5eb722b1af29eaaa64b029ffc54dddae92acbb9c1b778b6bc51551329ed241e8

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40d8e0aa1d01acecacb5b454de82773c5a4b5f13ec3abf8ee0ce0c906690a918.exe
Size

903KB
MD5

468625bfbc5b9c6f04d805bfa3e1546a
SHA1

c39e0852f79372afd720d45fada6fb3906d8fc35
SHA256

40d8e0aa1d01acecacb5b454de82773c5a4b5f13ec3abf8ee0ce0c906690a918
SHA512

24a8e52c281133cdc127f7e8e1ea23e0ecf57ae38247e6b63115159e11b746050b405d7d7626b2fd79283bff59ebdf3c390c2df40ca5965e0c7d0344ef98250f
SSDEEP

24576:Iydo+8kfdQKKtL/CJNyci1baTTnXT11Lp1ftA:PdB8kiKCL/CJAP1bafnXDpJt

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

11ri7807.exe

pid process

4028 11ri7807.exe

pid	process
4028	11ri7807.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

40d8e0aa1d01acecacb5b454de82773c5a4b5f13ec3abf8ee0ce0c906690a918.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	40d8e0aa1d01acecacb5b454de82773c5a4b5f13ec3abf8ee0ce0c906690a918.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

40d8e0aa1d01acecacb5b454de82773c5a4b5f13ec3abf8ee0ce0c906690a918.exe

description	pid	process	target process
PID 5000 wrote to memory of 4028	5000	40d8e0aa1d01acecacb5b454de82773c5a4b5f13ec3abf8ee0ce0c906690a918.exe	11ri7807.exe
PID 5000 wrote to memory of 4028	5000	40d8e0aa1d01acecacb5b454de82773c5a4b5f13ec3abf8ee0ce0c906690a918.exe	11ri7807.exe
PID 5000 wrote to memory of 4028	5000	40d8e0aa1d01acecacb5b454de82773c5a4b5f13ec3abf8ee0ce0c906690a918.exe	11ri7807.exe

C:\Users\Admin\AppData\Local\Temp\40d8e0aa1d01acecacb5b454de82773c5a4b5f13ec3abf8ee0ce0c906690a918.exe
"C:\Users\Admin\AppData\Local\Temp\40d8e0aa1d01acecacb5b454de82773c5a4b5f13ec3abf8ee0ce0c906690a918.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5000

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11ri7807.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11ri7807.exe
2⤵
- Executes dropped EXE
PID:4028

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11ri7807.exe
Filesize
414KB

MD5
5592f560af7cf807f386cc2bcf7dd61a

SHA1
b7bacf3b630c0486730d72622ce954b90a13a74d

SHA256
d1bfce6063fdd6011206e564ed01459896f5f2e94c4e5bbe4b97df932aa9d8fc

SHA512
2463518147071915c525f4e9cf51666e9a50730bd112bd57be56e0bd3cc4bd882355fd993ad4b3ae92648a4d1ddca30553f1ee4aec473f2a60fca456743a20f7

Download Submit