a3fe36dfd55585924cbbfbf3ac92bc2ef4ae3111be96fdf759e0387d95f6cc02

Analysis

max time kernel
99s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 08:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7298edbe0704f88646cbe0ac1147fe50N.exe
Size

128KB
MD5

7298edbe0704f88646cbe0ac1147fe50
SHA1

00fa587d01d0d0130cbb726df36c62147ef2f800
SHA256

a3fe36dfd55585924cbbfbf3ac92bc2ef4ae3111be96fdf759e0387d95f6cc02
SHA512

c468ef9d35e5ac691f9d3ac1196be8cf002833a28304808628905520206cf6d3eb583027ba04853e58e755dd7043883de6677503b8dca16a98bb2e8b0b30f729
SSDEEP

3072:onj9jtfU+INndIc0Jz5blNJgaDwKYk3alC6RqMuQ08:ojbeiZDZDhv3aDRFuC

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4576	LaunchSetup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7298edbe0704f88646cbe0ac1147fe50N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4576	LaunchSetup.exe
4576	LaunchSetup.exe
4576	LaunchSetup.exe
4576	LaunchSetup.exe
4576	LaunchSetup.exe
4576	LaunchSetup.exe
4576	LaunchSetup.exe
4576	LaunchSetup.exe
4576	LaunchSetup.exe
4576	LaunchSetup.exe
4576	LaunchSetup.exe
4576	LaunchSetup.exe
4576	LaunchSetup.exe
4576	LaunchSetup.exe
4576	LaunchSetup.exe
4576	LaunchSetup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4576	LaunchSetup.exe
4576	LaunchSetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 4576	2820	7298edbe0704f88646cbe0ac1147fe50N.exe	84
PID 2820 wrote to memory of 4576	2820	7298edbe0704f88646cbe0ac1147fe50N.exe	84
PID 2820 wrote to memory of 4576	2820	7298edbe0704f88646cbe0ac1147fe50N.exe	84

C:\Users\Admin\AppData\Local\Temp\7298edbe0704f88646cbe0ac1147fe50N.exe
"C:\Users\Admin\AppData\Local\Temp\7298edbe0704f88646cbe0ac1147fe50N.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LaunchSetup.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LaunchSetup.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3WWFCFW4\showmypcauto[1].htm

Filesize
5B

MD5
944ffc8fc3592f2861245f00e5f437ff

SHA1
9e1560f1981d72d948bd79af50d1c4efd33da6ae

SHA256
ccca1a5b13502c0b498ed148d0544f55b9c67d394540e5690d9ac3203b1a804a

SHA512
c0abdc2b1972947191fb61044b02911b2466400323ab78488d938d64d410507d7695489dc9845de0b37273b7365c30700b74ef31a9060bb0da90d7baf2397bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LaunchSetup.exe

Filesize
113KB

MD5
219dce8bfda000032d7e05aee7f2f857

SHA1
082afd4467b2a1b5620bee4cbf130aecddc055cd

SHA256
dbb05de62b233c777a4b954097d3e3e9ce8ee364921ba5f2ded54805def2cdad

SHA512
3401339ebe41b8c8d325e46c27ac655d8e6183fa56ee1253e14cabc15156d72fe9fff5dd3c6c0df7eef16f71d775f8d79f55e993d4e92d622b4b71c5868d3636

Download Submit