036b4aa7616fc70353570500a50d5ca6bc0d043be36055911797be6a3718b393

Analysis

max time kernel
0s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
08-09-2024 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Injector (1).exe
Size

155KB
MD5

2dae931f833ddb6baf3d00789b29ceed
SHA1

ffc0ab5215ab64e2d04865d518464dc296350729
SHA256

036b4aa7616fc70353570500a50d5ca6bc0d043be36055911797be6a3718b393
SHA512

d8ed811a25fe1b2f6c9aa247a552c5a9ed802eee8d7b0658037fc75faf4eba5781f421149708956764a82f9fb964904be2d13fb8814972205b3546bba73a8a15
SSDEEP

3072:VahKyd2n3185GWp1icKAArDZz4N9GhbkrNEkgUTJ30Z1qHk:VahOcp0yN90QE5

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Injector (1).exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 4640	4948	Injector (1).exe	79
PID 4948 wrote to memory of 4640	4948	Injector (1).exe	79

C:\Users\Admin\AppData\Local\Temp\Injector (1).exe
"C:\Users\Admin\AppData\Local\Temp\Injector (1).exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "Injector.bat"
  2⤵
  PID:4640
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:3988
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:3552
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:2324
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:2508
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:3576
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:2452
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:3644
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:3136
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:1336
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:4716
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:1476
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:3032
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:3588
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:3528
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:4240
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Injector.bat

Filesize
29KB

MD5
495f8901d347b8efaf021740ee31db1e

SHA1
f5f65ec4cbf22adc94f139b9171e4e435fedca02

SHA256
44ffb1b40553572b3bbf90fce0294a214519399185260c6cb3157f737a6ed6f8

SHA512
5e536f3304c522d361d8db24cce1c11b76d756676b0b9535a66c1672c908c8bc36bb37bd7bec1d691c5ef1a5047a167185028787eb0f6c879c877a6653e4965d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads