d929db0b4de9bed4c0750ad10440c81484f64e1f308689c0c56cdbe1bfe63b39

Analysis

max time kernel
92s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

138ff2ce9b173f8265df2a779714f1533ce9b51c1c9823b118a7fc654853ecde.exe
Size

33.9MB
MD5

8bca5e8930ba6be4bd9ba59bc4d2f237
SHA1

bd7a540af2662707c7b02871efea7e84085129fb
SHA256

138ff2ce9b173f8265df2a779714f1533ce9b51c1c9823b118a7fc654853ecde
SHA512

26945f56dc71ea5d3e5359202bc2098b23e31ad4fcf4a3fbdaade2aee2d2e50cf945c884bdf94dc5d949f14770d9d15dfc442cb58e0f50e368f58b3b923fafba
SSDEEP

786432:b3yJy4bYpVyTO9NQAR29u1ocoMnTtXTzr6vmU5JaYmZJR:LyJy4sjyTuNQN9aocoqJXTz2OSaFHR

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

admnstup.exe

pid process

4536 admnstup.exe
Loads dropped DLL 4 IoCs

Processes:

admnstup.exe

pid process

4536 admnstup.exe
4536 admnstup.exe
4536 admnstup.exe
4536 admnstup.exe

pid	process
4536	admnstup.exe

pid	process
4536	admnstup.exe
4536	admnstup.exe
4536	admnstup.exe
4536	admnstup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

138ff2ce9b173f8265df2a779714f1533ce9b51c1c9823b118a7fc654853ecde.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	138ff2ce9b173f8265df2a779714f1533ce9b51c1c9823b118a7fc654853ecde.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 21 IoCs

Processes:

admnstup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib\Version = "1.1"	admnstup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface	admnstup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A9C6E0-EFF2-101A-8185-00DD01108C6B}	admnstup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A9C6E0-EFF2-101A-8185-00DD01108C6B}\InprocHandler32\ = "ole32.dll"	admnstup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A9C6E0-EFF2-101A-8185-00DD01108C6B}\InprocHandler\ = "ole2.dll"	admnstup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A9C6E0-EFF2-101A-8185-00DD01108C6B}\InprocHandler32	admnstup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A9C6E0-EFF2-101A-8185-00DD01108C6B}\ProgID	admnstup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A9C6E0-EFF2-101A-8185-00DD01108C6B}\ProgID\ = "Access.OLE2Link"	admnstup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib	admnstup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib\ = "{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}"	admnstup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A9C6E0-EFF2-101A-8185-00DD01108C6B}\ = "OLE 2.0 Link"	admnstup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7A9C6E0-EFF2-101A-8185-00DD01108C6B}\InprocHandler	admnstup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface	admnstup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}	admnstup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}\TypeLib	admnstup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	admnstup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}	admnstup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib\ = "{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}"	admnstup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib\Version = "1.1"	admnstup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	admnstup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}\TypeLib	admnstup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

admnstup.exe

pid process

4536 admnstup.exe

pid	process
4536	admnstup.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

138ff2ce9b173f8265df2a779714f1533ce9b51c1c9823b118a7fc654853ecde.exe

description	pid	process	target process
PID 1444 wrote to memory of 4536	1444	138ff2ce9b173f8265df2a779714f1533ce9b51c1c9823b118a7fc654853ecde.exe	admnstup.exe
PID 1444 wrote to memory of 4536	1444	138ff2ce9b173f8265df2a779714f1533ce9b51c1c9823b118a7fc654853ecde.exe	admnstup.exe
PID 1444 wrote to memory of 4536	1444	138ff2ce9b173f8265df2a779714f1533ce9b51c1c9823b118a7fc654853ecde.exe	admnstup.exe

C:\Users\Admin\AppData\Local\Temp\138ff2ce9b173f8265df2a779714f1533ce9b51c1c9823b118a7fc654853ecde.exe
"C:\Users\Admin\AppData\Local\Temp\138ff2ce9b173f8265df2a779714f1533ce9b51c1c9823b118a7fc654853ecde.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1444

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\admnstup.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\admnstup.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4536

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSVCR71.dll
Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VFP9R.DLL
Filesize
4.5MB

MD5
074bd3b7cd21ea7e0013d62caee4dacf

SHA1
433cabb03b4ecfe4cc55ecee90d33b050a7240e4

SHA256
00e629266bab84966a2b386298f2f1ecc6c6e3c73efe2a8d15cde3a7c03d63c7

SHA512
3189d60d0e8e4745d83ec960f76784206ede98715d4503d64b1485b153f3d11deeac9ee7b8308009f23e13b99ad49fed8244f4f1411421830618cf48c001713a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VFP9RENU.DLL
Filesize
1.1MB

MD5
72cf503ed5085888009577aada63f6a3

SHA1
d1710217f6126554d33831e2f3d0ab95a93dd178

SHA256
de618974f0ac3865ec6ebd70137b9b69139cc1c9952ca089dd7370ad9b757981

SHA512
599837099bca17be4346b1a3c8fab3d1bf14c0a9a57ffd15fd32335c335452a981a2e37ad1c1d3c873ef306a336435b119ee87d35a0de82583b7eb140b233af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\accounts.sed
Filesize
2KB

MD5
a517c3da4484229a25a6cc4e56e17ce2

SHA1
72dda2adbf6e2ecb7f0be8067b84fc6b46653f08

SHA256
dd6f9bea6cae85d218a643be95a042e48503de4c2b3f2d30fa440c0ffc4c1006

SHA512
488618f51322fa89c1d3623ff0116e6d8ed6c1dde20d05ee9370ef0ad4a6c0279af3adcb2e7b1b4cb2416d050f57d510b95c5d9420aef8b089bca0a3a482f4d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\admnstup.exe
Filesize
2.1MB

MD5
a09f7349da288fe12d6ea2e9e5f04e21

SHA1
0538977c39d4f01b515cac86dbca6d395c8185d9

SHA256
10745b9a86c942d6559e2ad74593fb471cc1841e2b11dc6e37e240c4a7fcf105

SHA512
0329b1626f9f0afabf45b25de3115326d77a852704c991cb90a863b22e15c085f008b88eebc5e9d5aa3037d0550e550741bc1a98512baae7cc4590a84c44c8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gdiplus.dll
Filesize
1.6MB

MD5
4d328694bb516e46d2d184950d94433f

SHA1
9b31771a8c201b74c846da1f1a254866dc2f912d

SHA256
8199452af9e5289c126d0ff9d99f2302c52861ec49008702b7f95d64d316383c

SHA512
dadf21cb702e309ba0f271e13a9c3e9d4bdb5cdd79699d331242c988c591716c265c11fb5a35a8b0d5892861d1c6d519ace228f2d4fcf0d3e604e33be4fa7cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sys_is.DBF
Filesize
43KB

MD5
6d87707b9d936f89dcb30db009b5a7b6

SHA1
6a7710f5593f0cc28feacdc83235dabf69b5edbd

SHA256
1c6d1d5059d085c0ba330170ad13dbb29fb076f4d49033e3b484298464e7658c

SHA512
6dbc4511bd224b304fbf655ff4f68ec4cfb35d0b0696931109d0cdcf2b5cf0b454a4ae4db2468fa7e9e76ad318007b416971403b32e2069fec67493fa379bbe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sys_st.fpt
Filesize
512B

MD5
32faff29cfd5153d66cb4e8539dc0e76

SHA1
54f8bf9b8ccfce491f309d9566b6b9c7e9ce3c6a

SHA256
b11162605d45a90c5250b12fd0df62ed463de2ad7430d2f24033b57ca014f9ef

SHA512
ecf9f89928544b85ff8ab7d4f682a101fe821437ddc240f666fe70562806e54fed97b6e87e5859838a5a86bff041ede1c54cadacec8e5a850c4f06952b22dc61

Download Submit