1f6c255caa87a4b2ec259deac08bc76b48dab36a59f25114163c30c087645349

Analysis

max time kernel
7s
max time network
11s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virus.exe
Size

172KB
MD5

bc956ceb45c9629fc29010a09a0aa4ae
SHA1

9228661e1ed078bf3b9cef73e7b10bb2b970129e
SHA256

1f6c255caa87a4b2ec259deac08bc76b48dab36a59f25114163c30c087645349
SHA512

1210f331a232107ec1f423272af1cce4944abf568802899f7bbb862d0a0b5683045b6af57d8116de69c1cc0e7f99f2b547a75d8ed09d96d4ab0fdbd2d362df4a
SSDEEP

3072:HMobR7ezAjLOZvmX1a5GWp1icKAArDZz4N9GhbkrNEk1Qzw:seR7eamm2p0yN90QEP

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	virus.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3308 wrote to memory of 4488	3308	virus.exe	84
PID 3308 wrote to memory of 4488	3308	virus.exe	84
PID 4488 wrote to memory of 5024	4488	cmd.exe	89
PID 4488 wrote to memory of 5024	4488	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\virus.exe
"C:\Users\Admin\AppData\Local\Temp\virus.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "virus.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Windows\system32\shutdown.exe
    shutdown -s -t 15 -c Windows Security cannot kill the process, you need to restart the computer. Deleting infected startup files
    3⤵
    PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WindowsSecurityWarning.vbs

Filesize
73B

MD5
77a0508cde404639b8bd9db31a387f5c

SHA1
f6ab5bfed160e630f7497272ec9fbc3f867e158c

SHA256
900cf741696043d6044baaa1975fef1cde9557666c12a9ab53b5429dbe4e277e

SHA512
a73dbfefbd62170e0cc32ef6141d0e78e42434897b950b215b2dd48fd50639b86d8177343ca7349337416ffcc012b2952d9983beab951de1f33b8f193ce0c87f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\virus.bat

Filesize
275B

MD5
c8c2947c40ac515da1f026ce0e57c2eb

SHA1
b0deaac801ff28ff9d8b5efb69cdc7958a6b10c0

SHA256
e331a46c0d762325ba6ae2d95d0cab0a7605b12ebba69472f18885cb7b8bc963

SHA512
dd3a0aae9bac2bf7024c843372172419a7f74303d7e0d8651d54b4b7ce7d37215aec5d61432a93ae6ec31f0924b0117f252135c45b44d03f34de849cfd6583f5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads