47203fc7445c1e0e06643f363dd7d86ccc46b70ab234e5fbfe72badfdd6704ae

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb23946a76bf1590eafdacfb8f44604c986536b0b24a3b11f0aa7f8eb4722829.exe
Size

908KB
MD5

a3bea3c18870dbaa2c6832ee2a3f75e4
SHA1

901488b975632e3a2f69a1664fcbb791948b0963
SHA256

eb23946a76bf1590eafdacfb8f44604c986536b0b24a3b11f0aa7f8eb4722829
SHA512

39d2d54433770f5855204506501c06c06e9a0ebca82b5a332833ba14054e4f2329d6872ff38fcf30288f2613614e28b68fa6f059bb2d042bb35a2badf143f912
SSDEEP

12288:lMr9y90hbegZ6/VgVqr3o+asbZc87BUD55HyPjixx0mOYaSc2G8IQo4Ha/mLu:QyuebgVqUsV3B+iPjiUmOkc2G8g4YN

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

fj3pA38.exeTI5qL21.exe3Ha16MF.exe

pid process

1148 fj3pA38.exe
216 TI5qL21.exe
3580 3Ha16MF.exe

pid	process
1148	fj3pA38.exe
216	TI5qL21.exe
3580	3Ha16MF.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

eb23946a76bf1590eafdacfb8f44604c986536b0b24a3b11f0aa7f8eb4722829.exefj3pA38.exeTI5qL21.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	eb23946a76bf1590eafdacfb8f44604c986536b0b24a3b11f0aa7f8eb4722829.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	fj3pA38.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	TI5qL21.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

eb23946a76bf1590eafdacfb8f44604c986536b0b24a3b11f0aa7f8eb4722829.exefj3pA38.exeTI5qL21.exe

description	pid	process	target process
PID 3932 wrote to memory of 1148	3932	eb23946a76bf1590eafdacfb8f44604c986536b0b24a3b11f0aa7f8eb4722829.exe	fj3pA38.exe
PID 3932 wrote to memory of 1148	3932	eb23946a76bf1590eafdacfb8f44604c986536b0b24a3b11f0aa7f8eb4722829.exe	fj3pA38.exe
PID 3932 wrote to memory of 1148	3932	eb23946a76bf1590eafdacfb8f44604c986536b0b24a3b11f0aa7f8eb4722829.exe	fj3pA38.exe
PID 1148 wrote to memory of 216	1148	fj3pA38.exe	TI5qL21.exe
PID 1148 wrote to memory of 216	1148	fj3pA38.exe	TI5qL21.exe
PID 1148 wrote to memory of 216	1148	fj3pA38.exe	TI5qL21.exe
PID 216 wrote to memory of 3580	216	TI5qL21.exe	3Ha16MF.exe
PID 216 wrote to memory of 3580	216	TI5qL21.exe	3Ha16MF.exe
PID 216 wrote to memory of 3580	216	TI5qL21.exe	3Ha16MF.exe

C:\Users\Admin\AppData\Local\Temp\eb23946a76bf1590eafdacfb8f44604c986536b0b24a3b11f0aa7f8eb4722829.exe
"C:\Users\Admin\AppData\Local\Temp\eb23946a76bf1590eafdacfb8f44604c986536b0b24a3b11f0aa7f8eb4722829.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3932

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fj3pA38.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fj3pA38.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1148

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TI5qL21.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TI5qL21.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:216

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Ha16MF.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Ha16MF.exe
4⤵
- Executes dropped EXE
PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fj3pA38.exe

Filesize
783KB

MD5
797475ed48d4c9f32269f59cfe4ba585

SHA1
749b45513f41259189b8a8f2479ca86b5e081a6a

SHA256
cea6e9e7e4b91e44e6c7019956fb407a28475957fa0b233363a5f981d4e22220

SHA512
42f67ce436101c94fc42d901946c24aad84e8176de2e3d3c22738b0346961fdbe71de0851e273abacc5eed388d2ab5532dfd751346ac1b585a7b7f96fede0d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TI5qL21.exe

Filesize
420KB

MD5
c1b793dc1e83fab1f3ed92fe2590d8f3

SHA1
3364a0eb9f48668970e3d5396b1397135d47ca64

SHA256
887c7850b590d7ba0009d00d6ead3ac7a81c00957a069053a2084fd44508687a

SHA512
89da3b851cf3a0c419cfdb611785202c13fed380ecc09947ce72630332952671a1838698c1529927f9e2c17f05c80fc51cbb79015175bb820d72c880059f9cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Ha16MF.exe

Filesize
369KB

MD5
b875c9765e1c3730c546c7194d5f9dd6

SHA1
9362f475b850b19b75efad51b3699546b41535e6

SHA256
bc06df3787b0f3e135c46f782525c3ecd832f18dd238789efe5d19e3812f030e

SHA512
60954e983ca7c5c2622538dcd4a761f75a71a3f40754b21b59bb7d16faa675b5078669041c53bc2de301af9a225aaabcea53db68b6121e925b2abeeacd4b489d

Download Submit