7b3501b29fad54316a48c7cbe034f6f97593ef80e262a127c24094ba1cde7f9f

Resubmissions

14/09/2024, 11:48

240914-nyqttssfrf 6

14/09/2024, 11:47

240914-nxz14ssfnh 6

14/09/2024, 11:42

240914-nt22assekg 6

Analysis

max time kernel
94s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

services.exe
Size

170KB
MD5

5e94401cb02b643606efa2343211f832
SHA1

27e71319f36ec75ba5705f27febfba6f94c06634
SHA256

7b3501b29fad54316a48c7cbe034f6f97593ef80e262a127c24094ba1cde7f9f
SHA512

884f3d72a662f486c5fbd8f494689650011701faf9ef78fe77dfd9533cd3ddd9f37cac310b156a8bac7bb99ffe7aebe0df973df0281e9ce7f4c03369f614bfc4
SSDEEP

3072:bahKyd2n31F5GWp1icKAArDZz4N9GhbkrNEk+5fJ3qa1+YhWxLzF:bahOxp0yN90QEgP

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	services.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4792	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 1020	4824	services.exe	83
PID 4824 wrote to memory of 1020	4824	services.exe	83
PID 1020 wrote to memory of 1288	1020	cmd.exe	85
PID 1020 wrote to memory of 1288	1020	cmd.exe	85
PID 1020 wrote to memory of 4668	1020	cmd.exe	86
PID 1020 wrote to memory of 4668	1020	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\services.exe
"C:\Users\Admin\AppData\Local\Temp\services.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "services.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo Admin
    3⤵
    PID:4668

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4436

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\services.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\services.bat

Filesize
25KB

MD5
0a214e3b578b2aea45b48dfe3cf2d327

SHA1
a1100fe27b3397bbdc6871a7a2c5e310a098a448

SHA256
87d8a4024642f8231333c35e0c792d1192024f7305093589cf65639b2573e6e7

SHA512
239ccc51e0bdec7a7e8d727b960d4eb9f3e7b07703b6600d5712dca95786fe0fa12ce9041ac7f59aeae646b57b641b95c9bfc966491a4385f88e8e8f13ea6569

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads