818e0c6a88022f0eb31f59f5c9ba901d32340f28946ebcfeee90884b48ff6224

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

133609987b5845873bd41700cd9f098a.exe
Size

191KB
MD5

133609987b5845873bd41700cd9f098a
SHA1

e90efbec5f8e91b552767075c5b928d413b17417
SHA256

818e0c6a88022f0eb31f59f5c9ba901d32340f28946ebcfeee90884b48ff6224
SHA512

ea7fa6804ed261921ce974ed5f073f2b6b126ed3ab051c0d1069b8a56e43eb499963dbba96009676bf97ea53074cd364d0d90166e6ec55e625711a5f2f3dd5c0
SSDEEP

3072:TEH+GiEs2SMylNOjyFbxJM5QcRGkHRQI+zapw42FjJh6N7iGn/BLpPf1ZLVc/TBs:TsehzRFkMkHaPzasFv6NucTPffklJ2jn

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2644	08.exe

Loads dropped DLL 7 IoCs

pid	Process
1696	133609987b5845873bd41700cd9f098a.exe
1696	133609987b5845873bd41700cd9f098a.exe
2644	08.exe
2644	08.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	133609987b5845873bd41700cd9f098a.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.dll	08.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2704	2644	WerFault.exe	28

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2644	1696	133609987b5845873bd41700cd9f098a.exe	28
PID 1696 wrote to memory of 2644	1696	133609987b5845873bd41700cd9f098a.exe	28
PID 1696 wrote to memory of 2644	1696	133609987b5845873bd41700cd9f098a.exe	28
PID 1696 wrote to memory of 2644	1696	133609987b5845873bd41700cd9f098a.exe	28
PID 1696 wrote to memory of 2644	1696	133609987b5845873bd41700cd9f098a.exe	28
PID 1696 wrote to memory of 2644	1696	133609987b5845873bd41700cd9f098a.exe	28
PID 1696 wrote to memory of 2644	1696	133609987b5845873bd41700cd9f098a.exe	28
PID 2644 wrote to memory of 2748	2644	08.exe	29
PID 2644 wrote to memory of 2748	2644	08.exe	29
PID 2644 wrote to memory of 2748	2644	08.exe	29
PID 2644 wrote to memory of 2748	2644	08.exe	29
PID 2644 wrote to memory of 2748	2644	08.exe	29
PID 2644 wrote to memory of 2748	2644	08.exe	29
PID 2644 wrote to memory of 2748	2644	08.exe	29
PID 2644 wrote to memory of 2704	2644	08.exe	31
PID 2644 wrote to memory of 2704	2644	08.exe	31
PID 2644 wrote to memory of 2704	2644	08.exe	31
PID 2644 wrote to memory of 2704	2644	08.exe	31
PID 2644 wrote to memory of 2704	2644	08.exe	31
PID 2644 wrote to memory of 2704	2644	08.exe	31
PID 2644 wrote to memory of 2704	2644	08.exe	31
PID 2748 wrote to memory of 2668	2748	cmd.exe	32
PID 2748 wrote to memory of 2668	2748	cmd.exe	32
PID 2748 wrote to memory of 2668	2748	cmd.exe	32
PID 2748 wrote to memory of 2668	2748	cmd.exe	32
PID 2748 wrote to memory of 2668	2748	cmd.exe	32
PID 2748 wrote to memory of 2668	2748	cmd.exe	32
PID 2748 wrote to memory of 2668	2748	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\133609987b5845873bd41700cd9f098a.exe
"C:\Users\Admin\AppData\Local\Temp\133609987b5845873bd41700cd9f098a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\08.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\08.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cacls C:\Windows\system32 /e /p everyone:f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\system32 /e /p everyone:f
      4⤵
      PID:2668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 268
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\08.exe

Filesize
36KB

MD5
03c078a7170ba7cf51eb07771619fe12

SHA1
732d91e5998d0a1c6fd52d17089cb1ab871e4e67

SHA256
914e59cf12869533b27888b75b9b5e5344e2068c15236938fd4fb6c7a4a962b1

SHA512
d1bf4d6de020425b7f4ce2e327efb25cea53360ee52d0319b3f09740fa915a32c4fe530876711b3dc0e34290fffa4935e10e33a88a057f22429e18b6e5a166fe

Download Submit
\Windows\SysWOW64\system.dll

Filesize
15KB

MD5
12a06350969bdc6e81253514e8c2358b

SHA1
2575b9c4e59ec91e050393922720789debf47696

SHA256
5591ba6aee0b8b8e7a1e816197b3f48f995bf365b8da33294efcf5c44cd5add0

SHA512
e09e5f01ef33ac55045b918814a5b3cfcb47a4df358e8e18be25f408ac5cff333015adc1e16e71df1b188666c32fb48bfbf48f8d7b1e8f4e047051b502ac7522

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads