9007c66480b01bc7facc0b0c16c7946460443d5ec9d69faf31a975ef6be212b6

Analysis

max time kernel
193s
max time network
207s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c8892b46f2e58ca0ef0789ec0a1ef76.exe
Size

688KB
MD5

0c8892b46f2e58ca0ef0789ec0a1ef76
SHA1

32f4e5c400c29aecd3f8066349a512a6fb6364c7
SHA256

9007c66480b01bc7facc0b0c16c7946460443d5ec9d69faf31a975ef6be212b6
SHA512

b6dfac695fb1eebd4997e0a1320b78ce4d6a017cb22d6b347ea3c407b557a558a5ce961e04beaddb3ff0f4d807482b335ac1f5edfc6e41afe75d8f20fc5bc2e0
SSDEEP

12288:DNUSFUl3DT1KoBfh4boHZXdo3zEYWgF3Z4mxxsDqVTVOCp8:5Lw3Dnf6oHZXe3zEbgQmXLVTzp8

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2064	4.exe
4636	svghost.exe
3888	4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0c8892b46f2e58ca0ef0789ec0a1ef76.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\svghost.exe	4.exe
File opened for modification	C:\Windows\svghost.exe	4.exe
File created	C:\Windows\uninstal.bat	4.exe
File opened for modification	C:\Windows\svghost.exe	4.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2064	4.exe
Token: SeDebugPrivilege	4636	svghost.exe
Token: SeDebugPrivilege	3888	4.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4636	svghost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 2064	4800	0c8892b46f2e58ca0ef0789ec0a1ef76.exe	93
PID 4800 wrote to memory of 2064	4800	0c8892b46f2e58ca0ef0789ec0a1ef76.exe	93
PID 4800 wrote to memory of 2064	4800	0c8892b46f2e58ca0ef0789ec0a1ef76.exe	93
PID 2064 wrote to memory of 1444	2064	4.exe	97
PID 2064 wrote to memory of 1444	2064	4.exe	97
PID 2064 wrote to memory of 1444	2064	4.exe	97
PID 4636 wrote to memory of 5008	4636	svghost.exe	96
PID 4636 wrote to memory of 5008	4636	svghost.exe	96
PID 4800 wrote to memory of 3888	4800	0c8892b46f2e58ca0ef0789ec0a1ef76.exe	98
PID 4800 wrote to memory of 3888	4800	0c8892b46f2e58ca0ef0789ec0a1ef76.exe	98
PID 4800 wrote to memory of 3888	4800	0c8892b46f2e58ca0ef0789ec0a1ef76.exe	98

C:\Users\Admin\AppData\Local\Temp\0c8892b46f2e58ca0ef0789ec0a1ef76.exe
"C:\Users\Admin\AppData\Local\Temp\0c8892b46f2e58ca0ef0789ec0a1ef76.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    PID:1444
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3888

C:\Windows\svghost.exe
C:\Windows\svghost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
785KB

MD5
1318f463852de4d46708222a129992d1

SHA1
56f0a2dd207bb4cb4d17c6fab6634e5b69be4ee1

SHA256
1b93312ca05dd5036147b919acf43868439a6bc350fbd2175299918794a311a7

SHA512
7ecffc405c76dc21a596aabba382a51ebb47145d5ea6740054b6948b1d791cfe2bdac39fe0e8053be25c23d623078c263a85f2d3c71f4a4f49b64f2dd9b65438

Download Submit
C:\Windows\svghost.exe

Filesize
505KB

MD5
24543d0da619cbe45ad09987241969f9

SHA1
03848c27bf473d1632344d9653cd47d308b596b1

SHA256
e198e914acfa53614bfd502923a9a36387050a9089d4e53a686988d1b9fc9e63

SHA512
c3322e1fd0fcd9f117cca23aa794769cbab708ad063da046fbed3c9d1555b8da3d11ebc0ceab42c768176aa87a6f2657288d92aa67227099e92a599a7367a973

Download Submit
C:\Windows\svghost.exe

Filesize
305KB

MD5
520a374453f45b15c3df5beda3fdfe98

SHA1
9fe73c67a2a9d707123e1dea8fd19a6e5e8feee5

SHA256
8e874f94148126981ffd17813cc0d7c3364eeb6f0ad1fc9f4df84e3ba83c65fb

SHA512
5ec8c24898e889a4b971c9b12ca178a65c443439cec5696de407ea98e57aeee90ca347f862b61efcd975c06b405d3860aaae700f0f45a7525ca5fa29cddd468c

Download Submit
C:\Windows\uninstal.bat

Filesize
150B

MD5
5edd682a8b1f2bf873300774f954ab03

SHA1
2cca4e743d02dbccf31b784ea26a60c03dcc9637

SHA256
a34c51ec5d2ac66ef75719e7dee61b6e89e74d054712438da2585ec92ce0865a

SHA512
916f0e846a38f63aae996e2a3957fa24fed3bcaa6add68c529e3cc0aa063dca49b98d42c92317bfc2f43d745c492e1e1e6f5db0c986b9682f4b9b0cf0afd7bd2

Download Submit
memory/2064-50-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2064-43-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2064-39-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/3888-57-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/3888-59-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/4636-56-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/4636-51-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/4636-47-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/4636-61-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/4800-11-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/4800-30-0x0000000001000000-0x0000000001111000-memory.dmp

Filesize
1.1MB

Download
memory/4800-15-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/4800-16-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/4800-17-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4800-18-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/4800-19-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/4800-20-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/4800-22-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/4800-21-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/4800-23-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/4800-25-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/4800-24-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/4800-26-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/4800-27-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/4800-28-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/4800-29-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4800-14-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/4800-31-0x0000000001000000-0x0000000001111000-memory.dmp

Filesize
1.1MB

Download
memory/4800-32-0x00000000006F0000-0x0000000000744000-memory.dmp

Filesize
336KB

Download
memory/4800-35-0x0000000001000000-0x0000000001111000-memory.dmp

Filesize
1.1MB

Download
memory/4800-13-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/4800-0-0x0000000001000000-0x0000000001111000-memory.dmp

Filesize
1.1MB

Download
memory/4800-12-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/4800-10-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/4800-9-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/4800-2-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/4800-6-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/4800-8-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/4800-4-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/4800-7-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/4800-5-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4800-3-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/4800-60-0x0000000001000000-0x0000000001111000-memory.dmp

Filesize
1.1MB

Download
memory/4800-1-0x00000000006F0000-0x0000000000744000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads