ef1876bf583f57000a52b2879d1c49902715677331c1cc204c30294feb12e9f0

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

404ebe64b33d2f01b100cc10ba84a97ac79107aac5a88948a3820161e11a86ae.exe
Size

196KB
MD5

b70aaa5c8c7dd1d5d57649b601127693
SHA1

745598aa07e6c4541747c57ad52e604a9cbbd02d
SHA256

404ebe64b33d2f01b100cc10ba84a97ac79107aac5a88948a3820161e11a86ae
SHA512

869e9b82b4ae1d72e91acaa36d9c077e604f731370ac8124a8d3c8b8cb9b3bd4041dafedcb2b7f3c86d3e4dbfb5bd1777d69e9de1ba0ce4c8404f9aeaecd9def
SSDEEP

3072:c29+hIl2epp1q5GWp1icKAArDZz4N9GhbkrNEk1wgXDnsZH4lLsEff/J:DwAwp0yN90QEhiwZH4lQEff/

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	404ebe64b33d2f01b100cc10ba84a97ac79107aac5a88948a3820161e11a86ae.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	cmstp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2716	reg.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeRestorePrivilege	2708	cmstp.exe
Token: SeRestorePrivilege	2708	cmstp.exe
Token: SeRestorePrivilege	2708	cmstp.exe
Token: SeRestorePrivilege	2708	cmstp.exe
Token: SeRestorePrivilege	2708	cmstp.exe
Token: SeRestorePrivilege	2708	cmstp.exe
Token: SeRestorePrivilege	2708	cmstp.exe
Token: SeRestorePrivilege	2708	cmstp.exe
Token: SeRestorePrivilege	2708	cmstp.exe
Token: SeRestorePrivilege	2708	cmstp.exe
Token: SeRestorePrivilege	2708	cmstp.exe
Token: SeRestorePrivilege	2708	cmstp.exe
Token: SeRestorePrivilege	2708	cmstp.exe
Token: SeRestorePrivilege	2708	cmstp.exe
Token: SeRestorePrivilege	2708	cmstp.exe
Token: SeRestorePrivilege	2708	cmstp.exe
Token: SeRestorePrivilege	2708	cmstp.exe
Token: SeRestorePrivilege	2708	cmstp.exe
Token: SeRestorePrivilege	2708	cmstp.exe
Token: SeRestorePrivilege	2708	cmstp.exe
Token: SeRestorePrivilege	2708	cmstp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2708	1220	404ebe64b33d2f01b100cc10ba84a97ac79107aac5a88948a3820161e11a86ae.exe	28
PID 1220 wrote to memory of 2708	1220	404ebe64b33d2f01b100cc10ba84a97ac79107aac5a88948a3820161e11a86ae.exe	28
PID 1220 wrote to memory of 2708	1220	404ebe64b33d2f01b100cc10ba84a97ac79107aac5a88948a3820161e11a86ae.exe	28
PID 2708 wrote to memory of 2716	2708	cmstp.exe	29
PID 2708 wrote to memory of 2716	2708	cmstp.exe	29
PID 2708 wrote to memory of 2716	2708	cmstp.exe	29
PID 2708 wrote to memory of 2520	2708	cmstp.exe	31
PID 2708 wrote to memory of 2520	2708	cmstp.exe	31
PID 2708 wrote to memory of 2520	2708	cmstp.exe	31
PID 2520 wrote to memory of 2600	2520	cmd.exe	33
PID 2520 wrote to memory of 2600	2520	cmd.exe	33
PID 2520 wrote to memory of 2600	2520	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\404ebe64b33d2f01b100cc10ba84a97ac79107aac5a88948a3820161e11a86ae.exe
"C:\Users\Admin\AppData\Local\Temp\404ebe64b33d2f01b100cc10ba84a97ac79107aac5a88948a3820161e11a86ae.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\system32\cmstp.exe
  cmstp.exe /s /su /ns 90ff0063-d143-484d-a0a6-51a6491b859e.inf
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 /v SelectSelfSignedCert /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2716
- - C:\Windows\system32\cmd.exe
    cmd.exe /c certutil -addstore root %APPDATA%\Microsoft\Network\Connections\Cm\90ff0063-d143-484d-a0a6-51a6491b859e\90ff0063-d143-484d-a0a6-51a6491b859e.cer
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\system32\certutil.exe
      certutil -addstore root C:\Users\Admin\AppData\Roaming\Microsoft\Network\Connections\Cm\90ff0063-d143-484d-a0a6-51a6491b859e\90ff0063-d143-484d-a0a6-51a6491b859e.cer
      4⤵
      PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\90FF00~1.CER

Filesize
947B

MD5
79e4a9840d7d3a96d7c04fe2434c892e

SHA1
a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436

SHA256
4348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c70161

SHA512
53b444e565183201a61eeb461209b2dc30895eeca487238d15a026735f229a819e5b19cbd7e2fa2768ab2a64f6ebcd9d1e721341c9ed5dd09fc0d5e43d68bca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\90FF00~1.CMS

