16bc2af45a7a3ab7adf9b369a5f5fbeba1924db09278038d3c4dfcfda1af8940

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02/02/2024, 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89759ff8befbf5d841e10aab7d60ccb8.exe
Size

221KB
MD5

89759ff8befbf5d841e10aab7d60ccb8
SHA1

28d243ecf7f97c31a289f3f998861113b5a9d435
SHA256

16bc2af45a7a3ab7adf9b369a5f5fbeba1924db09278038d3c4dfcfda1af8940
SHA512

3efa3cdc266aae25d72b8c316d25d3ebbea02eb27306d330075b4aa53457608d2c53a25825ece310b8d8568d21fe7b93f0e0e5f73017a7612c3e69ffbf384e66
SSDEEP

3072:bqEH+GiEs2SMylNOjyFbxJr5qojW5SiUSv7q2reaSkJ+naWUnBgq9LIK7FskG8oD:OsehzRFxC5SiVLSa5JGFsZs2JKpW4gw

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2652	QVODSE~1.EXE
2712	Setup8.exe
2784	cffmuctb.exe

Loads dropped DLL 11 IoCs

pid	Process
2208	89759ff8befbf5d841e10aab7d60ccb8.exe
2208	89759ff8befbf5d841e10aab7d60ccb8.exe
2652	QVODSE~1.EXE
2208	89759ff8befbf5d841e10aab7d60ccb8.exe
2712	Setup8.exe
2116	cmd.exe
2712	Setup8.exe
2712	Setup8.exe
2116	cmd.exe
2784	cffmuctb.exe
2784	cffmuctb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	89759ff8befbf5d841e10aab7d60ccb8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe"	cffmuctb.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cffmuctb.exe	QVODSE~1.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2652	QVODSE~1.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2712	Setup8.exe
2712	Setup8.exe
2712	Setup8.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2712	Setup8.exe
2712	Setup8.exe
2712	Setup8.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2652	2208	89759ff8befbf5d841e10aab7d60ccb8.exe	28
PID 2208 wrote to memory of 2652	2208	89759ff8befbf5d841e10aab7d60ccb8.exe	28
PID 2208 wrote to memory of 2652	2208	89759ff8befbf5d841e10aab7d60ccb8.exe	28
PID 2208 wrote to memory of 2652	2208	89759ff8befbf5d841e10aab7d60ccb8.exe	28
PID 2208 wrote to memory of 2652	2208	89759ff8befbf5d841e10aab7d60ccb8.exe	28
PID 2208 wrote to memory of 2652	2208	89759ff8befbf5d841e10aab7d60ccb8.exe	28
PID 2208 wrote to memory of 2652	2208	89759ff8befbf5d841e10aab7d60ccb8.exe	28
PID 2652 wrote to memory of 2116	2652	QVODSE~1.EXE	29
PID 2652 wrote to memory of 2116	2652	QVODSE~1.EXE	29
PID 2652 wrote to memory of 2116	2652	QVODSE~1.EXE	29
PID 2652 wrote to memory of 2116	2652	QVODSE~1.EXE	29
PID 2652 wrote to memory of 2116	2652	QVODSE~1.EXE	29
PID 2652 wrote to memory of 2116	2652	QVODSE~1.EXE	29
PID 2652 wrote to memory of 2116	2652	QVODSE~1.EXE	29
PID 2208 wrote to memory of 2712	2208	89759ff8befbf5d841e10aab7d60ccb8.exe	31
PID 2208 wrote to memory of 2712	2208	89759ff8befbf5d841e10aab7d60ccb8.exe	31
PID 2208 wrote to memory of 2712	2208	89759ff8befbf5d841e10aab7d60ccb8.exe	31
PID 2208 wrote to memory of 2712	2208	89759ff8befbf5d841e10aab7d60ccb8.exe	31
PID 2208 wrote to memory of 2712	2208	89759ff8befbf5d841e10aab7d60ccb8.exe	31
PID 2208 wrote to memory of 2712	2208	89759ff8befbf5d841e10aab7d60ccb8.exe	31
PID 2208 wrote to memory of 2712	2208	89759ff8befbf5d841e10aab7d60ccb8.exe	31
PID 2116 wrote to memory of 2784	2116	cmd.exe	32
PID 2116 wrote to memory of 2784	2116	cmd.exe	32
PID 2116 wrote to memory of 2784	2116	cmd.exe	32
PID 2116 wrote to memory of 2784	2116	cmd.exe	32
PID 2116 wrote to memory of 2784	2116	cmd.exe	32
PID 2116 wrote to memory of 2784	2116	cmd.exe	32
PID 2116 wrote to memory of 2784	2116	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\89759ff8befbf5d841e10aab7d60ccb8.exe
"C:\Users\Admin\AppData\Local\Temp\89759ff8befbf5d841e10aab7d60ccb8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QVODSE~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QVODSE~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\cffmuctb.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Windows\SysWOW64\cffmuctb.exe
      C:\Windows\system32\cffmuctb.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      PID:2784
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup8.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup8.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\cffmuctb.exe

Filesize
49KB

MD5
9f8ff0afc4967c39cf43d014acdaac97

SHA1
ef699bc0b7a3d280420c5fdb9f3274c6730d42da

SHA256
cbaee1978832a44c0e8cfef854192f0d507de1e44d9190c9e615ee35be11ab1e

SHA512
41324155f5b87a1c62af8f807578fa598c5de1d54561771663c44ea22d5322e54437881ef0d361d3d939be1e57feb9171f7038ed1d02e484bc838c251116b5bf

Download Submit
\Users\Admin\AppData\Local\Temp\33EC.tmp

Filesize
606KB

MD5
c03e335e1601de1921ad4e0a55074cc8

SHA1
f61b0537cfca018ea2db4496e10ad54ff6df1e9a

SHA256
ff39718add4b57aa318ecbfbafac8f17b3f5c1548023d06c48e5b2e03536f0c3

SHA512
4fd56845e2130b0438c721957da536c3c273135398387d6baea51b6e08b0ac3059d12d8cd7eb2aa3be7320019c0651cb545c32dacd37a0c49bae3634fc7f03f1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\QVODSE~1.EXE

Filesize
125KB

MD5
8200d8aa567e728a8b9a303f717f771a

SHA1
a4c3fa13847873e27ca4459cc5db972b6e043468

SHA256
a9ff33fa335035d12169c85a711f8f8875743d88a9c0807f5668028601eba806

SHA512
eab1ad28df174b3750c4747909a1f52dabcd714d05a5665d8058040cda172d1f50dc17379e2da451553f2ee9d1aa5b84003926598c3bba4c8aaf0e15c96851c3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup8.exe

Filesize
297KB

MD5
e6859c9a14016562fd6b7a4fc2d063f0

SHA1
d103b8185bc56fbc86aa0a110b022d5801552cc0

SHA256
9ab7142e21013ada234c176b57684547e1e55570b5cde694f08f7e497c0e2fb7

SHA512
38c24f9685adcad166e57f1ccc15a45c9267b14f313151ed1ff434633705d7435a73b6a00369c2e9b5c50573d64809111940c59b1ff4ba185e03f92d32fb8868

Download Submit
memory/2712-30-0x0000000003700000-0x0000000003904000-memory.dmp

Filesize
2.0MB

Download
memory/2712-31-0x0000000003700000-0x0000000003904000-memory.dmp

Filesize
2.0MB

Download