a4e4e343cf8b6023977421175f1787a4b01eddfcfe7b142b2cbdcff079315b16

Analysis

max time kernel
2s
max time network
171s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-01-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe
Size

1.9MB
MD5

0c6af8ca5ace541a278647550954406b
SHA1

af114a253494f59e91011d854a3c2f0c12f58198
SHA256

320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339
SHA512

047094710f62caea9b63d65cf8894d17490bf0e2366dd0fd141f2a88a9a6a9f7d14f99d8e935f047a6b1896c8f36061bea5568c7d95e9fcb14816096cd9287b0
SSDEEP

49152:Ju5z1o02R2cFB3gwqQXSjewyeCx/DLO7b8Zf05yPmsn:ME03yB3gwqqSKbWe8IN

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2708	2VW7324.exe

Loads dropped DLL 2 IoCs

pid	Process
2320	320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe
2708	2VW7324.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0009000000012281-4.dat	autoit_exe
behavioral1/files/0x0009000000012281-9.dat	autoit_exe
behavioral1/files/0x0009000000012281-8.dat	autoit_exe
behavioral1/files/0x0009000000012281-7.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1096	schtasks.exe
1900	schtasks.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2708	2VW7324.exe
2708	2VW7324.exe
2708	2VW7324.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2708	2VW7324.exe
2708	2VW7324.exe
2708	2VW7324.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2708	2320	320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe	28
PID 2320 wrote to memory of 2708	2320	320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe	28
PID 2320 wrote to memory of 2708	2320	320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe	28
PID 2320 wrote to memory of 2708	2320	320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe	28
PID 2320 wrote to memory of 2708	2320	320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe	28
PID 2320 wrote to memory of 2708	2320	320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe	28
PID 2320 wrote to memory of 2708	2320	320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe	28
PID 2708 wrote to memory of 2856	2708	2VW7324.exe	29
PID 2708 wrote to memory of 2856	2708	2VW7324.exe	29
PID 2708 wrote to memory of 2856	2708	2VW7324.exe	29
PID 2708 wrote to memory of 2856	2708	2VW7324.exe	29
PID 2708 wrote to memory of 2856	2708	2VW7324.exe	29
PID 2708 wrote to memory of 2856	2708	2VW7324.exe	29
PID 2708 wrote to memory of 2856	2708	2VW7324.exe	29
PID 2708 wrote to memory of 2720	2708	2VW7324.exe	31
PID 2708 wrote to memory of 2720	2708	2VW7324.exe	31
PID 2708 wrote to memory of 2720	2708	2VW7324.exe	31
PID 2708 wrote to memory of 2720	2708	2VW7324.exe	31
PID 2708 wrote to memory of 2720	2708	2VW7324.exe	31
PID 2708 wrote to memory of 2720	2708	2VW7324.exe	31
PID 2708 wrote to memory of 2720	2708	2VW7324.exe	31
PID 2708 wrote to memory of 2672	2708	2VW7324.exe	30
PID 2708 wrote to memory of 2672	2708	2VW7324.exe	30
PID 2708 wrote to memory of 2672	2708	2VW7324.exe	30
PID 2708 wrote to memory of 2672	2708	2VW7324.exe	30
PID 2708 wrote to memory of 2672	2708	2VW7324.exe	30
PID 2708 wrote to memory of 2672	2708	2VW7324.exe	30
PID 2708 wrote to memory of 2672	2708	2VW7324.exe	30

C:\Users\Admin\AppData\Local\Temp\320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe
"C:\Users\Admin\AppData\Local\Temp\320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2VW7324.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2VW7324.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
    3⤵
    PID:2856
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:275457 /prefetch:2
      4⤵
      PID:2688
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/
    3⤵
    PID:2672
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:275457 /prefetch:2
      4⤵
      PID:2576
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://facebook.com/login
    3⤵
    PID:2720
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2720 CREDAT:275457 /prefetch:2
      4⤵
      PID:2504
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5OP2bQ4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5OP2bQ4.exe
  2⤵
  PID:2084
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    PID:816
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    PID:1488
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1096
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    PID:2640

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
1⤵
- Creates scheduled task(s)
PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2VW7324.exe

Filesize
386KB

MD5
e7663d54a81c5f33339ffca6724374e2

SHA1
dcc52c1e48ff8313ea26de5ac1f0516b292499b3

SHA256
65d2f4f4b871032e4ac9998862482cb12cd8cdf720bdc816cd9916a91f5d4927

SHA512
fbe58144f8e6f10cc9bf9cad08be8124538a0e4c093378ff749901eff6c4daf7dda34b295e69916ddb87cc9ef203fc3cda40d75f48fee8d4045605f72673814b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2VW7324.exe

