f12976d4ae81006831f829ab61a04f6f250028bf1bb532a08141f58ef3d64e8e

Analysis

max time kernel
142s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-01-2024 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dde9515c33a895f63f8d24a2c3d7ce9.exe
Size

317KB
MD5

7dde9515c33a895f63f8d24a2c3d7ce9
SHA1

b9933a86523c5adc729a07a1053b72ff9d503e89
SHA256

f12976d4ae81006831f829ab61a04f6f250028bf1bb532a08141f58ef3d64e8e
SHA512

b0680fdb57aa4262a2519d6b069a674abdb4a9bf9e56fade0b152c037aeb5c4c43fc7f4f26a76d9c69af4899596be861f198454fa54b549c9c6d9041184b18a9
SSDEEP

6144:YjDeiYYt/wS9ZNWXAM52m1Mh4Z4jARHKsx5p6d+jHT74giqWekH:YmdM/J9KlC2Z42jOSEekH

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2660	Keygen.EXE

Loads dropped DLL 2 IoCs

pid	Process
2864	7dde9515c33a895f63f8d24a2c3d7ce9.exe
2864	7dde9515c33a895f63f8d24a2c3d7ce9.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7dde9515c33a895f63f8d24a2c3d7ce9.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2660	2864	7dde9515c33a895f63f8d24a2c3d7ce9.exe	28
PID 2864 wrote to memory of 2660	2864	7dde9515c33a895f63f8d24a2c3d7ce9.exe	28
PID 2864 wrote to memory of 2660	2864	7dde9515c33a895f63f8d24a2c3d7ce9.exe	28
PID 2864 wrote to memory of 2660	2864	7dde9515c33a895f63f8d24a2c3d7ce9.exe	28

C:\Users\Admin\AppData\Local\Temp\7dde9515c33a895f63f8d24a2c3d7ce9.exe
"C:\Users\Admin\AppData\Local\Temp\7dde9515c33a895f63f8d24a2c3d7ce9.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Keygen.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Keygen.EXE
  2⤵
  - Executes dropped EXE
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Keygen.EXE

Filesize
52KB

MD5
fe2fa492c4e7f833366b88c22c545561

SHA1
2181d3364bf0fa6f946d493e91cfb606eafe4bb1

SHA256
327df5af086f1d0346a5675c70ada4a711c1e5778d48dc76065b3f092260249e

SHA512
544c0eb57f80a6ca72b770db2a1e1ace856c11c2d2bd3d46b33411e8b921d533b728b681486e8e5e9fa1f1998301213c964f5d0a1d6188af455d556b8cdb5c43

Download Submit
memory/2660-11-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads