623683db1d6af3e783264c488e66c0536d0253976b255dbe488ffb99fca047e1

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

226a219536e4ec011d44e74650455e04.exe
Size

344KB
MD5

226a219536e4ec011d44e74650455e04
SHA1

4047a8bfe816fd684b0c5a03e3fe297ea253e592
SHA256

623683db1d6af3e783264c488e66c0536d0253976b255dbe488ffb99fca047e1
SHA512

509a000bfede46b559822613476d24333a99cfd92366cb1ebf0538525f0e6611c77d0bc917fc56962e2faff3fc0ff08897f022f1b4df3ce115dcff7b1bedb658
SSDEEP

6144:gQ0uize3ljwCPbp17u2Bc+zh2EgBu/YF098gWNlPTGQQm6agrd:gwVljnPP7ul+zFI5NtTird

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3288	4.exe
2752	VPort1.1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	226a219536e4ec011d44e74650455e04.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\VPort1.1.exe	4.exe
File opened for modification	C:\Windows\SysWOW64\VPort1.1.exe	4.exe
File opened for modification	C:\Windows\SysWOW64\VPort1.1.exe	VPort1.1.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 3288	1264	226a219536e4ec011d44e74650455e04.exe	91
PID 1264 wrote to memory of 3288	1264	226a219536e4ec011d44e74650455e04.exe	91
PID 1264 wrote to memory of 3288	1264	226a219536e4ec011d44e74650455e04.exe	91

C:\Users\Admin\AppData\Local\Temp\226a219536e4ec011d44e74650455e04.exe
"C:\Users\Admin\AppData\Local\Temp\226a219536e4ec011d44e74650455e04.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3288

C:\Windows\SysWOW64\VPort1.1.exe
C:\Windows\SysWOW64\VPort1.1.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe

Filesize
178KB

MD5
68a98913b6caf4c662fc84aa1023c524

SHA1
3afa43fd4a03d889e2b4873edd9e8c9a1a53d6d1

SHA256
85ef3534bca5cedb2fbf822ff9e8d02dd9f26cd6508bfbbd12e873075867e7d2

SHA512
1b5460ec4abf2131b2768ba8c8bc3b32858fa53fa5013306cd108526d8d1712052bbcec0a8da2bc15263c362a59c5390965ccf51781d64b8e3c70d12c8a69e19

Download Submit
memory/1264-4-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/1264-6-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/1264-12-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/1264-11-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/1264-10-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/1264-9-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/1264-1-0x0000000000660000-0x00000000006A3000-memory.dmp

Filesize
268KB

Download
memory/1264-25-0x0000000001000000-0x0000000001098000-memory.dmp

Filesize
608KB

Download
memory/1264-5-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/1264-8-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/1264-7-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/1264-0-0x0000000001000000-0x0000000001098000-memory.dmp

Filesize
608KB

Download
memory/1264-3-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/1264-2-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/1264-26-0x0000000000660000-0x00000000006A3000-memory.dmp

Filesize
268KB

Download
memory/2752-23-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3288-20-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/3288-24-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads