Analysis
- max time kernel: 70s
- max time network: 68s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 01:15

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: executerx.exe
- Resource: win10v2004-20240508-en
General
- Target: executerx.exe
- Size: 184KB
- MD5: df73a80625a2d1e323138b56c7f727c4
- SHA1: 78a441797c4e69a439c340807853539c12b10911
- SHA256: d0f3ce3f0230b9bbf0fd12f585feece341f66b904e98b6100f5973149e8c5273
- SHA512: e10960ef4421ef996698f36cc9ec47775c43225ecf68873b10aca4b595eb3d0b40469adac701943bdc0073f59bca7fc0ef78683975590fb87a46516b0d7f014c
- SSDEEP: 3072:+MobR7ezAjLOZvmX185GWp1icKAArDZz4N9GhbkrNEk47hGCQ:jeR7eammkp0yN90QEb
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: executerx.exe, executerx.exe, executerx.exe, executerx.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | executerx.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | executerx.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | executerx.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | executerx.exe

- Opens file in notepad (likely ransom note) (1 IoCs)
  Processes: NOTEPAD.EXE
  pid | process
  640 | NOTEPAD.EXE

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: executerx.exe, executerx.exe, executerx.exe, executerx.exe
  description | pid | process | target process
  PID 1796 wrote to memory of 3592 | 1796 | executerx.exe | cmd.exe
  PID 1796 wrote to memory of 3592 | 1796 | executerx.exe | cmd.exe
  PID 4868 wrote to memory of 4572 | 4868 | executerx.exe | cmd.exe
  PID 4868 wrote to memory of 4572 | 4868 | executerx.exe | cmd.exe
  PID 1064 wrote to memory of 1044 | 1064 | executerx.exe | cmd.exe
  PID 1064 wrote to memory of 1044 | 1064 | executerx.exe | cmd.exe
  PID 4488 wrote to memory of 416 | 4488 | executerx.exe | cmd.exe
  PID 4488 wrote to memory of 416 | 4488 | executerx.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\executerx.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\executerx.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c executer.bat

- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Users\Admin\AppData\Local\Temp\executerx.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\executerx.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c executer.bat

- C:\Users\Admin\AppData\Local\Temp\executerx.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\executerx.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c executer.bat

- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI5D30.txt
  - Opens file in notepad (likely ransom note)

- C:\Users\Admin\AppData\Local\Temp\executerx.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\executerx.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c executer.bat

- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\executer.bat" "
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\executer.bat
  Filesize: 52B
  MD5: d4ca0691c8fe9b123d9e2cc63e06d834
  SHA1: de001ec550d1f763382cfdac910bcd696ddac07c
  SHA256: 2e1a20d4767f3b5b86d450c423175cf450c69fb4b7010199bb5aa777998d571c
  SHA512: 6c17f154251b0da59a0061b32aa17a9d3beaec890620deed230fea36448e5b83d09d9d672f7d6847c42ef357a88621a762269044ddfb42ad5524fb9ac29555cc