6f5ad0b7e7f4e34683b49c991bcaa62f904c952af257be0f107b1ced677599c8

Analysis

max time kernel
141s
max time network
125s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6cc69e46c69e9bab68f066dc3c46364.exe
Size

114KB
MD5

c6cc69e46c69e9bab68f066dc3c46364
SHA1

10efe0d80833db8c67dae2d799fa5fdeb95c6b26
SHA256

6f5ad0b7e7f4e34683b49c991bcaa62f904c952af257be0f107b1ced677599c8
SHA512

de07c58e5859c3038d1a61b075c8feeae89f8366e3065f9d93a0de1fb65728a300a7519053398037c176e3388933e86fad2897adaa9217c18336b52fbb832709
SSDEEP

1536:M5neEhlcTW5sk1itf2XYWINndIcN6J4hxZXYPeBCNE+54sMFyn9RiV/lxwVXfS:qnj9itfUNINndIc0J4WO0D4QqV/vR

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1524	Keygen.exe

Loads dropped DLL 2 IoCs

pid	Process
2980	c6cc69e46c69e9bab68f066dc3c46364.exe
2980	c6cc69e46c69e9bab68f066dc3c46364.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c6cc69e46c69e9bab68f066dc3c46364.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 1524	2980	c6cc69e46c69e9bab68f066dc3c46364.exe	28
PID 2980 wrote to memory of 1524	2980	c6cc69e46c69e9bab68f066dc3c46364.exe	28
PID 2980 wrote to memory of 1524	2980	c6cc69e46c69e9bab68f066dc3c46364.exe	28
PID 2980 wrote to memory of 1524	2980	c6cc69e46c69e9bab68f066dc3c46364.exe	28

C:\Users\Admin\AppData\Local\Temp\c6cc69e46c69e9bab68f066dc3c46364.exe
"C:\Users\Admin\AppData\Local\Temp\c6cc69e46c69e9bab68f066dc3c46364.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Keygen.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Keygen.exe
  2⤵
  - Executes dropped EXE
  PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Keygen.exe

Filesize
50KB

MD5
ef28adbf18b384470acd79435c17d2eb

SHA1
9f5bebaf3f3b89267c9c8111459d8b28ac9c1b1a

SHA256
9b479e5ee2af6b562025c825d0ec39b6cb90db2401f040d0f03858819a04f621

SHA512
c31fa071ebe850f8e032a1c2f0b0cb87aeaae2359ef14c4a8e699097e001f3181201823fa743809354a4ece1a071fdaf5d5bb2eb902aec01892943ee68907c38

Download Submit
memory/1524-21-0x000000000FFF0000-0x0000000010033000-memory.dmp

Filesize
268KB

Download
memory/1524-30-0x000000000FFF0000-0x0000000010033000-memory.dmp

Filesize
268KB

Download
memory/1524-15-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/1524-12-0x000000000FFF0000-0x0000000010033000-memory.dmp

Filesize
268KB

Download
memory/1524-16-0x000000000FFF0000-0x0000000010033000-memory.dmp

Filesize
268KB

Download
memory/1524-20-0x000000000FFF0000-0x0000000010033000-memory.dmp

Filesize
268KB

Download
memory/1524-18-0x000000000FFF0000-0x0000000010033000-memory.dmp

Filesize
268KB

Download
memory/1524-19-0x000000000FFF0000-0x0000000010033000-memory.dmp

Filesize
268KB

Download
memory/1524-31-0x000000000FFF0000-0x0000000010033000-memory.dmp

Filesize
268KB

Download
memory/1524-29-0x000000000FFF0000-0x0000000010033000-memory.dmp

Filesize
268KB

Download
memory/1524-24-0x000000000FFF0000-0x0000000010033000-memory.dmp

Filesize
268KB

Download
memory/1524-23-0x000000000FFF0000-0x0000000010033000-memory.dmp

Filesize
268KB

Download
memory/1524-22-0x000000000FFF0000-0x0000000010033000-memory.dmp

Filesize
268KB

Download
memory/1524-25-0x000000000FFF0000-0x0000000010033000-memory.dmp

Filesize
268KB

Download
memory/1524-26-0x000000000FFF0000-0x0000000010033000-memory.dmp

Filesize
268KB

Download
memory/1524-27-0x000000000FFF0000-0x0000000010033000-memory.dmp

Filesize
268KB

Download
memory/1524-28-0x000000000FFF0000-0x0000000010033000-memory.dmp

Filesize
268KB

Download
memory/2980-17-0x000000000FFF0000-0x0000000010033000-memory.dmp

Filesize
268KB

Download
memory/2980-13-0x000000000FFF0000-0x0000000010033000-memory.dmp

Filesize
268KB

Download
memory/2980-11-0x000000000FFF0000-0x0000000010033000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads