3d09aa1414bbacbfb9c1b5b602d13f2ce8861d1cbb506f0afb092bf21feb5580

Analysis

max time kernel
18s
max time network
20s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-09-2024 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wincale.exe
Size

155KB
MD5

b98c92f8a1b5967e47e783382bd5aa85
SHA1

da98dab852c4a557bcd4d885496db302af74a3fa
SHA256

3d09aa1414bbacbfb9c1b5b602d13f2ce8861d1cbb506f0afb092bf21feb5580
SHA512

ce8590e1dd1877c773f4597c8a64d08e5e145354a6e770ebd9a76f829673842df96630d05154ac74da2263795d69679af66b8ccf2bb0680efb6b808e615344db
SSDEEP

3072:TahKyd2n31G5GWp1icKAArDZz4N9GhbkrNEkYqxk:TahO+p0yN90QE7

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Wincale.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 4016	3544	Wincale.exe	85
PID 3544 wrote to memory of 4016	3544	Wincale.exe	85

C:\Users\Admin\AppData\Local\Temp\Wincale.exe
"C:\Users\Admin\AppData\Local\Temp\Wincale.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c Wincale.bat
  2⤵
  PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Wincale.bat

Filesize
453B

MD5
f1dab3d19dc916a42d6ee3397ff1e9b1

SHA1
f5b36cfa9875ea7ff8b72100ae578c6039660f4c

SHA256
442e302d89e4c0702a130a12f4e234f1568b0cf543785071fcea4ce604c7b20d

SHA512
c589edc8136c0797f170c9bae4332f213afae5032cde7cf308a44f921ef8ad9750be98334a18c1649dc665cf24d6cd972d5bc3cdabf7b0af2923e38f3eae3e56

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads