1c5975dd72f461fbc184364d27f711642fc693552bb0422477f60020e1139ea9

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23-01-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

706fc7ab5c6b9ef616acfd3add700e44.exe
Size

886KB
MD5

706fc7ab5c6b9ef616acfd3add700e44
SHA1

d4cfb9750c6e4a7a44be3710bc94fa0fbb53ccf4
SHA256

1c5975dd72f461fbc184364d27f711642fc693552bb0422477f60020e1139ea9
SHA512

32b6d7947fee7ad02de23bcbf97a8d838934c700bab3cec525fa45e340564a665b00f5212faeec056cdbbd592bc7f6bf2053c6d24bd8be35c134aed82d623012
SSDEEP

24576:2ryfpDG1m7JGVrFoh8I7UFHxW9ugDH3VH/SVTiZsCfonnV:vff7gVrFG8ZHUH/KGG

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

RADMIR~1.EXERADMIR~1.EXE

pid	Process
3056	RADMIR~1.EXE
2476	RADMIR~1.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

706fc7ab5c6b9ef616acfd3add700e44.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	706fc7ab5c6b9ef616acfd3add700e44.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
4	api.ipify.org
5	api.ipify.org
7	api.ipify.org

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RADMIR~1.EXERADMIR~1.EXE

description	pid	Process
Token: SeDebugPrivilege	3056	RADMIR~1.EXE
Token: SeDebugPrivilege	2476	RADMIR~1.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

706fc7ab5c6b9ef616acfd3add700e44.exe

description	pid	Process	procid_target
PID 2548 wrote to memory of 3056	2548	706fc7ab5c6b9ef616acfd3add700e44.exe	28
PID 2548 wrote to memory of 3056	2548	706fc7ab5c6b9ef616acfd3add700e44.exe	28
PID 2548 wrote to memory of 3056	2548	706fc7ab5c6b9ef616acfd3add700e44.exe	28
PID 2548 wrote to memory of 2476	2548	706fc7ab5c6b9ef616acfd3add700e44.exe	30
PID 2548 wrote to memory of 2476	2548	706fc7ab5c6b9ef616acfd3add700e44.exe	30
PID 2548 wrote to memory of 2476	2548	706fc7ab5c6b9ef616acfd3add700e44.exe	30

C:\Users\Admin\AppData\Local\Temp\706fc7ab5c6b9ef616acfd3add700e44.exe
"C:\Users\Admin\AppData\Local\Temp\706fc7ab5c6b9ef616acfd3add700e44.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RADMIR~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RADMIR~1.EXE
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RADMIR~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RADMIR~1.EXE
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RADMIR~1.EXE

Filesize
367KB

MD5
dc5925896158f0cd00083cbd156ada1e

SHA1
01909aeee19c8788617c873308893a6d786edec3

SHA256
d233f69cbcaf5a9bed570180c3c83d3b08a97fd389c35578fa4421c6e07e825f

SHA512
85d59b8202eb22a96c40c085b00e3c87d4ec7ca369bfeb02230957b761d8504d234d3ec398bc3c1286da9cb41e84c7165e0595646011826b3756a564db90d02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RADMIR~1.EXE

Filesize
1.0MB

MD5
61428600669d9269e67295b60e838a17

SHA1
772f57f7db551213216953d2d47f437466a14e4d

SHA256
0a9c1a95bb9699115a7821e1508ce6ae751d9485fa5f6a33b45f16822cfa520a

SHA512
b1f1076090d355fa5755c850c29bee5c9c246127cab1f338411af5ded84df732efdff06be1accee42d052eb268d56aeb785b9e5824b578e7121c009bda0975be

Download Submit
memory/2476-11-0x0000000000D30000-0x0000000000E3A000-memory.dmp

Filesize
1.0MB

Download
memory/2476-12-0x000007FEF4D90000-0x000007FEF577C000-memory.dmp

Filesize
9.9MB

Download
memory/2476-13-0x000000001B150000-0x000000001B1D0000-memory.dmp

Filesize
512KB

Download
memory/2476-14-0x000007FEF4D90000-0x000007FEF577C000-memory.dmp

Filesize
9.9MB

Download
memory/3056-5-0x0000000000950000-0x0000000000A5A000-memory.dmp

Filesize
1.0MB

Download
memory/3056-6-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/3056-8-0x00000000021A0000-0x0000000002216000-memory.dmp

Filesize
472KB

Download
memory/3056-7-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/3056-9-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download