00e74582c6ffe11659a6163406a14fc27f9d01799f8ed3a40b5d1dd51b57f4a9

Analysis

max time kernel
93s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64f37f23926f78c90219eb4a9aacd259.exe
Size

698KB
MD5

64f37f23926f78c90219eb4a9aacd259
SHA1

76857b1dede867013abf85c9d93df8d503765ffc
SHA256

00e74582c6ffe11659a6163406a14fc27f9d01799f8ed3a40b5d1dd51b57f4a9
SHA512

e35a5027f618ea50514eb242b23ba72c7676c70b58582cf820bbca466b8ce1b7d21a0856e4bd3099e269aeecee632b65e38e3787a9621d8bec87333d2d894517
SSDEEP

12288:5ojj7vuD4/rUWTxUra4SxkGG0YwHt4J7B0Za9A42EF3Z4mxxJaVk0tMgnOnfGT:87vNX6a4SVv07B0E9R1QmXJYR+nfGT

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3916	SERVER~1.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"F:\\msdownld.tmp\\IXP000.TMP\\\""	64f37f23926f78c90219eb4a9aacd259.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	64f37f23926f78c90219eb4a9aacd259.exe
File opened (read-only)	\??\B:	64f37f23926f78c90219eb4a9aacd259.exe
File opened (read-only)	\??\E:	64f37f23926f78c90219eb4a9aacd259.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1520	3916	WerFault.exe	85

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 3916	1680	64f37f23926f78c90219eb4a9aacd259.exe	85
PID 1680 wrote to memory of 3916	1680	64f37f23926f78c90219eb4a9aacd259.exe	85
PID 1680 wrote to memory of 3916	1680	64f37f23926f78c90219eb4a9aacd259.exe	85

C:\Users\Admin\AppData\Local\Temp\64f37f23926f78c90219eb4a9aacd259.exe
"C:\Users\Admin\AppData\Local\Temp\64f37f23926f78c90219eb4a9aacd259.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:1680
- F:\msdownld.tmp\IXP000.TMP\SERVER~1.EXE
  F:\msdownld.tmp\IXP000.TMP\SERVER~1.EXE
  2⤵
  - Executes dropped EXE
  PID:3916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 544
    3⤵
    - Program crash
    PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 3916 -ip 3916
1⤵
PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

F:\msdownld.tmp\IXP000.TMP\SERVER~1.EXE

Filesize
68KB

MD5
a2be6dde12855da0a9956d9ccdddf6d4

SHA1
4321d4d877d48f873ea80fd9fe12966d7801823b

SHA256
dd2ad3cd4b80723299bfd7ef9b0d5e9882ad5781865630d2513d19b843a94b01

SHA512
c2bcfab854ebb699d1697b21a85b53cc8dc12ebfc6ee8e58439b4cef003f948ca4cc740576f45cf4c07045833156fd091d68f22a229d6319530611695326d687

Download Submit
F:\msdownld.tmp\IXP000.TMP\SERVER~1.EXE

Filesize
43KB

MD5
46053925498b3b833871201e9dd6d1c7

SHA1
835c15b3f06f3087a9de6c086c2aabd077bc5a03

SHA256
acfe2df1ffd7ad9a5a8b1fdcef5f9a42f1820750d500dd305fc198f0bce94a81

SHA512
4ee92d29fe6b8e26479fced5a24199f436588aaca777e1830d12255bcfec52107d157146eec5f513ba814c01201daa7cf7a4cbac7afc1dd720844ce7c5b452d8

Download Submit
memory/1680-0-0x0000000001000000-0x00000000010BC000-memory.dmp

Filesize
752KB

Download
memory/1680-3-0x0000000003100000-0x0000000003103000-memory.dmp

Filesize
12KB

Download
memory/1680-7-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/1680-6-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/1680-2-0x0000000000840000-0x0000000000894000-memory.dmp

Filesize
336KB

Download
memory/1680-1-0x0000000001000000-0x00000000010BC000-memory.dmp

Filesize
752KB

Download
memory/1680-12-0x0000000001000000-0x00000000010BC000-memory.dmp

Filesize
752KB

Download
memory/1680-13-0x0000000000840000-0x0000000000894000-memory.dmp

Filesize
336KB

Download
memory/3916-11-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads