c6fca3de6992d02c7209b3a5b78b3e7f2c5c3f7a5b2bc95adf16532bed95d517

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4ab4c65c593d28db7a4d7595041367a.exe
Size

120KB
MD5

c4ab4c65c593d28db7a4d7595041367a
SHA1

108088f776cac29ef9d174926e43555b2bd7002b
SHA256

c6fca3de6992d02c7209b3a5b78b3e7f2c5c3f7a5b2bc95adf16532bed95d517
SHA512

cf4dca2e1f0f341e4315a2e8fe5641c24a769e7440cd5249e4d6b3539fdb053eba09ce3a0f9c75606cf8549bcf3f98598740a45b91e31557b9b7768f97d8747f
SSDEEP

3072:VGu9BlfzWIbXWm+w0Jm5PscfFFQKbKTjf4tiRaiD0:V/0uo0IKbIgti+

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4896	1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c4ab4c65c593d28db7a4d7595041367a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 4896	2108	c4ab4c65c593d28db7a4d7595041367a.exe	86
PID 2108 wrote to memory of 4896	2108	c4ab4c65c593d28db7a4d7595041367a.exe	86
PID 2108 wrote to memory of 4896	2108	c4ab4c65c593d28db7a4d7595041367a.exe	86

C:\Users\Admin\AppData\Local\Temp\c4ab4c65c593d28db7a4d7595041367a.exe
"C:\Users\Admin\AppData\Local\Temp\c4ab4c65c593d28db7a4d7595041367a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
  2⤵
  - Executes dropped EXE
  PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
73KB

MD5
0e62a3f2c914f1a6e61f0ce590c31bb8

SHA1
519e8b34f9358c7dddf6ba04029ef324ff711b5d

SHA256
4b7ab4b29354e4efcda73df1692d156aa3f1f663df876ff07383a12b9799330a

SHA512
c85730babbd83047e1bc904b8d65d9ba28682bcd4f5fba109227726a5bc0e05689c73b7b83ba1bc829d7f1986880c9c6606b1e348bde1d70bf0700a6db55f5bc

Download Submit
memory/4896-4-0x0000000000400000-0x0000000000406600-memory.dmp

Filesize
25KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads