e9f9fef509c07f123eb594c540e35a70d07eb9777566a2f6f24e6642974adb19

Analysis

max time kernel
119s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a7a6ff79eeb5d51f8bf4cab188f74de0a220722e3d9d97858092ea3ef41b2b0.exe
Size

5.8MB
MD5

db137f939459ee378572623942debafa
SHA1

7703e6e0f1df016b954dca503573a22a4c1766d9
SHA256

3a7a6ff79eeb5d51f8bf4cab188f74de0a220722e3d9d97858092ea3ef41b2b0
SHA512

e9503c2986e2785e4281c9418bf178512d3ff6b875a7d5d07047e806856b3dd51254fc920fdb9fefcf03633dd2ca5168867140be1a8fc9d0676b300a2e3bde96
SSDEEP

98304:13+KGn20wQh/pCZb/ijmG/Owk2X1w/T6FpgvztWuxC4ghVI11BTLnmzE2TwWbCpK:1AJhwZLiowDX1w/Oim4zpjmzE2TwWbCn

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3016	install.exe
1256	Process not Found

Loads dropped DLL 4 IoCs

pid	Process
2088	3a7a6ff79eeb5d51f8bf4cab188f74de0a220722e3d9d97858092ea3ef41b2b0.exe
2088	3a7a6ff79eeb5d51f8bf4cab188f74de0a220722e3d9d97858092ea3ef41b2b0.exe
3016	install.exe
3016	install.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3a7a6ff79eeb5d51f8bf4cab188f74de0a220722e3d9d97858092ea3ef41b2b0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 3016	2088	3a7a6ff79eeb5d51f8bf4cab188f74de0a220722e3d9d97858092ea3ef41b2b0.exe	28
PID 2088 wrote to memory of 3016	2088	3a7a6ff79eeb5d51f8bf4cab188f74de0a220722e3d9d97858092ea3ef41b2b0.exe	28
PID 2088 wrote to memory of 3016	2088	3a7a6ff79eeb5d51f8bf4cab188f74de0a220722e3d9d97858092ea3ef41b2b0.exe	28
PID 2088 wrote to memory of 3016	2088	3a7a6ff79eeb5d51f8bf4cab188f74de0a220722e3d9d97858092ea3ef41b2b0.exe	28

C:\Users\Admin\AppData\Local\Temp\3a7a6ff79eeb5d51f8bf4cab188f74de0a220722e3d9d97858092ea3ef41b2b0.exe
"C:\Users\Admin\AppData\Local\Temp\3a7a6ff79eeb5d51f8bf4cab188f74de0a220722e3d9d97858092ea3ef41b2b0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eula.1033.txt

Filesize
15KB

MD5
e40610019032bc9ee795956bed63c9c0

SHA1
d18df45d83864ed2e5a7023512711f3df4481945

SHA256
c88310fb8c4e9a645ecc0d00b72a96a1dba7baf2294b60b37589b8dd17dbeff5

SHA512
f89fb361b050e6efb913311c63552931f2066603bb5de30ee96732a6eabda608443a56f39255438b22d7d08fbd8f859b50f9ccad66e1bee195ef88e2a44be245

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\globdata.ini

Filesize
1KB

MD5
475349ae604e7888fda95cd0ea51709c

SHA1
1f1f7d53d4e24c93ad90f3514f2c984117ff48d8

SHA256
0c66607b073c8da4654fd1849799c6ac7a85a5c5d76c797bf3264bb3cae1d9ab

SHA512
cb13052ee305fa2b240806885ee32a428325c4987d69af97ff2e7907636b825fe7bfbec05ee7bc441bf6e92e18e09525c75836c25a592795da0bb73920e707ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
27KB

MD5
e93710746e19c00aac55cf44eb7784d5

SHA1
b04d196b156593afbc5d97fe5bf717256acf3cdb

SHA256
b08909cfdc717652611b2936c932e38a51d664a5c1070c731a6992444d8a5323

SHA512
356ce548c29e35915d49a78a070ecfe35c6d3dce4494c8c528512317049aa922d80021b8c8f67720b64cff35a5f743c6bb329151f36eeaf81e5fd3147a518f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
39KB

MD5
04cfa7d94bd67b36193a0b37bf807652

SHA1
2b7714457da8715eb73752a668901a932b21c2b2

SHA256
b8467ed825d080d8f340ea6430cc1980866e7e6ff8b56e5c0e3cb201d5011e5b

SHA512
ffcbcfba0f010599c1a87538758f9cf7a694a22ec3c5cea1d0fa4cddf1bb1baebf1686e95fd9cbcd2a06ffd49089809e0b1ded4f73696e5cfc15a0dbd365239a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.ini

Filesize
4KB

MD5
4598a5fefcd1b97c94e68be5b2b6251c

SHA1
67a329b341a601a0ae22484fbdfd799ceeac1406

SHA256
9ea95fff47608b0bfc2382fd0e42e2afc70c2c578adb7bb5eb3386d212cfe656

SHA512
e287e696a28fdc33ea8ef97892910429954a091ecb515d8c39260df6506322e83441ce3cc1d4d6af2e8721b8ba95ec09dcd4893ff78e8fc0e5dc2acc4d1581f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.res.1033.dll

Filesize
13KB

MD5
1976a7c7b265d863fff9fbafeffc3c22

SHA1
a20b0e697423366b5e4eee5fdf555948fa462a86

SHA256
b8268f7e7181c760cc03e7f06204416fc43003d4343a308cd3a1cc71e94053cd

SHA512
466a57bf8b63cf4bde38c803b28ff0c76bf025c275ada65e23705900f66f751ae9dcc27057c1db9233ce59d17501e8a4dba5f9c98528c6fe021eed8641ad23a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jsredist.msi

Filesize
5KB

MD5
197b8b565393195bf7757e20f3355c70

SHA1
19721ee9cd433a7b84fffc7774b7472d6563cfd0

SHA256
ab74ab6369160af5b349dc72507e7ca7541ebcdd55157035549d057fc9dc1d50

SHA512
ad2c0101b0940977840057b492b96dcee52091a81756064cc4400aa2540bba205b85f2ff0f06e2a6e0fd89e380a0bba1918ba8186d53f32e3b789bbcab7ac9f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vjredist.bmp

Filesize
5KB

MD5
06fba95313f26e300917c6cea4480890

SHA1
31beee44776f114078fc403e405eaa5936c4bc3b

SHA256
594884a8006e24ad5b1578cd7c75aca21171bb079ebdc4f6518905bcf2237ba1

SHA512
7dca0f1ab5d3fd1ac8755142a7ca4d085bb0c2f12a7272e56159dadfa22da79ec8261815be71b9f5e7c32f6e8121ecb2443060f7db76feaf01eb193200e67dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vjscustom.1033.dll

Filesize
9KB

MD5
c84db233fe557d7089fcfcfd948e9f9a

SHA1
f1ae7a34458ef00a48e25a942e073128c8e972da

SHA256
ba66b35dfa12d9ecdc0bb3a2e997399f20ad3bd6e87a351c3241f9ca6594fa12

SHA512
a69880310ad357ae0f66febc872f942aea48d0846666432e966ed529c4a7d7be4c13655e3e079330520092763b8d42cef031e94786a10d78984fc85fd37e9842

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
39KB

MD5
e4ad89dcb9f89c39f7b8d1c509449865

SHA1
40a4fdd2d5ab80f87715d1dc151c1f727dc7df71

SHA256
a19beaa01de77a6c9ffe5e7bd7923ebfd6a5050690908d084955ad4e566c862d

SHA512
38b34ac38ba0929bcf50a33e6e649b225834bedcc5b5bd8ff79144a44778ae5e2ac37bb1953844a7cb3dae3bc115ea5ed45c1f3b6077cc7c2a1c41c554f5f653

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
21KB

MD5
45fd1238e854e608d9efd31b176f1ed9

SHA1
af7e0024ef88f72e8f90b1f8424e40a9c4b3c79d

SHA256
db03dd75e0dd163c7004a2ff358b7af1b5d426bb4624c9edbaf1b5d5849c6d60

SHA512
6297df2eff75bd4adf55661af86e106b4611a87108082f5955e8750f77c433b98c9b05fb5dc768732124a0c8bd207943185cd33ee92764a273664a8bf5b5eb09

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
27KB

MD5
b6b122aa4435ee0b13b04afe2d198544

SHA1
0c2aa84f4dfcb332cf944493e9f0dd2aab18ecb5

SHA256
8d2a2598b5ae89569556a0df7c2c12d57c609dda58b79172de7495eeecd55936

SHA512
dace56b5a1455574fa3f1f7ba6eb8a4c2ecdb5348d8b6ab575e90079221aead2eba87f84dd8e8a0b206e4dd673af15338ab2b71052f4e4f15862fbdfc8da87f0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.res.1033.dll

Filesize
73KB

MD5
e37eb50458c388f45c9f10568b2bac28

SHA1
89ca2089b8f86c4d3dd1162f2c6ea51f44c1d21d

SHA256
915e0ec1e8542c5bd1f440b645279a79d7c2748f10fcb97e68e2595e314f6632

SHA512
dda34f4eab1e56be748c179b42183cbd60789674f881f3c03de59ed4ec6d33f13f9b2088239a266de3d6a83c3fd0ade6e8b2bf9fea3df4bb5c4ca3b238c60f98

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\vjscustom.1033.dll

Filesize
31KB

MD5
33cc2ddb7a34f9fd7774396a814ee9f8

SHA1
a066c91bc449896cf923b7b73658c5ee1c31eae9

SHA256
a26c9e381df7ba6d740bc3ca3632efcc1f2e195870959693c5bd34d35f17bcd2

SHA512
47188c89e68b2e6979afba8f940f5672785e82f585d6ef651c1d11b26ae92b81ca7ac2c228c64c170bfd3627d13cbcbc18f6b3e1382e5a2e3f8c13864d3aa712

Download Submit
memory/3016-89-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/3016-96-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads