900ef3b7a51212972a056a8003d5da045292550f02ce2ea6077779b21e24de52

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
16/03/2024, 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdc235cf0606019efe98f87355be2ff3.exe
Size

651KB
MD5

cdc235cf0606019efe98f87355be2ff3
SHA1

c5ed9231a024281f5874a54cf6dbc4d61f3070bb
SHA256

900ef3b7a51212972a056a8003d5da045292550f02ce2ea6077779b21e24de52
SHA512

424d02fa2f6a67e3a465d943ab3e3064a8795b587e7e288832e0d2829441ca5870f9251d4ec96f77f689826640ffb7e65c00bd707dd0ae52e0f30a29e0166e5d
SSDEEP

12288:7JSI+8rahwm9WehVCtyqXVb/G1lz67Xrkzy3hZuPW2+sCvPVdqu:7YI+8ejgMQXVbe1lz67Azy7yW2+s0t

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1900	CNET2_~1.EXE

Loads dropped DLL 2 IoCs

pid	Process
2220	cdc235cf0606019efe98f87355be2ff3.exe
1900	CNET2_~1.EXE

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x003900000001340c-4.dat	upx
behavioral1/memory/2220-7-0x0000000002780000-0x000000000288D000-memory.dmp	upx
behavioral1/memory/1900-25-0x0000000000400000-0x000000000050D000-memory.dmp	upx
behavioral1/memory/1900-125-0x0000000000400000-0x000000000050D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cdc235cf0606019efe98f87355be2ff3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	CNET2_~1.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1900	CNET2_~1.EXE
1900	CNET2_~1.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1900	2220	cdc235cf0606019efe98f87355be2ff3.exe	28
PID 2220 wrote to memory of 1900	2220	cdc235cf0606019efe98f87355be2ff3.exe	28
PID 2220 wrote to memory of 1900	2220	cdc235cf0606019efe98f87355be2ff3.exe	28
PID 2220 wrote to memory of 1900	2220	cdc235cf0606019efe98f87355be2ff3.exe	28
PID 2220 wrote to memory of 1900	2220	cdc235cf0606019efe98f87355be2ff3.exe	28
PID 2220 wrote to memory of 1900	2220	cdc235cf0606019efe98f87355be2ff3.exe	28
PID 2220 wrote to memory of 1900	2220	cdc235cf0606019efe98f87355be2ff3.exe	28

C:\Users\Admin\AppData\Local\Temp\cdc235cf0606019efe98f87355be2ff3.exe
"C:\Users\Admin\AppData\Local\Temp\cdc235cf0606019efe98f87355be2ff3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CNET2_~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CNET2_~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ish259394546\bootstrap_8546.html

Filesize
156B

MD5
1ea9e5b417811379e874ad4870d5c51a

SHA1
a4bd01f828454f3619a815dbe5423b181ec4051c

SHA256
f076773a6e3ae0f1cee3c69232779a1aaaf05202db472040c0c8ea4a70af173a

SHA512
965c10d2aa5312602153338da873e8866d2782e0cf633befe5a552b770e08abf47a4d2e007cdef7010c212ebcb9fefea5610c41c7ed1553440eaeab7ddd72daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259394546\css\main.css

Filesize
4KB

MD5
1d7b7d4b58ae79b4c4cadde36b409242

SHA1
e3531bb7b293dd813c4b1a5481e71cb40b0e316a

SHA256
3826a540a97d51774fe379434fd4044bbf2b3e31452e684e38f5da1d31f0d68e

SHA512
c17d99b298aa64861fdea1ec5440f16bb7aed282e232610d4440c050018cbaba2a6c88446e13cc610f8903c2b2f48c819f9defec0845ef6e23ffe72f9b13d8b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259394546\css\progress-bar.css

Filesize
508B

MD5
e1fcf8b6066af9a266ae34738ed5c000

SHA1
4d1079ccdfe311b77177bed54163c7cc73d7d1be

SHA256
d6021b1977f3c67cb78981b0b19be54d3a702bbc6c5320bb95b7226e69b5fe1a

SHA512
5412b3e83587086f67cc0a4b3b12f828d76b54954b47ff61a9fd6e593cee2a6207fc135c7159808c085a80ffbb7b089198b417859a44d788b4994b561a9f41ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259394546\images\green_btn.png

Filesize
485B

MD5
b570ea77375823be8510c0f27768ed62

SHA1
096ed270c93ad811039738b7fb53e05eaae7f4bb

SHA256
5fbbad89a2ab5257aacd3fd525d684443c5c4b07f2b47d58357091ce00ff743c

SHA512
3c9829c52521d537a530a9d695b48b67a33fe68e4ec7edc8cd09a7f1a989432ee33276dd9005c8c15d1aa5dddc7d23deea6a0213194a80363935ad702ac56cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259394546\images\grey_btn.png

Filesize
360B

MD5
501821d95e958528fed4747e4190b39f

SHA1
70e3c15d3ce5853a67aa741ec701d3af307d7bd9

SHA256
562aade6e95f22e50010c9ff189c36bf4be9390fa4060a0bc2f1217119c84417

SHA512
0c45ab94c5302c8ee4ec52acd2a293c4d4993f7bc1834e9c46794b2db85fb4a845062f2d6538aba358e1b94d9dd4d1f370d58d8b9f5b46062ab8e9e06fa8e05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259394546\images\loader.gif

