1c5975dd72f461fbc184364d27f711642fc693552bb0422477f60020e1139ea9

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23-01-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

706fc7ab5c6b9ef616acfd3add700e44.exe
Size

886KB
MD5

706fc7ab5c6b9ef616acfd3add700e44
SHA1

d4cfb9750c6e4a7a44be3710bc94fa0fbb53ccf4
SHA256

1c5975dd72f461fbc184364d27f711642fc693552bb0422477f60020e1139ea9
SHA512

32b6d7947fee7ad02de23bcbf97a8d838934c700bab3cec525fa45e340564a665b00f5212faeec056cdbbd592bc7f6bf2053c6d24bd8be35c134aed82d623012
SSDEEP

24576:2ryfpDG1m7JGVrFoh8I7UFHxW9ugDH3VH/SVTiZsCfonnV:vff7gVrFG8ZHUH/KGG

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

RADMIR~1.EXERADMIR~1.EXE

pid process

3056 RADMIR~1.EXE
2476 RADMIR~1.EXE

pid	process
3056	RADMIR~1.EXE
2476	RADMIR~1.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

706fc7ab5c6b9ef616acfd3add700e44.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	706fc7ab5c6b9ef616acfd3add700e44.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
7 api.ipify.org
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RADMIR~1.EXERADMIR~1.EXE

description pid process

Token: SeDebugPrivilege 3056 RADMIR~1.EXE
Token: SeDebugPrivilege 2476 RADMIR~1.EXE

flow	ioc
4	api.ipify.org
5	api.ipify.org
7	api.ipify.org

description	pid	process
Token: SeDebugPrivilege	3056	RADMIR~1.EXE
Token: SeDebugPrivilege	2476	RADMIR~1.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

706fc7ab5c6b9ef616acfd3add700e44.exe

description	pid	process	target process
PID 2548 wrote to memory of 3056	2548	706fc7ab5c6b9ef616acfd3add700e44.exe	RADMIR~1.EXE
PID 2548 wrote to memory of 3056	2548	706fc7ab5c6b9ef616acfd3add700e44.exe	RADMIR~1.EXE
PID 2548 wrote to memory of 3056	2548	706fc7ab5c6b9ef616acfd3add700e44.exe	RADMIR~1.EXE
PID 2548 wrote to memory of 2476	2548	706fc7ab5c6b9ef616acfd3add700e44.exe	RADMIR~1.EXE
PID 2548 wrote to memory of 2476	2548	706fc7ab5c6b9ef616acfd3add700e44.exe	RADMIR~1.EXE
PID 2548 wrote to memory of 2476	2548	706fc7ab5c6b9ef616acfd3add700e44.exe	RADMIR~1.EXE

C:\Users\Admin\AppData\Local\Temp\706fc7ab5c6b9ef616acfd3add700e44.exe
"C:\Users\Admin\AppData\Local\Temp\706fc7ab5c6b9ef616acfd3add700e44.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2548

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RADMIR~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RADMIR~1.EXE
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RADMIR~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RADMIR~1.EXE
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2476

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RADMIR~1.EXE
Filesize
367KB

MD5
dc5925896158f0cd00083cbd156ada1e

SHA1
01909aeee19c8788617c873308893a6d786edec3

SHA256
d233f69cbcaf5a9bed570180c3c83d3b08a97fd389c35578fa4421c6e07e825f

SHA512
85d59b8202eb22a96c40c085b00e3c87d4ec7ca369bfeb02230957b761d8504d234d3ec398bc3c1286da9cb41e84c7165e0595646011826b3756a564db90d02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RADMIR~1.EXE
Filesize
1.0MB

MD5
61428600669d9269e67295b60e838a17

SHA1
772f57f7db551213216953d2d47f437466a14e4d

SHA256
0a9c1a95bb9699115a7821e1508ce6ae751d9485fa5f6a33b45f16822cfa520a

SHA512
b1f1076090d355fa5755c850c29bee5c9c246127cab1f338411af5ded84df732efdff06be1accee42d052eb268d56aeb785b9e5824b578e7121c009bda0975be

Download Submit
memory/2476-11-0x0000000000D30000-0x0000000000E3A000-memory.dmp

Filesize
1.0MB

Download
memory/2476-12-0x000007FEF4D90000-0x000007FEF577C000-memory.dmp

Filesize
9.9MB

Download
memory/2476-13-0x000000001B150000-0x000000001B1D0000-memory.dmp

Filesize
512KB

Download
memory/2476-14-0x000007FEF4D90000-0x000007FEF577C000-memory.dmp

Filesize
9.9MB

Download
memory/3056-5-0x0000000000950000-0x0000000000A5A000-memory.dmp

Filesize
1.0MB

Download
memory/3056-6-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/3056-8-0x00000000021A0000-0x0000000002216000-memory.dmp

Filesize
472KB

Download
memory/3056-7-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/3056-9-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download