90651dbcde7876e2f5cf1e5a4af933087bddea6c5e5b253c305bc6dd254ed9c2

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2024, 06:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

66f439f5359bcb352e88ed4d1551512b.exe
Size

133KB
MD5

66f439f5359bcb352e88ed4d1551512b
SHA1

3883229e86eda5836c81b9cf8f8f88b675d49326
SHA256

90651dbcde7876e2f5cf1e5a4af933087bddea6c5e5b253c305bc6dd254ed9c2
SHA512

c64fa230f30210f9837cb3eb16c892931026747aa435bccd95e44cbe5494b3b98acb93c71b35f193f352b3873a5b46f83596faa512e629b08b5017980746d3f5
SSDEEP

3072:/nj9StfUFINndIc0JlY/SBWR+1bgTAsENFYRYk:/jTeiqE0AsEYRYk

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3560	Keygen.EXE
220	sysup.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	66f439f5359bcb352e88ed4d1551512b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	sysup.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3416 wrote to memory of 3560	3416	66f439f5359bcb352e88ed4d1551512b.exe	87
PID 3416 wrote to memory of 3560	3416	66f439f5359bcb352e88ed4d1551512b.exe	87
PID 3416 wrote to memory of 3560	3416	66f439f5359bcb352e88ed4d1551512b.exe	87
PID 3416 wrote to memory of 220	3416	66f439f5359bcb352e88ed4d1551512b.exe	86
PID 3416 wrote to memory of 220	3416	66f439f5359bcb352e88ed4d1551512b.exe	86
PID 3416 wrote to memory of 220	3416	66f439f5359bcb352e88ed4d1551512b.exe	86

C:\Users\Admin\AppData\Local\Temp\66f439f5359bcb352e88ed4d1551512b.exe
"C:\Users\Admin\AppData\Local\Temp\66f439f5359bcb352e88ed4d1551512b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sysup.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sysup.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:220
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Keygen.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Keygen.EXE
  2⤵
  - Executes dropped EXE
  PID:3560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Keygen.EXE

Filesize
16KB

MD5
b3a6b87904e40d9bbfa78dd58be61294

SHA1
9eb27984209b990be278111c4406b7daca7093f6

SHA256
d375fdd354d43bad469fca885aaef556ed0568cdca356076e0423abb885392a7

SHA512
4c1c8d7047ca0289fb2852b55c9c4ec682ae40e04ef29f75dc865826ee40c8a1717e28ffcc5c54722333d14d83dda0fe248623e32178cb2686427b59c4e089c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sysup.exe

Filesize
100KB

MD5
115889190848ecee20e010dd63fdcfca

SHA1
ddd4f5ef46af9d275af0f42b59ca8d05ae04ad63

SHA256
49f4888c58c7c608e00d516d450597cd31e9c6ac04be18e57ed1e6ce52543937

SHA512
0ece8f7ace741d64d602dcdaf6899ce086e0b77f0cac2fd110058ddf1c45f720c7237c1e53c395923acfcbc4752f7523cfc644f8379b1ac440e207dd006f38aa

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads