84b8bfe8161da581a88c0ac362318827d4c28edb057e23402523d3c93a5b3429

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84b8bfe8161da581a88c0ac362318827d4c28edb057e23402523d3c93a5b3429.exe
Size

456KB
MD5

6e9ff09f5a7daa46cfbfb1cf5707179f
SHA1

6f1b4ccd2ad5f4787ed78a7b0a304e927e7d9a3c
SHA256

84b8bfe8161da581a88c0ac362318827d4c28edb057e23402523d3c93a5b3429
SHA512

128972b6a5bef77ee11da5e93e4e807e5d16c4253cf1eef5bd0d42602058fdb4452b07a5308c7b68a5c66446fd05d21078a2ae8f586380449151f44dba874ad7
SSDEEP

6144:pPgLAsUAjIk7Wz4pA+FoUHd6q4vvP9HKcOzhUCDpWzRaDGMDX/eIAPhPgagHSk5e:JgssUAkr8oUv4XccOdWslVAdgyZ

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4364	siteadv.exe

Executes dropped EXE 1 IoCs

pid	Process
4364	siteadv.exe

Loads dropped DLL 1 IoCs

pid	Process
4364	siteadv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\Wmi Player\\siteadv.exe mrun ok.obj"	siteadv.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 4364	2596	84b8bfe8161da581a88c0ac362318827d4c28edb057e23402523d3c93a5b3429.exe	80
PID 2596 wrote to memory of 4364	2596	84b8bfe8161da581a88c0ac362318827d4c28edb057e23402523d3c93a5b3429.exe	80
PID 2596 wrote to memory of 4364	2596	84b8bfe8161da581a88c0ac362318827d4c28edb057e23402523d3c93a5b3429.exe	80

C:\Users\Admin\AppData\Local\Temp\84b8bfe8161da581a88c0ac362318827d4c28edb057e23402523d3c93a5b3429.exe
"C:\Users\Admin\AppData\Local\Temp\84b8bfe8161da581a88c0ac362318827d4c28edb057e23402523d3c93a5b3429.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\Wmi Player\siteadv.exe
  "C:\Users\Admin\Wmi Player\siteadv.exe" install_and_del ok.obj "C:\Users\Admin\AppData\Local\Temp\84b8bfe8161da581a88c0ac362318827d4c28edb057e23402523d3c93a5b3429.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Wmi Player\SiteAdv.dll

Filesize
47KB

MD5
869de5ac4d3520373a8a2f1a5991d365

SHA1
1a7967c6357269414cfd1f9e1060a8613bc59f7b

SHA256
137a3cc8b2ecd98f7d6b787d259e66ca2c1dae968c785d75c7a2fecb4cbbcaf0

SHA512
7eb502c6ef89aec3686244e8e87e61832f137fab073e904eb64b53707eaba5a4cc95a6cb0fbd275fb4f344b12904e299056e00095c60b8a72b6ec496cce8a78d

Download Submit
C:\Users\Admin\Wmi Player\ok.obj

Filesize
317KB

MD5
b0f95350b13b65ae427075fbdf5f7230

SHA1
9e0e0582eef9e2e2f38893a06c552d607f835fcc

SHA256
3a093f2c2cb5ba59197a4c978cfa9687d5778a53ae17c2ce2757d3577a5e7c69

SHA512
363515b61fcda71ceeb1771802cac45eaa9fa1df31a83cdaa94ede123deea3c5c5326dfad98e898c2a569f660e90017801bcdea2d14130588083f5f7afb169be

Download Submit
C:\Users\Admin\Wmi Player\siteadv.exe

Filesize
34KB

MD5
0584b8020e41db48e267d26c641339c3

SHA1
de8b5b36e3638dc757cc3e7e7345b52f3e14b72e

SHA256
eb3b4e82ddfdb118d700a853587c9589c93879f62f576e104a62bdaa5a338d7b

SHA512
3a81b260a37b3bdfc0fffa08ab98cf6ebff3123a76c6f637d83471187e357d0af2e8d9eefe6ea32af9274dde732a7795312dded500a92c6bf3bedaf408abab07

Download Submit
memory/4364-9-0x0000000010000000-0x0000000010055000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads