e6564b70fa3d9a9e989ad7c1bb2b027f2e5447273c0bb64f84c7940828ecb0ed

Analysis

max time kernel
167s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe
Size

3.5MB
MD5

2e74d6fa9f7ad6604f4474d3a88df538
SHA1

94ddd1699392c49aea7f9a610ed5487ea5d30a07
SHA256

a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a
SHA512

38725af1c782e2378327ed536ff71e50b429b0fa1eca4299ddaee229ff16d9a18cebfcb44db81d799dfa19278e9f8d961598c1a94c15001be8c8c9daba2667f5
SSDEEP

98304:yHWz45HmcCm7AKb1UcPwX7fVhIdG9k3kKoN:yHWzG1IBnwu

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

setup.exe

pid process

2308 setup.exe

pid	process
2308	setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

WMIC.exemsiexec.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1700	WMIC.exe
Token: SeSecurityPrivilege	1700	WMIC.exe
Token: SeTakeOwnershipPrivilege	1700	WMIC.exe
Token: SeLoadDriverPrivilege	1700	WMIC.exe
Token: SeSystemProfilePrivilege	1700	WMIC.exe
Token: SeSystemtimePrivilege	1700	WMIC.exe
Token: SeProfSingleProcessPrivilege	1700	WMIC.exe
Token: SeIncBasePriorityPrivilege	1700	WMIC.exe
Token: SeCreatePagefilePrivilege	1700	WMIC.exe
Token: SeBackupPrivilege	1700	WMIC.exe
Token: SeRestorePrivilege	1700	WMIC.exe
Token: SeShutdownPrivilege	1700	WMIC.exe
Token: SeDebugPrivilege	1700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1700	WMIC.exe
Token: SeRemoteShutdownPrivilege	1700	WMIC.exe
Token: SeUndockPrivilege	1700	WMIC.exe
Token: SeManageVolumePrivilege	1700	WMIC.exe
Token: 33	1700	WMIC.exe
Token: 34	1700	WMIC.exe
Token: 35	1700	WMIC.exe
Token: 36	1700	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1700	WMIC.exe
Token: SeSecurityPrivilege	1700	WMIC.exe
Token: SeTakeOwnershipPrivilege	1700	WMIC.exe
Token: SeLoadDriverPrivilege	1700	WMIC.exe
Token: SeSystemProfilePrivilege	1700	WMIC.exe
Token: SeSystemtimePrivilege	1700	WMIC.exe
Token: SeProfSingleProcessPrivilege	1700	WMIC.exe
Token: SeIncBasePriorityPrivilege	1700	WMIC.exe
Token: SeCreatePagefilePrivilege	1700	WMIC.exe
Token: SeBackupPrivilege	1700	WMIC.exe
Token: SeRestorePrivilege	1700	WMIC.exe
Token: SeShutdownPrivilege	1700	WMIC.exe
Token: SeDebugPrivilege	1700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1700	WMIC.exe
Token: SeRemoteShutdownPrivilege	1700	WMIC.exe
Token: SeUndockPrivilege	1700	WMIC.exe
Token: SeManageVolumePrivilege	1700	WMIC.exe
Token: 33	1700	WMIC.exe
Token: 34	1700	WMIC.exe
Token: 35	1700	WMIC.exe
Token: 36	1700	WMIC.exe
Token: SeSecurityPrivilege	1516	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.execmd.execmd.exe

description	pid	process	target process
PID 1448 wrote to memory of 788	1448	a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe	cmd.exe
PID 1448 wrote to memory of 788	1448	a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe	cmd.exe
PID 1448 wrote to memory of 788	1448	a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe	cmd.exe
PID 788 wrote to memory of 1960	788	cmd.exe	cmd.exe
PID 788 wrote to memory of 1960	788	cmd.exe	cmd.exe
PID 788 wrote to memory of 1960	788	cmd.exe	cmd.exe
PID 1960 wrote to memory of 1736	1960	cmd.exe	reg.exe
PID 1960 wrote to memory of 1736	1960	cmd.exe	reg.exe
PID 1960 wrote to memory of 1736	1960	cmd.exe	reg.exe
PID 788 wrote to memory of 1700	788	cmd.exe	WMIC.exe
PID 788 wrote to memory of 1700	788	cmd.exe	WMIC.exe
PID 788 wrote to memory of 1700	788	cmd.exe	WMIC.exe
PID 788 wrote to memory of 2308	788	cmd.exe	setup.exe
PID 788 wrote to memory of 2308	788	cmd.exe	setup.exe
PID 788 wrote to memory of 2308	788	cmd.exe	setup.exe

C:\Users\Admin\AppData\Local\Temp\a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe
"C:\Users\Admin\AppData\Local\Temp\a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" /v Release 2>nul
3⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\reg.exe
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" /v Release
4⤵
PID:1736

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic product where name="FiatLink" call uninstall
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
Setup.exe
3⤵
- Executes dropped EXE
PID:2308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4440 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:2996

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CheckNF.bat
Filesize
556B

MD5
1f4c5332b3e3f7668c6c0fbd730ef6f7

SHA1
f68d224c39e3d472a4cadfbad6f9f3a57ae6f643

SHA256
2f31c813c6d6c132fdfc1c09cf995944170db0a382f799d9dc32c249407e966c

SHA512
df673b727e5853716de4803d2ce98054a46dfdbcfbb7a7523e8fc34aa4c7fbd3354ea5990e6abf511606bf917c3e50e3bb5489a0f10572dd9aa1e9dea23818ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.cmd
Filesize
598B

MD5
83a8232021f3f7690a57948dd1fd3f53

SHA1
785cab55143c51cf13714c7c3827e0324a767b62

SHA256
5bc380a39e687d214b52d425634db1490a44c4e56ae4be1658275a5282db00f0

SHA512
b9347fb089d2f81f61b40c830a578f47614e48da573ba318b020cc89dcfb65fd50a5dcfdba6e8bf6b5eb914ab441fd461db6ebadfa043b008e92018dee3383a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
Filesize
510KB

MD5
a71a3c02f397b830524176f5e7545723

SHA1
d15dfb49314fd2de949b223837b14e9156355122

SHA256
5a8925e95d243ffaeda81be2210fea56fa4e9626484cfadf59da95b485a17ddf

SHA512
a3ba63d54c6afc715bb1e28c90d678ca4f3db6ff8e6a572d984f9c9efaa0fd83a512226aba06a0bf1bdab9780cf922c212b7a9be2e134cec0d395916978b0bb2

Download Submit