Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
23-01-2024 20:01
Static task
static1
Behavioral task
behavioral1
Sample
706fc7ab5c6b9ef616acfd3add700e44.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
706fc7ab5c6b9ef616acfd3add700e44.exe
Resource
win10v2004-20231215-en
General
-
Target
706fc7ab5c6b9ef616acfd3add700e44.exe
-
Size
886KB
-
MD5
706fc7ab5c6b9ef616acfd3add700e44
-
SHA1
d4cfb9750c6e4a7a44be3710bc94fa0fbb53ccf4
-
SHA256
1c5975dd72f461fbc184364d27f711642fc693552bb0422477f60020e1139ea9
-
SHA512
32b6d7947fee7ad02de23bcbf97a8d838934c700bab3cec525fa45e340564a665b00f5212faeec056cdbbd592bc7f6bf2053c6d24bd8be35c134aed82d623012
-
SSDEEP
24576:2ryfpDG1m7JGVrFoh8I7UFHxW9ugDH3VH/SVTiZsCfonnV:vff7gVrFG8ZHUH/KGG
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 3056 RADMIR~1.EXE 2476 RADMIR~1.EXE -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 706fc7ab5c6b9ef616acfd3add700e44.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 api.ipify.org 5 api.ipify.org 7 api.ipify.org -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3056 RADMIR~1.EXE Token: SeDebugPrivilege 2476 RADMIR~1.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2548 wrote to memory of 3056 2548 706fc7ab5c6b9ef616acfd3add700e44.exe 28 PID 2548 wrote to memory of 3056 2548 706fc7ab5c6b9ef616acfd3add700e44.exe 28 PID 2548 wrote to memory of 3056 2548 706fc7ab5c6b9ef616acfd3add700e44.exe 28 PID 2548 wrote to memory of 2476 2548 706fc7ab5c6b9ef616acfd3add700e44.exe 30 PID 2548 wrote to memory of 2476 2548 706fc7ab5c6b9ef616acfd3add700e44.exe 30 PID 2548 wrote to memory of 2476 2548 706fc7ab5c6b9ef616acfd3add700e44.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\706fc7ab5c6b9ef616acfd3add700e44.exe"C:\Users\Admin\AppData\Local\Temp\706fc7ab5c6b9ef616acfd3add700e44.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RADMIR~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RADMIR~1.EXE2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3056
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RADMIR~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RADMIR~1.EXE2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2476
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
367KB
MD5dc5925896158f0cd00083cbd156ada1e
SHA101909aeee19c8788617c873308893a6d786edec3
SHA256d233f69cbcaf5a9bed570180c3c83d3b08a97fd389c35578fa4421c6e07e825f
SHA51285d59b8202eb22a96c40c085b00e3c87d4ec7ca369bfeb02230957b761d8504d234d3ec398bc3c1286da9cb41e84c7165e0595646011826b3756a564db90d02a
-
Filesize
1.0MB
MD561428600669d9269e67295b60e838a17
SHA1772f57f7db551213216953d2d47f437466a14e4d
SHA2560a9c1a95bb9699115a7821e1508ce6ae751d9485fa5f6a33b45f16822cfa520a
SHA512b1f1076090d355fa5755c850c29bee5c9c246127cab1f338411af5ded84df732efdff06be1accee42d052eb268d56aeb785b9e5824b578e7121c009bda0975be