79fcc8d712a3abf4c61bbc1c028233ab0abdb23f4dfef90a8ced761f3cc0040b

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/03/2024, 10:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cdc8d30467f878d21baf759beed3e56c.exe
Size

247KB
MD5

cdc8d30467f878d21baf759beed3e56c
SHA1

79e8ba2a3f82db0c13de355164b45de431ceccf2
SHA256

79fcc8d712a3abf4c61bbc1c028233ab0abdb23f4dfef90a8ced761f3cc0040b
SHA512

6cb5871ef2bce7f4253fa76a43ace0543ca5b4c5b55dcabff5a2f58a3d63a1381114fa9bb833763410ec0cd9c64894a522632371d2fad063e22d37d7cdb0fc80
SSDEEP

6144:jeZCM6FdLfHe646vq1auXLEfi3RIWAKGwJ9W5LuwqYvZAGTEVo7+Wejj:H3FdLf+8q1rIfCvFP9lYvZ5n7+Wejj

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2296	aig.EXE
2856	zmxzz.exe
2844	xzz.exe
752	svchost.exe

Loads dropped DLL 11 IoCs

pid	Process
2964	cdc8d30467f878d21baf759beed3e56c.exe
2964	cdc8d30467f878d21baf759beed3e56c.exe
2296	aig.EXE
2296	aig.EXE
2856	zmxzz.exe
2856	zmxzz.exe
2856	zmxzz.exe
2844	xzz.exe
2968	cmd.exe
2968	cmd.exe
752	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cdc8d30467f878d21baf759beed3e56c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	aig.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2956 set thread context of 2964	2956	cdc8d30467f878d21baf759beed3e56c.exe	28

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\addins\xzz.exe	zmxzz.exe
File created	C:\Windows\Fonts\anfagl.fon	svchost.exe
File created	C:\Windows\addins\__tmp_rar_sfx_access_check_259416090	zmxzz.exe
File created	C:\Windows\addins\svchost.exe	zmxzz.exe
File opened for modification	C:\Windows\addins\svchost.exe	zmxzz.exe
File created	C:\Windows\addins\xzz.exe	zmxzz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe
752	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	752	svchost.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2964	2956	cdc8d30467f878d21baf759beed3e56c.exe	28
PID 2956 wrote to memory of 2964	2956	cdc8d30467f878d21baf759beed3e56c.exe	28
PID 2956 wrote to memory of 2964	2956	cdc8d30467f878d21baf759beed3e56c.exe	28
PID 2956 wrote to memory of 2964	2956	cdc8d30467f878d21baf759beed3e56c.exe	28
PID 2956 wrote to memory of 2964	2956	cdc8d30467f878d21baf759beed3e56c.exe	28
PID 2956 wrote to memory of 2964	2956	cdc8d30467f878d21baf759beed3e56c.exe	28
PID 2964 wrote to memory of 2296	2964	cdc8d30467f878d21baf759beed3e56c.exe	29
PID 2964 wrote to memory of 2296	2964	cdc8d30467f878d21baf759beed3e56c.exe	29
PID 2964 wrote to memory of 2296	2964	cdc8d30467f878d21baf759beed3e56c.exe	29
PID 2964 wrote to memory of 2296	2964	cdc8d30467f878d21baf759beed3e56c.exe	29
PID 2964 wrote to memory of 2296	2964	cdc8d30467f878d21baf759beed3e56c.exe	29
PID 2964 wrote to memory of 2296	2964	cdc8d30467f878d21baf759beed3e56c.exe	29
PID 2964 wrote to memory of 2296	2964	cdc8d30467f878d21baf759beed3e56c.exe	29
PID 2296 wrote to memory of 2856	2296	aig.EXE	30
PID 2296 wrote to memory of 2856	2296	aig.EXE	30
PID 2296 wrote to memory of 2856	2296	aig.EXE	30
PID 2296 wrote to memory of 2856	2296	aig.EXE	30
PID 2296 wrote to memory of 2856	2296	aig.EXE	30
PID 2296 wrote to memory of 2856	2296	aig.EXE	30
PID 2296 wrote to memory of 2856	2296	aig.EXE	30
PID 2856 wrote to memory of 2844	2856	zmxzz.exe	31
PID 2856 wrote to memory of 2844	2856	zmxzz.exe	31
PID 2856 wrote to memory of 2844	2856	zmxzz.exe	31
PID 2856 wrote to memory of 2844	2856	zmxzz.exe	31
PID 2856 wrote to memory of 2844	2856	zmxzz.exe	31
PID 2856 wrote to memory of 2844	2856	zmxzz.exe	31
PID 2856 wrote to memory of 2844	2856	zmxzz.exe	31
PID 2844 wrote to memory of 2968	2844	xzz.exe	32
PID 2844 wrote to memory of 2968	2844	xzz.exe	32
PID 2844 wrote to memory of 2968	2844	xzz.exe	32
PID 2844 wrote to memory of 2968	2844	xzz.exe	32
PID 2844 wrote to memory of 2968	2844	xzz.exe	32
PID 2844 wrote to memory of 2968	2844	xzz.exe	32
PID 2844 wrote to memory of 2968	2844	xzz.exe	32
PID 2968 wrote to memory of 752	2968	cmd.exe	34
PID 2968 wrote to memory of 752	2968	cmd.exe	34
PID 2968 wrote to memory of 752	2968	cmd.exe	34
PID 2968 wrote to memory of 752	2968	cmd.exe	34
PID 2968 wrote to memory of 752	2968	cmd.exe	34
PID 2968 wrote to memory of 752	2968	cmd.exe	34
PID 2968 wrote to memory of 752	2968	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\cdc8d30467f878d21baf759beed3e56c.exe
"C:\Users\Admin\AppData\Local\Temp\cdc8d30467f878d21baf759beed3e56c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\cdc8d30467f878d21baf759beed3e56c.exe
  C:\Users\Admin\AppData\Local\Temp\cdc8d30467f878d21baf759beed3e56c.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aig.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aig.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zmxzz.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zmxzz.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\WINDOWS\addins\xzz.exe
        
        "C:\WINDOWS\addins\xzz.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2844
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt4182.bat
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\WINDOWS\addins\svchost.exe
        
        svchost.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bt4182.bat

Filesize
19B

MD5
e093c151f2211069df1699471ea12c63

SHA1
562cf4b672866a245484bd22deb474bf5a242f69

SHA256
da03e9cae4ce326b027f6bfd62c9ba4facccc66c43a3ebb33fc67aca244230bc

SHA512
8529c088a66aee3d126b8b0433912ae91edfb10cb51921c077eb9b807f95bf577df7c15e09b08db2afb1bef4e53f1c98044ed7190e7bf69fbc141d61a66c53c1

Download Submit
C:\WINDOWS\addins\svchost.exe

Filesize
5KB

MD5
59b4347af698338bdd937bf3664f595e

SHA1
303c7f201b89c6b4389f26366cb3fdc8c9670706

SHA256
a0e8c9e9ac5dc9a92445e64c68bb7dc343ef78bc1ddaeba4c2c30c5fb065b9c2

SHA512
4e2e344ea88eb3e388c3018328e8a1f029c293ccc92929d8a0aca44c686b01d134af47c77f299e83c1df904d0ba29330df950d285cba6ba8d0aff39edd0623cd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\aig.EXE

Filesize
231KB

MD5
f46d42000367f4913a17780dbf4ea4c8

SHA1
53094bce5c4806ce945c7d2d1ef554bcfbba7f8e

SHA256
14a1f2b09c97bdf6bf0820d458061dc351c27fc1c97c6d454149648ead9457e4

SHA512
23168d613e787b296ecd15a8c8200b445b6acd654fa657ffbdd49a999edcca7792ce590b0913d32ec8810f55bd49ebdc8de61fb562ceb7bab23c4243d54bfab7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\zmxzz.exe

Filesize
224KB

MD5
46fe2cad3f8f0d57724100e7762b3bad

SHA1
4713ef7f29132334a7401381b04f0e6db0da2b0f

SHA256
d4e9505910f9adec92437b8291fec48bfb343ad9c29fa8aa16db943bd5e458ed

SHA512
24d79a06a3a55b58a8585a7853eeb6d8dbcb482bfc9c065963878d27e43d521d682d6642a9427de46a8fd42e3f67dbe0659a853462e5f4fe2f8b5d53d32166ec

Download Submit
\Windows\addins\xzz.exe

Filesize
281KB

MD5
94df3e8a50a9b49e0788e4bb8bc7e1ab

SHA1
e1140511d54c69a992eeaa3b591533c1c2234eaa

SHA256
9ba46d08986a60901d1f6585d41361cad9c320a4e4fae61a43f7ba5655d9fe61

SHA512
d930fbc90b09d7490cb87a6eab46cd6b9430e7af4d2d9e6fe1cf4e083d4531ac728fdd4ca9c8dd6a2adee5c54810a7eb3b76cd8d2492e900c2af8eacbf0672fd

Download Submit
memory/752-54-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2844-50-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2856-39-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2956-4-0x0000000010000000-0x000000001004475C-memory.dmp

Filesize
273KB

Download
memory/2964-7-0x0000000001000000-0x0000000001044000-memory.dmp

Filesize
272KB

Download
memory/2964-0-0x0000000001000000-0x0000000001044000-memory.dmp

Filesize
272KB

Download
memory/2964-44-0x0000000001000000-0x0000000001044000-memory.dmp

Filesize
272KB

Download
memory/2964-6-0x0000000001000000-0x0000000001044000-memory.dmp

Filesize
272KB

Download
memory/2964-3-0x0000000001000000-0x0000000001044000-memory.dmp

Filesize
272KB

Download
memory/2964-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download