16bc2af45a7a3ab7adf9b369a5f5fbeba1924db09278038d3c4dfcfda1af8940

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2024, 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89759ff8befbf5d841e10aab7d60ccb8.exe
Size

221KB
MD5

89759ff8befbf5d841e10aab7d60ccb8
SHA1

28d243ecf7f97c31a289f3f998861113b5a9d435
SHA256

16bc2af45a7a3ab7adf9b369a5f5fbeba1924db09278038d3c4dfcfda1af8940
SHA512

3efa3cdc266aae25d72b8c316d25d3ebbea02eb27306d330075b4aa53457608d2c53a25825ece310b8d8568d21fe7b93f0e0e5f73017a7612c3e69ffbf384e66
SSDEEP

3072:bqEH+GiEs2SMylNOjyFbxJr5qojW5SiUSv7q2reaSkJ+naWUnBgq9LIK7FskG8oD:OsehzRFxC5SiVLSa5JGFsZs2JKpW4gw

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4680	QVODSE~1.EXE
3600	Setup8.exe
2876	nniwlfaa.exe

Loads dropped DLL 1 IoCs

pid	Process
2876	nniwlfaa.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	89759ff8befbf5d841e10aab7d60ccb8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe"	nniwlfaa.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nniwlfaa.exe	QVODSE~1.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4680	QVODSE~1.EXE
4680	QVODSE~1.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3600	Setup8.exe
3600	Setup8.exe
3600	Setup8.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3600	Setup8.exe
3600	Setup8.exe
3600	Setup8.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 4680	4968	89759ff8befbf5d841e10aab7d60ccb8.exe	84
PID 4968 wrote to memory of 4680	4968	89759ff8befbf5d841e10aab7d60ccb8.exe	84
PID 4968 wrote to memory of 4680	4968	89759ff8befbf5d841e10aab7d60ccb8.exe	84
PID 4680 wrote to memory of 2684	4680	QVODSE~1.EXE	85
PID 4680 wrote to memory of 2684	4680	QVODSE~1.EXE	85
PID 4680 wrote to memory of 2684	4680	QVODSE~1.EXE	85
PID 4968 wrote to memory of 3600	4968	89759ff8befbf5d841e10aab7d60ccb8.exe	87
PID 4968 wrote to memory of 3600	4968	89759ff8befbf5d841e10aab7d60ccb8.exe	87
PID 4968 wrote to memory of 3600	4968	89759ff8befbf5d841e10aab7d60ccb8.exe	87
PID 2684 wrote to memory of 2876	2684	cmd.exe	88
PID 2684 wrote to memory of 2876	2684	cmd.exe	88
PID 2684 wrote to memory of 2876	2684	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\89759ff8befbf5d841e10aab7d60ccb8.exe
"C:\Users\Admin\AppData\Local\Temp\89759ff8befbf5d841e10aab7d60ccb8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QVODSE~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QVODSE~1.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\nniwlfaa.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\nniwlfaa.exe
      C:\Windows\system32\nniwlfaa.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      PID:2876
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup8.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup8.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3E41.tmp

Filesize
4.3MB

MD5
6c7cdd25c2cb0073306eb22aebfc663f

SHA1
a1eba8ab49272b9852fe6a543677e8af36271248

SHA256
58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

SHA512
17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QVODSE~1.EXE

Filesize
125KB

MD5
8200d8aa567e728a8b9a303f717f771a

SHA1
a4c3fa13847873e27ca4459cc5db972b6e043468

SHA256
a9ff33fa335035d12169c85a711f8f8875743d88a9c0807f5668028601eba806

SHA512
eab1ad28df174b3750c4747909a1f52dabcd714d05a5665d8058040cda172d1f50dc17379e2da451553f2ee9d1aa5b84003926598c3bba4c8aaf0e15c96851c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup8.exe

Filesize
297KB

MD5
e6859c9a14016562fd6b7a4fc2d063f0

SHA1
d103b8185bc56fbc86aa0a110b022d5801552cc0

SHA256
9ab7142e21013ada234c176b57684547e1e55570b5cde694f08f7e497c0e2fb7

SHA512
38c24f9685adcad166e57f1ccc15a45c9267b14f313151ed1ff434633705d7435a73b6a00369c2e9b5c50573d64809111940c59b1ff4ba185e03f92d32fb8868

Download Submit
C:\Windows\SysWOW64\nniwlfaa.exe

Filesize
49KB

MD5
9f8ff0afc4967c39cf43d014acdaac97

SHA1
ef699bc0b7a3d280420c5fdb9f3274c6730d42da

SHA256
cbaee1978832a44c0e8cfef854192f0d507de1e44d9190c9e615ee35be11ab1e

SHA512
41324155f5b87a1c62af8f807578fa598c5de1d54561771663c44ea22d5322e54437881ef0d361d3d939be1e57feb9171f7038ed1d02e484bc838c251116b5bf

Download Submit