Overview
overview
10Static
static
705b48b2909...29.exe
windows10-2004-x64
10143e14de3a...c5.exe
windows10-2004-x64
102c899ff55c...31.exe
windows10-2004-x64
102e0a9b6a39...9b.exe
windows10-2004-x64
104250b0250d...ee.exe
windows10-2004-x64
10464a716862...38.exe
windows10-2004-x64
104d09936a4a...bf.exe
windows10-2004-x64
1059c1607382...01.exe
windows10-2004-x64
1061f1416a77...2b.exe
windows10-2004-x64
1068ca177d42...f8.exe
windows7-x64
768ca177d42...f8.exe
windows10-2004-x64
76ba0db3b66...b3.exe
windows10-2004-x64
108b549a8688...5b.exe
windows10-2004-x64
10a8dffd83e4...8a.exe
windows10-2004-x64
7b6b53c7022...c9.exe
windows10-2004-x64
10ccc5c313f4...94.exe
windows10-2004-x64
10e04ecd64b5...1b.exe
windows7-x64
3e04ecd64b5...1b.exe
windows10-2004-x64
10e38bd93e74...28.exe
windows7-x64
3e38bd93e74...28.exe
windows10-2004-x64
10eab14d8dad...38.exe
windows10-2004-x64
10f943251c5b...1b.exe
windows10-2004-x64
10fb49b50c0d...90.exe
windows7-x64
3fb49b50c0d...90.exe
windows10-2004-x64
10Analysis
-
max time kernel
167s -
max time network
177s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
10-05-2024 13:20
Behavioral task
behavioral1
Sample
05b48b2909386e117184a0bdde8c6718992cf21d07674042c9d076292b260729.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
143e14de3ab20f2359132907b991db6a76d0d521ba132b83a736d149619409c5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
2c899ff55cbbdd4c5b9be75b0893daed295266b8392bd0365eb55f6acf67f731.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
2e0a9b6a39ce81b93beb155ac3c237f4a6b9248d6b872ed22bfdf8851796b19b.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
4250b0250d540350db8a017ad70a9992b46d70a0d5ab9438c3c0597af56f27ee.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
464a7168620633d6f4e27494eec6c1cedff2ae39e5ffda7f9913f43efd93bd38.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
4d09936a4a5e882005320c53757dc18469109b9f86d4b6003bb674e1658b0dbf.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
59c1607382fbf89bf1ce30ceb0a4e1724a81c2e855e91e5f12e07c396e822a01.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
68ca177d42ab79022ede5d703f2f3b4e3de42fc1ae56a531b50f66f3339721f8.exe
Resource
win7-20240221-en
Behavioral task
behavioral11
Sample
68ca177d42ab79022ede5d703f2f3b4e3de42fc1ae56a531b50f66f3339721f8.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
6ba0db3b66f5f3df269e1eb1b3241575d1ec8d58b19767274aae0af44946bbb3.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
8b549a868852eb291819180cd971dd7b163003efa16b8efacf685d2d5f879a5b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
ccc5c313f416465ffc57b4343c6e512d0568f618620aaa7b258b5d5721aaf394.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b.exe
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
e04ecd64b5614cc4103cdde760de6180002d85792ec28fa0beb64b385bf3f11b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228.exe
Resource
win7-20240508-en
Behavioral task
behavioral20
Sample
e38bd93e7494d62b91d0445138d215387c568aa6b6e9ae0a92842ba7b1999228.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
eab14d8dada2d5205db79e415c61561de2646a3a67f4615bfffa2f0c272f8738.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral22
Sample
f943251c5b3ff162faabeb09676429800f82298b7971cbfb3dee652de07b391b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral23
Sample
fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe
Resource
win7-20240508-en
Behavioral task
behavioral24
Sample
fb49b50c0d470063e9548552158ebf5137ca285f8cf0ccfe1a2ef2d44bbb4390.exe
Resource
win10v2004-20240426-en
General
-
Target
a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe
-
Size
3.5MB
-
MD5
2e74d6fa9f7ad6604f4474d3a88df538
-
SHA1
94ddd1699392c49aea7f9a610ed5487ea5d30a07
-
SHA256
a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a
-
SHA512
38725af1c782e2378327ed536ff71e50b429b0fa1eca4299ddaee229ff16d9a18cebfcb44db81d799dfa19278e9f8d961598c1a94c15001be8c8c9daba2667f5
-
SSDEEP
98304:yHWz45HmcCm7AKb1UcPwX7fVhIdG9k3kKoN:yHWzG1IBnwu
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
setup.exepid process 2308 setup.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe -
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
WMIC.exemsiexec.exedescription pid process Token: SeIncreaseQuotaPrivilege 1700 WMIC.exe Token: SeSecurityPrivilege 1700 WMIC.exe Token: SeTakeOwnershipPrivilege 1700 WMIC.exe Token: SeLoadDriverPrivilege 1700 WMIC.exe Token: SeSystemProfilePrivilege 1700 WMIC.exe Token: SeSystemtimePrivilege 1700 WMIC.exe Token: SeProfSingleProcessPrivilege 1700 WMIC.exe Token: SeIncBasePriorityPrivilege 1700 WMIC.exe Token: SeCreatePagefilePrivilege 1700 WMIC.exe Token: SeBackupPrivilege 1700 WMIC.exe Token: SeRestorePrivilege 1700 WMIC.exe Token: SeShutdownPrivilege 1700 WMIC.exe Token: SeDebugPrivilege 1700 WMIC.exe Token: SeSystemEnvironmentPrivilege 1700 WMIC.exe Token: SeRemoteShutdownPrivilege 1700 WMIC.exe Token: SeUndockPrivilege 1700 WMIC.exe Token: SeManageVolumePrivilege 1700 WMIC.exe Token: 33 1700 WMIC.exe Token: 34 1700 WMIC.exe Token: 35 1700 WMIC.exe Token: 36 1700 WMIC.exe Token: SeIncreaseQuotaPrivilege 1700 WMIC.exe Token: SeSecurityPrivilege 1700 WMIC.exe Token: SeTakeOwnershipPrivilege 1700 WMIC.exe Token: SeLoadDriverPrivilege 1700 WMIC.exe Token: SeSystemProfilePrivilege 1700 WMIC.exe Token: SeSystemtimePrivilege 1700 WMIC.exe Token: SeProfSingleProcessPrivilege 1700 WMIC.exe Token: SeIncBasePriorityPrivilege 1700 WMIC.exe Token: SeCreatePagefilePrivilege 1700 WMIC.exe Token: SeBackupPrivilege 1700 WMIC.exe Token: SeRestorePrivilege 1700 WMIC.exe Token: SeShutdownPrivilege 1700 WMIC.exe Token: SeDebugPrivilege 1700 WMIC.exe Token: SeSystemEnvironmentPrivilege 1700 WMIC.exe Token: SeRemoteShutdownPrivilege 1700 WMIC.exe Token: SeUndockPrivilege 1700 WMIC.exe Token: SeManageVolumePrivilege 1700 WMIC.exe Token: 33 1700 WMIC.exe Token: 34 1700 WMIC.exe Token: 35 1700 WMIC.exe Token: 36 1700 WMIC.exe Token: SeSecurityPrivilege 1516 msiexec.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.execmd.execmd.exedescription pid process target process PID 1448 wrote to memory of 788 1448 a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe cmd.exe PID 1448 wrote to memory of 788 1448 a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe cmd.exe PID 1448 wrote to memory of 788 1448 a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe cmd.exe PID 788 wrote to memory of 1960 788 cmd.exe cmd.exe PID 788 wrote to memory of 1960 788 cmd.exe cmd.exe PID 788 wrote to memory of 1960 788 cmd.exe cmd.exe PID 1960 wrote to memory of 1736 1960 cmd.exe reg.exe PID 1960 wrote to memory of 1736 1960 cmd.exe reg.exe PID 1960 wrote to memory of 1736 1960 cmd.exe reg.exe PID 788 wrote to memory of 1700 788 cmd.exe WMIC.exe PID 788 wrote to memory of 1700 788 cmd.exe WMIC.exe PID 788 wrote to memory of 1700 788 cmd.exe WMIC.exe PID 788 wrote to memory of 2308 788 cmd.exe setup.exe PID 788 wrote to memory of 2308 788 cmd.exe setup.exe PID 788 wrote to memory of 2308 788 cmd.exe setup.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe"C:\Users\Admin\AppData\Local\Temp\a8dffd83e4ed96b525aa095a5fdbe826aa6409b97419dc8c1ab463bac16a438a.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.cmd2⤵
- Suspicious use of WriteProcessMemory
PID:788 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" /v Release 2>nul3⤵
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" /v Release4⤵PID:1736
-
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic product where name="FiatLink" call uninstall3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1700
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exeSetup.exe3⤵
- Executes dropped EXE
PID:2308
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4440 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:81⤵PID:2996
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1516
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
556B
MD51f4c5332b3e3f7668c6c0fbd730ef6f7
SHA1f68d224c39e3d472a4cadfbad6f9f3a57ae6f643
SHA2562f31c813c6d6c132fdfc1c09cf995944170db0a382f799d9dc32c249407e966c
SHA512df673b727e5853716de4803d2ce98054a46dfdbcfbb7a7523e8fc34aa4c7fbd3354ea5990e6abf511606bf917c3e50e3bb5489a0f10572dd9aa1e9dea23818ea
-
Filesize
598B
MD583a8232021f3f7690a57948dd1fd3f53
SHA1785cab55143c51cf13714c7c3827e0324a767b62
SHA2565bc380a39e687d214b52d425634db1490a44c4e56ae4be1658275a5282db00f0
SHA512b9347fb089d2f81f61b40c830a578f47614e48da573ba318b020cc89dcfb65fd50a5dcfdba6e8bf6b5eb914ab441fd461db6ebadfa043b008e92018dee3383a1
-
Filesize
510KB
MD5a71a3c02f397b830524176f5e7545723
SHA1d15dfb49314fd2de949b223837b14e9156355122
SHA2565a8925e95d243ffaeda81be2210fea56fa4e9626484cfadf59da95b485a17ddf
SHA512a3ba63d54c6afc715bb1e28c90d678ca4f3db6ff8e6a572d984f9c9efaa0fd83a512226aba06a0bf1bdab9780cf922c212b7a9be2e134cec0d395916978b0bb2