dcf4e78aa4f4a43375e6c66a708f11e84986bd1f7bacc1564324e028fcba76f4

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad4ff817f44ff7266fb94f8757fc6afe62664e7c937dabddb1878c1ca9407cf4.exe
Size

430KB
MD5

fc7df24f11e087d817e2abee603f906f
SHA1

566e926835f33aa194eee9faba8f12010abdef85
SHA256

ad4ff817f44ff7266fb94f8757fc6afe62664e7c937dabddb1878c1ca9407cf4
SHA512

5bbc81b096941272c6400b939c5715ca2d570a3e395a389af8c7c365c10adb54152bbe3f9f49939cbe617d0ad666ddebe2d7394f3c0126c256310b88641d0143
SSDEEP

6144:KHy+bnr+Dp0yN90QECGagwOJbG6eYFJSj0X7DVCXGrLVZOxnZY16fWb6p8Zhq8R:JMrLy90oGagZJIOxXtCMZ6ZmTc8/Rzs

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1808	2ta2846.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ad4ff817f44ff7266fb94f8757fc6afe62664e7c937dabddb1878c1ca9407cf4.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 1808	908	ad4ff817f44ff7266fb94f8757fc6afe62664e7c937dabddb1878c1ca9407cf4.exe	82
PID 908 wrote to memory of 1808	908	ad4ff817f44ff7266fb94f8757fc6afe62664e7c937dabddb1878c1ca9407cf4.exe	82
PID 908 wrote to memory of 1808	908	ad4ff817f44ff7266fb94f8757fc6afe62664e7c937dabddb1878c1ca9407cf4.exe	82

C:\Users\Admin\AppData\Local\Temp\ad4ff817f44ff7266fb94f8757fc6afe62664e7c937dabddb1878c1ca9407cf4.exe
"C:\Users\Admin\AppData\Local\Temp\ad4ff817f44ff7266fb94f8757fc6afe62664e7c937dabddb1878c1ca9407cf4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:908
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2ta2846.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2ta2846.exe
  2⤵
  - Executes dropped EXE
  PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2ta2846.exe

Filesize
415KB

MD5
198bbd965b034332484a7d82c3e1703a

SHA1
fbb41508c78f0b441bf3dc2ba8952d7fab98295d

SHA256
bff9729625417b5f305b6445a526cc231dd2dfc9187d05d6ffe85c475f406148

SHA512
53783379a8f087348e665180863fbffb39692fd06201178608677a74295088238e19f29bad641bbd861ef1492c3a71c63fe2b2a1aa61e9d343697c173a05e43e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads