d0f3ce3f0230b9bbf0fd12f585feece341f66b904e98b6100f5973149e8c5273

Analysis

max time kernel
70s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

executerx.exe
Size

184KB
MD5

df73a80625a2d1e323138b56c7f727c4
SHA1

78a441797c4e69a439c340807853539c12b10911
SHA256

d0f3ce3f0230b9bbf0fd12f585feece341f66b904e98b6100f5973149e8c5273
SHA512

e10960ef4421ef996698f36cc9ec47775c43225ecf68873b10aca4b595eb3d0b40469adac701943bdc0073f59bca7fc0ef78683975590fb87a46516b0d7f014c
SSDEEP

3072:+MobR7ezAjLOZvmX185GWp1icKAArDZz4N9GhbkrNEk47hGCQ:jeR7eammkp0yN90QEb

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

executerx.exeexecuterx.exeexecuterx.exeexecuterx.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	executerx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	executerx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	executerx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	executerx.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

640 NOTEPAD.EXE

pid	process
640	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

executerx.exeexecuterx.exeexecuterx.exeexecuterx.exe

description	pid	process	target process
PID 1796 wrote to memory of 3592	1796	executerx.exe	cmd.exe
PID 1796 wrote to memory of 3592	1796	executerx.exe	cmd.exe
PID 4868 wrote to memory of 4572	4868	executerx.exe	cmd.exe
PID 4868 wrote to memory of 4572	4868	executerx.exe	cmd.exe
PID 1064 wrote to memory of 1044	1064	executerx.exe	cmd.exe
PID 1064 wrote to memory of 1044	1064	executerx.exe	cmd.exe
PID 4488 wrote to memory of 416	4488	executerx.exe	cmd.exe
PID 4488 wrote to memory of 416	4488	executerx.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\executerx.exe
"C:\Users\Admin\AppData\Local\Temp\executerx.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SYSTEM32\cmd.exe
cmd /c executer.bat
2⤵
PID:3592

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3812

C:\Users\Admin\AppData\Local\Temp\executerx.exe
"C:\Users\Admin\AppData\Local\Temp\executerx.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\SYSTEM32\cmd.exe
cmd /c executer.bat
2⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\executerx.exe
"C:\Users\Admin\AppData\Local\Temp\executerx.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SYSTEM32\cmd.exe
cmd /c executer.bat
2⤵
PID:1044

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI5D30.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:640

C:\Users\Admin\AppData\Local\Temp\executerx.exe
"C:\Users\Admin\AppData\Local\Temp\executerx.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\SYSTEM32\cmd.exe
cmd /c executer.bat
2⤵
PID:416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\executer.bat" "
1⤵
PID:2964

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\executer.bat
Filesize
52B

MD5
d4ca0691c8fe9b123d9e2cc63e06d834

SHA1
de001ec550d1f763382cfdac910bcd696ddac07c

SHA256
2e1a20d4767f3b5b86d450c423175cf450c69fb4b7010199bb5aa777998d571c

SHA512
6c17f154251b0da59a0061b32aa17a9d3beaec890620deed230fea36448e5b83d09d9d672f7d6847c42ef357a88621a762269044ddfb42ad5524fb9ac29555cc

Download Submit