Filesize
3KB

MD5
7cd5b9bbe008d81f84f880e8ba71f3bf

SHA1
674c66716a5cbc82da7878749df3934a2f562465

SHA256
f3be58c2d4f47c5aca38b5441b46f91adcb7aca7bc3ed9f78bc7b65c547ec30e

SHA512
6808e55833c871abd71cdca86afd15acd0a77fa61fc16bd9fdbb8ea9f6feffd3010688b08e6ba4d971920febd7a2eabb753538b1c1cd63516cb29d24b2c5b675

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\90FF00~1.PBK

Filesize
2KB

MD5
5dc96019532490b4aabccf795f5235eb

SHA1
a135776f4f764fc118e7f15ea1ae27de8bc352bf

SHA256
1a50dd39ac81b518edbd573d2cbe44caa0ab9e1c6e3a34577a9faaa30b3a2c2c

SHA512
01bcd14d9269db4c9a13cad49c4e013c621196cf4ba056e3308b43e2e6a50f12dd9f7d13eea63f47de7cb2a58b62ecd622a53fba8ff94e0b8b54b0ac681f0e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\90ff0063-d143-484d-a0a6-51a6491b859e.cmp

Filesize
155B

MD5
5763171df77c499d4d6bad16f9fdcca1

SHA1
607e6ef33d11bbd99f7a0a9ffe11a77861944711

SHA256
46dad93a142549ffb4674948e90335036e2535da30eb85262bd14e427557c8ea

SHA512
2cc536ec4d69e82cb27bffacadf0c9379aa783a27cea734d4383cb325371c257c74b94364d33f7301293a76bdbf7e0eec769f7472ae6a7dc29df5c32171be89b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\90ff0063-d143-484d-a0a6-51a6491b859e.inf

Filesize
11KB

MD5
d62b6c2546efc256ba2ee92720e174eb

SHA1
08193eef8a9269dc0d9a257903d12d43fd829a44

SHA256
808006b3591bbc8094bf00b2c3334578e3b5ae5f915113377f55e20acdf431f1

SHA512
30bd8e360ea38e0618ce0b4ee93c2b1af6678e84f7445d1a207e320034ea2b10a0bceae740e7a9f03e8d78d0d192c5fa8e5b1822debebc594955b68fcd2be5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AZUREB~1.ICO

Filesize
5KB

MD5
f4210677849c93e4550b23c038b251f8

SHA1
eed0197ea0ec7b79d10dfe38699b5dcc57775b7b

SHA256
1ebdce9e839099060b4a68dad683bd77ccb398280ce6ceade6297d50df1001e0

SHA512
7fd327fd662c0aa9431f32f8f15708876b4d0b00dfa2c0f191a88aafc3d725da068752dd8f5705c356f20248c3c3588357c60733a4a9a346ce41710c44193943

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AZUREB~2.ICO

Filesize
4KB

MD5
1e633ec56eee97f7cd80316388f0b769

SHA1
25e18aa13520605f17eaf2f9d77acd8ba5408fe2

SHA256
04aab375e08f56cf4be4ca7e148969fa93789886eff1b13ab85f00a76cea238e

SHA512
4c3edbcd34100d3358b924452a9041ed97fe31df65f6f29d350b17664324edac03fef4d24c995bb2b082c63ce21f9e6833c8474e1549dc5c21f911d12925a824

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AZUREV~1.BMP

Filesize
135KB

MD5
745a3d9dcb4735518fd16ca5dc00c79f

SHA1
5c9ca1e8f3d81b40a0e6e731171b83f04782e799

SHA256
f738942f441272f364d480d700a2215180f0e9765ac64056991b78f0af35d560

SHA512
603cbc81fea84a0b612f8129575bedec1710dbfad7d8955afcd2720827923ffdec48852449a73a4ad2bb6332a76a559eec897d68a415bb37f5b39b1ee23a5fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cmroute.dll

Filesize
44KB

MD5
97a1be58e3c15fc1fa364382611c1e0d

SHA1
196d981be87040921200f59c341095d4fcdaeb58

SHA256
dd457e87e1bda9518e37408fa0f4f578bc83aa557b913f09ae610e22e4b3df35

SHA512
8dde1e91f8c463d214b4d1a7dc3873d5fe540758ee8515894275c98a53960bfac1d98f249941f25b88c0fc321d94c1fffc6563acdef2213bf1f4c8a311ed9d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\routes.txt

Filesize
138B

MD5
3e4cf7d368e21d61dc926e5fa0309115

SHA1
976401ef3d1542b05ae4ebada2c9539d40b729b6

SHA256
f4f284e6407b3a69495c3bc8d6ba14d92804fd9ed9b5e6f7d807eadb530eaa02

SHA512
c1b54353fc7558dc7480aaf6a739ef526ec356ea78478dc3308669ac875c56693cdaa267fbfdd3e7a52ed4f41f8261102da919a094a5293a10021a3c3d6c412a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads