9038dd05993b2418c6c722412aaa7baf0394a652e797960dc5f1319d48b3e42a

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23571cb495a12b8e285f47987534b708.exe
Size

47KB
MD5

23571cb495a12b8e285f47987534b708
SHA1

d94b91741bdcadfa4c9aaebcc39b952a49dbe99a
SHA256

9038dd05993b2418c6c722412aaa7baf0394a652e797960dc5f1319d48b3e42a
SHA512

d2947fb40bbd4ef753f1ab951e29cc6babc452fc4a43294d9d2ca11ee3cbf6b3f28321a995ae435a529f1258d198ea49fcb2e72b7078e9337a08cb9d39fcd5e6
SSDEEP

768:svgRbOujaRI6RbO8ZtcH0nJ4FABDEs7s2LUGYNIbbV6GPYQ6ka/ElMvE/dL:h3aps9CJ4CEsS/NMoGf6kLeE5

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xalctgjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\X9Y7il41VT = "C:\\ProgramData\\ncpktcdg\\xalctgjc.exe"	xalctgjc.exe

Executes dropped EXE 1 IoCs

pid	Process
4664	xalctgjc.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
540	23571cb495a12b8e285f47987534b708.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 4664	540	23571cb495a12b8e285f47987534b708.exe	104
PID 540 wrote to memory of 4664	540	23571cb495a12b8e285f47987534b708.exe	104
PID 540 wrote to memory of 4664	540	23571cb495a12b8e285f47987534b708.exe	104
PID 540 wrote to memory of 4908	540	23571cb495a12b8e285f47987534b708.exe	103
PID 540 wrote to memory of 4908	540	23571cb495a12b8e285f47987534b708.exe	103
PID 540 wrote to memory of 4908	540	23571cb495a12b8e285f47987534b708.exe	103

C:\Users\Admin\AppData\Local\Temp\23571cb495a12b8e285f47987534b708.exe
"C:\Users\Admin\AppData\Local\Temp\23571cb495a12b8e285f47987534b708.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\SysWOW64\cmd.exe
  /c del /f C:\Users\Admin\AppData\Local\Temp\23571C~1.EXE.bak >> NUL
  2⤵
  PID:4908
- C:\ProgramData\ncpktcdg\xalctgjc.exe
  C:\ProgramData\ncpktcdg\xalctgjc.exe
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ncpktcdg\xalctgjc.exe

Filesize
47KB

MD5
23571cb495a12b8e285f47987534b708

SHA1
d94b91741bdcadfa4c9aaebcc39b952a49dbe99a

SHA256
9038dd05993b2418c6c722412aaa7baf0394a652e797960dc5f1319d48b3e42a

SHA512
d2947fb40bbd4ef753f1ab951e29cc6babc452fc4a43294d9d2ca11ee3cbf6b3f28321a995ae435a529f1258d198ea49fcb2e72b7078e9337a08cb9d39fcd5e6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads