6adeb5f78a223c558b233b3474f4c65a993f61895f2a2b176b1a38c76d6a8522

Analysis

max time kernel
125s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2024 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7324f00bd75b6feb0fae0783c2fb6c15.exe
Size

691KB
MD5

7324f00bd75b6feb0fae0783c2fb6c15
SHA1

f68d0b69134fe33c2131706338ff7135a5197519
SHA256

6adeb5f78a223c558b233b3474f4c65a993f61895f2a2b176b1a38c76d6a8522
SHA512

8f2817a0a18ca37a08b6fdfb5c24501f420daddf848f77eaccae1bf50a292171491beb9efc7104d02885fc0bddec1c6e85887f8426dadce80ac068737ab9bdba
SSDEEP

12288:UTHxGNKvvQtEXh4FarF7Uz0bBMOzr9zF3Z4mxxUDqVTVOC7:UTHxGNKIZF+F4zciO1zQmXDVTz7

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4692	5.exe
4472	win32.ini

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7324f00bd75b6feb0fae0783c2fb6c15.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\win32.ini	5.exe
File opened for modification	C:\Windows\win32.ini	5.exe
File created	C:\Windows\uninstal.bat	5.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	win32.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	win32.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	win32.ini
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	win32.ini
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	win32.ini

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4692	5.exe
Token: SeDebugPrivilege	4472	win32.ini

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4472	win32.ini

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 4692	4968	7324f00bd75b6feb0fae0783c2fb6c15.exe	87
PID 4968 wrote to memory of 4692	4968	7324f00bd75b6feb0fae0783c2fb6c15.exe	87
PID 4968 wrote to memory of 4692	4968	7324f00bd75b6feb0fae0783c2fb6c15.exe	87
PID 4472 wrote to memory of 4864	4472	win32.ini	90
PID 4472 wrote to memory of 4864	4472	win32.ini	90
PID 4692 wrote to memory of 2176	4692	5.exe	96
PID 4692 wrote to memory of 2176	4692	5.exe	96
PID 4692 wrote to memory of 2176	4692	5.exe	96

C:\Users\Admin\AppData\Local\Temp\7324f00bd75b6feb0fae0783c2fb6c15.exe
"C:\Users\Admin\AppData\Local\Temp\7324f00bd75b6feb0fae0783c2fb6c15.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
    3⤵
    PID:2176

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
1⤵
PID:4864

C:\Windows\win32.ini
C:\Windows\win32.ini
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe

Filesize
57KB

MD5
330b07528de119334815fc621e3c3cd9

SHA1
1ad93ee6dd5415a4d4ac758ea2215d088b03be63

SHA256
d395c1851ba76496bf4bdc606f51103acd837b906daae8a124623ece0e2467ae

SHA512
f4f1a4bd6f60cd18d0df9846ca9b8ffab8859d0c0538d88cf0cecbb23bbf2c0d41a7c4b7bb0263f1e6cd3181379a45386e1e1bad66851b9dbf0c46385b5213a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe

Filesize
17KB

MD5
a8ac2e681427eec809f7e06839043f48

SHA1
c36a37eaf6818082da6a8de806da8035fc4f00c8

SHA256
0bee3b033760ab2b99a89558311cea2ef2eef1d677707f85a6b7e9e02351e78d

SHA512
9327a5df3a126ef577d3ee4d0fa3849d484970170fe8f46dafebe9287e67e29f43f7cb6c256f10669266da79fa84c8dbdcc31e99fb6cd7f279881a79be0bc1f0

Download Submit
C:\Windows\uninstal.bat

Filesize
150B

MD5
72f9d376b476a7a6936991161cfeb888

SHA1
ea53941d2d65213eed7aac7f29f897ecdb34344f

SHA256
061cf610c4430e21066e13c91c49e6885cdcb24501095f1f8839e82d3a1d6a02

SHA512
543f9178e376d60544d75981c259bbb4ab603411febb991507c25ddb904bf6e934d05173de5632823d53aaee13ee6f8a623179b26d8a6d134104d47e9dbaeaf5

Download Submit
C:\Windows\win32.ini

Filesize
92KB

MD5
9eca59f7b5a59a90c92dd3c9a81f1ae3

SHA1
55a652e1d85eb6d2ecfe57d31a905492b32643d9

SHA256
3e543faf1b0c6a06442fa20937135bc458eb64a84bad6b114bee7616b8580130

SHA512
29a25daed93ebe0906e1ddeb222ebae2a8cd4e7c722f8a7c09a727cf0e4d4e817996c784999861cbec6e82821798debccf908295a87beafc035c147a82c70f08

Download Submit
C:\Windows\win32.ini

Filesize
798KB

MD5
548cae355cbc569066fa168ce14252ed

SHA1
3c9a20dcbfccb8d1ec74dd82bb869c9e43ab9c6e

SHA256
9b67a8aefd0df28dc645d75036a9cee451e7285cd8816abcf0e98afb733470bc

SHA512
4f51a1d9c9b12ec137025560796d0095d1a78798adc1b0bbbabc487c24891d795ded11aeb2fb2c8485217bc48ac77e1ce8c9e872ade87745962fcda337a6d611

Download Submit
memory/4692-78-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/4968-45-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-62-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-15-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-14-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-16-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-41-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-13-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-19-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-26-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-32-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-53-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-57-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-63-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-40-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-61-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/4968-60-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/4968-59-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-58-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-56-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-55-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-54-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-52-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-51-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-50-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-49-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-39-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-47-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-46-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-1-0x0000000000680000-0x00000000006D4000-memory.dmp

Filesize
336KB

Download
memory/4968-44-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-43-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-42-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-17-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-4-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/4968-48-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-38-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-37-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-36-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-35-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-34-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-33-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-31-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-30-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-29-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-28-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-27-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-25-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-24-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-23-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-22-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-21-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-20-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-18-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-12-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-11-0x0000000003150000-0x000000000316B000-memory.dmp

Filesize
108KB

Download
memory/4968-10-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/4968-9-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/4968-8-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/4968-7-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4968-6-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/4968-5-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/4968-3-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/4968-2-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/4968-79-0x0000000001000000-0x0000000001113000-memory.dmp

Filesize
1.1MB

Download
memory/4968-0-0x0000000001000000-0x0000000001113000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads