e02ab02e92eeffa04c08b59e8d0f419a83e880f550abd09e4c98f51eb25556f3

Resubmissions

25/02/2024, 17:12

240225-vq9qasgf84 6

25/02/2024, 17:10

240225-vpyawagf65 6

Analysis

max time kernel
69s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2024, 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iron5decompiler.exe
Size

154KB
MD5

2701aef8b0ac8a3e2eaf4f149be596c3
SHA1

2b6f95b404a58a23655f9101b7289a1cefcf164b
SHA256

e02ab02e92eeffa04c08b59e8d0f419a83e880f550abd09e4c98f51eb25556f3
SHA512

537e59b3e3dc87b587c81ed433fef95b3dc52f58584b3fd6fdd86d8b7dd0af5c2ba0fd6dc740c52a71a8e51e4f9441e100aac0d3214be7a1e29d08ba47f0b1e9
SSDEEP

3072:MahKyd2n31z5GWp1icKAArDZz4N9GhbkrNEk1kT:MahObp0yN90QE7

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	iron5decompiler.exe

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
3544	timeout.exe
3360	timeout.exe
4216	timeout.exe
2044	timeout.exe
1144	timeout.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 896	4936	iron5decompiler.exe	86
PID 4936 wrote to memory of 896	4936	iron5decompiler.exe	86
PID 896 wrote to memory of 4072	896	cmd.exe	88
PID 896 wrote to memory of 4072	896	cmd.exe	88
PID 4072 wrote to memory of 1384	4072	cmd.exe	89
PID 4072 wrote to memory of 1384	4072	cmd.exe	89
PID 896 wrote to memory of 2688	896	cmd.exe	95
PID 896 wrote to memory of 2688	896	cmd.exe	95
PID 2688 wrote to memory of 4736	2688	cmd.exe	96
PID 2688 wrote to memory of 4736	2688	cmd.exe	96
PID 896 wrote to memory of 2896	896	cmd.exe	99
PID 896 wrote to memory of 2896	896	cmd.exe	99
PID 2896 wrote to memory of 1064	2896	cmd.exe	100
PID 2896 wrote to memory of 1064	2896	cmd.exe	100
PID 896 wrote to memory of 2692	896	cmd.exe	101
PID 896 wrote to memory of 2692	896	cmd.exe	101
PID 2692 wrote to memory of 2204	2692	cmd.exe	102
PID 2692 wrote to memory of 2204	2692	cmd.exe	102
PID 896 wrote to memory of 2452	896	cmd.exe	104
PID 896 wrote to memory of 2452	896	cmd.exe	104
PID 2452 wrote to memory of 3144	2452	cmd.exe	105
PID 2452 wrote to memory of 3144	2452	cmd.exe	105
PID 896 wrote to memory of 3544	896	cmd.exe	107
PID 896 wrote to memory of 3544	896	cmd.exe	107
PID 896 wrote to memory of 3360	896	cmd.exe	108
PID 896 wrote to memory of 3360	896	cmd.exe	108
PID 896 wrote to memory of 4216	896	cmd.exe	109
PID 896 wrote to memory of 4216	896	cmd.exe	109
PID 896 wrote to memory of 2044	896	cmd.exe	110
PID 896 wrote to memory of 2044	896	cmd.exe	110
PID 896 wrote to memory of 1144	896	cmd.exe	111
PID 896 wrote to memory of 1144	896	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\iron5decompiler.exe
"C:\Users\Admin\AppData\Local\Temp\iron5decompiler.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "iron5decompiler.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iron5decompiler.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Windows\system32\findstr.exe
      findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iron5decompiler.bat"
      4⤵
      PID:1384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iron5decompiler.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\system32\findstr.exe
      findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iron5decompiler.bat"
      4⤵
      PID:4736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iron5decompiler.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\system32\findstr.exe
      findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iron5decompiler.bat"
      4⤵
      PID:1064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iron5decompiler.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\system32\findstr.exe
      findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iron5decompiler.bat"
      4⤵
      PID:2204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iron5decompiler.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\system32\findstr.exe
      findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iron5decompiler.bat"
      4⤵
      PID:3144
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3544
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3360
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4216
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2044
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iron5decompiler.bat

Filesize
1KB

MD5
2df2237a99f9a6581bff130175e775e9

SHA1
bbca645ce2870c603ef55f3c05e18b38cfd20b48

SHA256
2f4cdf7ae69b523da388f2e8bd2cd9fc8d62d36ad9e1f9bf18b49af83229b8c2

SHA512
404fe89854335ca03efd360ed80ad196654723edf6b81af7e0f205dc078449359023027ee47e0e8bad46ccf60b061db4eedfc7083e78f6501c04dc9635c5f115

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\null

Filesize
34B

MD5
37ea882f356e462d579aa4ccd8e089d6

SHA1
2b7a2179237fc17135a8a1e14439e9e272242e37

SHA256
d2cf402243a6ed040e5e51fc45c4a72da1e7db60136d54a9c84b0955faf3a4f9

SHA512
7856d7edd31ed3ed37add96b0e4377d1dee3a83f3f702093fa2375a3c27b99e5d3f5c980e8de265ab46218d9c48d172c1a9ff6781c0be013d62b1ca117396c99

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads