dd5d9459b603865371c244c708f432325ef8b7990bf39640aada64ccfee13a41

Analysis

max time kernel
142s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38ce27d4fcfdb5e4130f76efed3f2ed4.exe
Size

718KB
MD5

38ce27d4fcfdb5e4130f76efed3f2ed4
SHA1

b783552d2078cfc81ca161aff6928c97dd482742
SHA256

dd5d9459b603865371c244c708f432325ef8b7990bf39640aada64ccfee13a41
SHA512

47a4d287d2ce3ec61c87cf87ab47fe105556871b3dab60f76127f4740e861e829ddc76487104df9237341db39a7ee113b05267ac6043f89dfc7eae5d454283c2
SSDEEP

12288:ycDE925qznLBUy/1cTQIoVL1hXibkf7yxSsYIw0vGF3Z4mxxQGnJZ1tkyjE0Er/i:yWmiqGyMk6bkf4PoQmXHnJftkyYBgFP

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4644	1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	38ce27d4fcfdb5e4130f76efed3f2ed4.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1628 set thread context of 1984	1628	38ce27d4fcfdb5e4130f76efed3f2ed4.exe	91

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\ravdll.dll	38ce27d4fcfdb5e4130f76efed3f2ed4.exe
File opened for modification	C:\Windows\ravdll.dll	38ce27d4fcfdb5e4130f76efed3f2ed4.exe
File created	C:\Windows\uninstal.bat	1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1628	38ce27d4fcfdb5e4130f76efed3f2ed4.exe
1628	38ce27d4fcfdb5e4130f76efed3f2ed4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4644	1.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 3472	1628	38ce27d4fcfdb5e4130f76efed3f2ed4.exe	49
PID 1628 wrote to memory of 1984	1628	38ce27d4fcfdb5e4130f76efed3f2ed4.exe	91
PID 1628 wrote to memory of 1984	1628	38ce27d4fcfdb5e4130f76efed3f2ed4.exe	91
PID 1628 wrote to memory of 1984	1628	38ce27d4fcfdb5e4130f76efed3f2ed4.exe	91
PID 1628 wrote to memory of 1984	1628	38ce27d4fcfdb5e4130f76efed3f2ed4.exe	91
PID 1628 wrote to memory of 1984	1628	38ce27d4fcfdb5e4130f76efed3f2ed4.exe	91
PID 1984 wrote to memory of 4644	1984	38ce27d4fcfdb5e4130f76efed3f2ed4.exe	92
PID 1984 wrote to memory of 4644	1984	38ce27d4fcfdb5e4130f76efed3f2ed4.exe	92
PID 1984 wrote to memory of 4644	1984	38ce27d4fcfdb5e4130f76efed3f2ed4.exe	92
PID 4644 wrote to memory of 3548	4644	1.exe	97
PID 4644 wrote to memory of 3548	4644	1.exe	97
PID 4644 wrote to memory of 3548	4644	1.exe	97

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3472
- C:\Users\Admin\AppData\Local\Temp\38ce27d4fcfdb5e4130f76efed3f2ed4.exe
  "C:\Users\Admin\AppData\Local\Temp\38ce27d4fcfdb5e4130f76efed3f2ed4.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Users\Admin\AppData\Local\Temp\38ce27d4fcfdb5e4130f76efed3f2ed4.exe
    C:\Users\Admin\AppData\Local\Temp\38ce27d4fcfdb5e4130f76efed3f2ed4.exe
    3⤵
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4644
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
        5⤵
        
        PID:3548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
757KB

MD5
0ee95abe3e2c85b29c063631a8637de4

SHA1
3abebbc044e4a6e05c31073db05c7831bedd53ce

SHA256
81e9410ed3a51bd0dcf0b31e7e95e674a1b5877cfae6e75973b7db118f5bb196

SHA512
5e38f2fe0388e69cfb285e349b1f8b5ce962bb2af1d8ec63c152ec380a434e4ba4e759b76f2b6eded4bba680e77138dace862a87b557e74d2f5ae3819c9b581c

Download Submit
C:\Windows\uninstal.bat

Filesize
150B

MD5
38abcb0e3e0290b7fd102ede63184294

SHA1
db5ea8b475b211779aee0ceaec4e7d389195b899

SHA256
7c31d1ad068fa0fd74158b9855f4bc8ec2467875bd74e3f8272df986c51166b7

SHA512
5c52f1692419d02d50f1296251aba070a7829e63fa88fd4f9b9e15e488e4be9de69240b5fa3a721c41a644851ea28418cbb1f90492b2d57d689e051faeafdd22

Download Submit
memory/1628-0-0x0000000010000000-0x00000000100CC000-memory.dmp

Filesize
816KB

Download
memory/1628-1-0x00000000020A0000-0x00000000020F4000-memory.dmp

Filesize
336KB

Download
memory/1628-2-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/1628-26-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/1628-25-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/1628-24-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/1628-23-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/1628-22-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/1628-21-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/1628-20-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/1628-19-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/1628-18-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1628-17-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/1628-16-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/1628-15-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/1628-14-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/1628-27-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/1628-13-0x0000000003270000-0x0000000003272000-memory.dmp

Filesize
8KB

Download
memory/1628-12-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/1628-11-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/1628-10-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1628-9-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1628-8-0x0000000002060000-0x0000000002061000-memory.dmp

Filesize
4KB

Download
memory/1628-5-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/1628-4-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/1628-3-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/1628-28-0x00000000032F0000-0x00000000032F1000-memory.dmp

Filesize
4KB

Download
memory/1628-29-0x0000000003260000-0x0000000003262000-memory.dmp

Filesize
8KB

Download
memory/1628-30-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1628-31-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1628-32-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1628-33-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1628-34-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1628-35-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1628-36-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1628-37-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1628-38-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1628-39-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1628-40-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/1628-41-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/1628-42-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1628-43-0x00000000032B0000-0x00000000032B1000-memory.dmp

Filesize
4KB

Download
memory/1628-44-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/1628-45-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/1628-46-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/1628-47-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/1628-50-0x0000000010000000-0x00000000100CC000-memory.dmp

Filesize
816KB

Download
memory/1628-51-0x00000000020A0000-0x00000000020F4000-memory.dmp

Filesize
336KB

Download
memory/1984-48-0x0000000001000000-0x0000000001062000-memory.dmp

Filesize
392KB

Download
memory/1984-52-0x0000000001000000-0x0000000001062000-memory.dmp

Filesize
392KB

Download
memory/1984-53-0x0000000001000000-0x0000000001062000-memory.dmp

Filesize
392KB

Download
memory/1984-61-0x0000000001000000-0x0000000001062000-memory.dmp

Filesize
392KB

Download
memory/1984-67-0x0000000001000000-0x0000000001062000-memory.dmp

Filesize
392KB

Download
memory/4644-59-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/4644-60-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download