Filesize
382KB

MD5
595ca30543e5c3e53006bb3ee2013a20

SHA1
8b0166a29407939d83173178ccce8d32644d7188

SHA256
7d1cd371f45a29c76146fed608a3dbc73446ee36b3d0bf144ee854f37b0d4924

SHA512
0dffa8006af2410fc5af40f4bec5a4c7800c169cb787d4e539291ee917234478ee812fe78499a32808907332c93e51dfaa7a7a8f4601e5a742a96477145fc5a6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\2VW7324.exe

Filesize
894KB

MD5
779db1fcaa2b01c67fa62fdcf541137c

SHA1
85aa8928790bc40c8dcfac0585e87526d285905b

SHA256
0b343aceb8665dabb2f978310bc369bcac837bc19c7422d059fd485d50bb2c42

SHA512
b657c28f2159a283214b8ad103492f467e79bbd6465385bde9f15e5c3712433e7d77bf08b5637c2d4dcd7c2fa85fe4704ce0cf4096af4097861762fe10f5a00f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\2VW7324.exe

Filesize
92KB

MD5
a4fc893a76d2a6a210fb3eeb48026ea3

SHA1
0a4ca4a9932ba6c491bed256ef2b5cfaf5437aca

SHA256
fa58959a2d56a827419e7c256cbaeddd5bc18600babee170c1c8645dc2e01dd8

SHA512
7eac3fbf2fd6373a3e63412230f67d4486f39ca70a63a8cb1a9270bee74e233d38255a21de409a3ca6980e3ae413d9b14cab4d4c7d983e0747990e4eaec19c6b

Download Submit
memory/816-145-0x000000006DCE0000-0x000000006E28B000-memory.dmp

Filesize
5.7MB

Download
memory/816-200-0x000000006DCE0000-0x000000006E28B000-memory.dmp

Filesize
5.7MB

Download
memory/816-165-0x0000000002740000-0x0000000002780000-memory.dmp

Filesize
256KB

Download
memory/2084-838-0x0000000000110000-0x000000000056E000-memory.dmp

Filesize
4.4MB

Download
memory/2084-1274-0x0000000000110000-0x000000000056E000-memory.dmp

Filesize
4.4MB

Download
memory/2084-18-0x0000000001100000-0x000000000155E000-memory.dmp

Filesize
4.4MB

Download
memory/2084-17-0x0000000000110000-0x000000000056E000-memory.dmp

Filesize
4.4MB

Download
memory/2084-207-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/2084-254-0x0000000000110000-0x000000000056E000-memory.dmp

Filesize
4.4MB

Download
memory/2084-1280-0x0000000000110000-0x000000000056E000-memory.dmp

Filesize
4.4MB

Download
memory/2084-454-0x0000000000110000-0x000000000056E000-memory.dmp

Filesize
4.4MB

Download
memory/2084-527-0x0000000001100000-0x000000000155E000-memory.dmp

Filesize
4.4MB

Download
memory/2084-533-0x0000000000110000-0x000000000056E000-memory.dmp

Filesize
4.4MB

Download
memory/2084-630-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/2084-641-0x0000000000110000-0x000000000056E000-memory.dmp

Filesize
4.4MB

Download
memory/2084-824-0x0000000000110000-0x000000000056E000-memory.dmp

Filesize
4.4MB

Download
memory/2084-1279-0x0000000000110000-0x000000000056E000-memory.dmp

Filesize
4.4MB

Download
memory/2084-840-0x0000000000110000-0x000000000056E000-memory.dmp

Filesize
4.4MB

Download
memory/2084-879-0x0000000000110000-0x000000000056E000-memory.dmp

Filesize
4.4MB

Download
memory/2084-21-0x0000000000110000-0x000000000056E000-memory.dmp

Filesize
4.4MB

Download
memory/2084-1275-0x0000000000110000-0x000000000056E000-memory.dmp

Filesize
4.4MB

Download
memory/2084-1276-0x0000000000110000-0x000000000056E000-memory.dmp

Filesize
4.4MB

Download
memory/2084-1277-0x0000000000110000-0x000000000056E000-memory.dmp

Filesize
4.4MB

Download
memory/2084-1278-0x0000000000110000-0x000000000056E000-memory.dmp

Filesize
4.4MB

Download
memory/2320-16-0x0000000002620000-0x0000000002A7E000-memory.dmp

Filesize
4.4MB

Download
memory/2320-363-0x0000000002620000-0x0000000002A7E000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads