4872-55-0x0000000002A70000-0x0000000002A8B000-memory.dmp

Filesize
108KB

Download
memory/4872-54-0x0000000002A70000-0x0000000002A8B000-memory.dmp

Filesize
108KB

Download
memory/4872-56-0x0000000002A70000-0x0000000002A8B000-memory.dmp

Filesize
108KB

Download
memory/4872-57-0x0000000002A70000-0x0000000002A8B000-memory.dmp

Filesize
108KB

Download
memory/4872-74-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/4872-75-0x00000000022B0000-0x00000000022FB000-memory.dmp

Filesize
300KB

Download
memory/4872-58-0x0000000002A70000-0x0000000002A8B000-memory.dmp

Filesize
108KB

Download
memory/4872-60-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/4872-53-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads