Analysis
-
max time kernel
143s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
13/03/2024, 23:35
Static task
static1
Behavioral task
behavioral1
Sample
c72179667210699354ef006490f34f83.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
c72179667210699354ef006490f34f83.exe
Resource
win10v2004-20240226-en
General
-
Target
c72179667210699354ef006490f34f83.exe
-
Size
92KB
-
MD5
c72179667210699354ef006490f34f83
-
SHA1
b9da701d3675eca3d1c6282c88f3b6eb1fe78a18
-
SHA256
0e1de5b5f3367392cba8b6ae93c503a661a706ba279cb15718f4731480694d9d
-
SHA512
49d2ebb93c060b503c8fa222a32630040a9e2ef0d712352e9c48ebe538c9b51eab98748dc4be2cc1fe16de0714a62730678cf7464b9865cf655a503052dee751
-
SSDEEP
1536:R5neEhlcTW5sk1Ptf2XbWINndIcN6JqCs5grSXCaWX3o6xjgPzj6X70f0R:bnj9PtfUKINndIc0JY5XSZX44jgPzPfa
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1132 server.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" c72179667210699354ef006490f34f83.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1132 server.exe 1132 server.exe 1132 server.exe 1132 server.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1192 wrote to memory of 1132 1192 c72179667210699354ef006490f34f83.exe 87 PID 1192 wrote to memory of 1132 1192 c72179667210699354ef006490f34f83.exe 87 PID 1192 wrote to memory of 1132 1192 c72179667210699354ef006490f34f83.exe 87 PID 1132 wrote to memory of 3352 1132 server.exe 56 PID 1132 wrote to memory of 3352 1132 server.exe 56 PID 1132 wrote to memory of 3352 1132 server.exe 56 PID 1132 wrote to memory of 3352 1132 server.exe 56
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3352
-
C:\Users\Admin\AppData\Local\Temp\c72179667210699354ef006490f34f83.exe"C:\Users\Admin\AppData\Local\Temp\c72179667210699354ef006490f34f83.exe"2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\server.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1132
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
31KB
MD54b818e975f37d13e27aa9e7fec7a3c2a
SHA131c4c4261a17fbefca336062f48e7c6537ab30d5
SHA256c08386ecdaec2f4b0fd82b934d5a87413e8dcc212df49874817296ce74fdd9c8
SHA51295a9d3fea5288a74f56a068393253ab7bf8903591156c454b8a008192c2e6a4c025f35d0d2cd5d579ff210c27ba2f4171abd3a9c2c750516a397b23dc5bd8e77