Filesize
7KB

MD5
edb71146254d3b8ebae18607e801398c

SHA1
8775027da6f6cc19c72d20c7f1615a01112e5d3c

SHA256
3e3610a947c3c6ced9971d16d4231ee3699f71f404894da4ce39090a8170c71a

SHA512
4eb29933fcaed8ad368309377bdcf69cb4e9f469d0c882d5ddd2fa3b0723d0ced29480ec024cab44b86b737351d49471d58601b121bb380079c5c696164f8d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259394546\images\main.png

Filesize
21KB

MD5
1a2ad75c0af449d5719473655ef5af04

SHA1
82c5ba738b9cd2508ea2d69da7985d586a4f0dca

SHA256
7fd43f4e80aac98a7586ba5fbe951cdbe19dcb99fd41471e9e6e73e1f79ecab7

SHA512
0db8650d8a272d9aaf0ecfe7077928ab771ffca575bc52d5c08b8c0797b77c3b60dbc0a7c7c39920b4ab98c22604d0ae43a4ccee12441c85a50e3da8402968f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259394546\images\offer_box2.png

Filesize
2KB

MD5
61f74251810068cb9edaeaada3c50d29

SHA1
3b779b8e723ca1e1e73ac534a2d415a18fb2db6e

SHA256
245213c4b0f5af429823ec4f0b9f3fcf0dfee92f049cf053b630feb4e4cefc23

SHA512
dda26dd5417150291c60d452724dc10881f888ec4717d0066b01845c0a5a97cec17149658cffce2f8a3c5ab642013d6ca462e1e8820bd383dfad51bd32c70409

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259394546\images\pause_btn.png

Filesize
982B

MD5
14b92cbe22ef5a31a5533d0ab114537e

SHA1
e428f1b0236f7a85faf045237a7cd29a305d936c

SHA256
a2226e2f7dd1ea319e49b1ff1d277a44b35a314ea6d32be1832e71ddebcc18ba

SHA512
b585c5852960d89726d97ddb8e757abe0d36bfb2b5c91a30885e299728d836a048c7a3c5b5e85fbd514e2217d547330d816de497f38204578d333654c8d19f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259394546\images\progress_bar.png

Filesize
456B

MD5
26588a39e960e2f5ba70fc082a8f02af

SHA1
116b62c07995d60f9bfc492296cc9c5c5a1ad26a

SHA256
97210d3d0cbce804baef4efa6c2a01e52cbc30047d849d37201450455f45f652

SHA512
ee722e9b4bf56d154216ff1d3b2b0b5df5d714092da8741bb25e5c2deab239c20501da31d8d07c212eac5404a36a58b25ba74263c0a22aab7f430b429ae093da

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259394546\images\resume_btn.png

Filesize
985B

MD5
05e22e0225f53b69a44b443540c20324

SHA1
af5eb7ebf4f053b17d19a678ec84c329e632b2df

SHA256
139ff055cec5379c1b58b9b1eb1f205890c5464f58f86eee80f9bc938857705a

SHA512
1c754458da075e504f3463cb72d683b8affa553a39083a2565ebe2e664ebf3400546bc687e0058097d256f86f0cc538439178ad8ee0c91abaa745c1bf977dbc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259394546\images\secure_dwnl.png

Filesize
2KB

MD5
6f2b1f7689b06eef2d9c4e5e00b9ee2e

SHA1
bdb0b30006af53427194ea79f0615992cb84a99b

SHA256
a85622887fc7b035edf0ff9b7e296768cea04fa4a7dfebbd149e383837c96d70

SHA512
930da8f935f8a186a3f5ebb45a74872942cdaa4cb46bfdda0fd5fef589ec51364d6e43eb0173310642da8978edaf60662d2a78519d80fae3fe1bc23bc7b570d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259394546\images\welcome_prod_box.png

Filesize
1KB

MD5
93791bdb5453514a501ad84985b69824

SHA1
4fd167c14ddbc76472082c3c5adb37052c96d6c0

SHA256
0a771df975a8a733eed11854702075ac0858954fd322d7d58bc68d59792cfe7d

SHA512
e36729aa139cd63205e966231663fb9b1e69ab39a43c45d80244a81f8d08722e240f3d7af1acc6bb935830dc77946c00648971a26058ab0e14925259fbe330a2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CNET2_~1.EXE

Filesize
452KB

MD5
80bdcda05aef6d8dd683bd1cc2038422

SHA1
4302b1f2816295e17887abe9149e0faff2e35f0c

SHA256
88fc9e979cd2fd36c9a623591acdff6bdc21990ac442eda10b6de37ed0a9176c

SHA512
a700828a4c9e69354a23403579e71ecd44deeedcbb857f37e1a7b50b7c7950552193f7b2b27b60aaa48d608c315cc971f7d8a4b2e7360370ed0433bdc3e05109

Download Submit
memory/1900-25-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1900-11-0x0000000000510000-0x000000000061D000-memory.dmp

Filesize
1.1MB

Download
memory/1900-125-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1900-127-0x0000000000510000-0x000000000061D000-memory.dmp

Filesize
1.1MB

Download
memory/2220-7-0x0000000002780000-0x000000000288D000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads