d1d06dd339cf5e0f5a42f3baadf3b6b452dae99df8941ec2b21dfeb9af6b89e7

Analysis

max time kernel
125s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78d8afb5b6d07be053731e4535b6af065470b9c6866d10d038d8f98b09195dde.exe
Size

202KB
MD5

47bc8822eb26a30c73c611c82760378e
SHA1

fca21e171b90f0f5fd08184e09807e872cb4f138
SHA256

78d8afb5b6d07be053731e4535b6af065470b9c6866d10d038d8f98b09195dde
SHA512

f91c467883866714357296f5f329f1e7821c5dda2afe2fbe72c2f2f9f4d0c948ba6f98560d0f583ca32cba6403ce4639d59a12ede3bb2f1dd092d7da5e8f8eff
SSDEEP

3072:F29+hIl2epp1X5GWp1icKAArDZz4N9GhbkrNEkuYQF9XaAbwbb/PjL4:MwAxp0yN90QEXjXafzPj

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	78d8afb5b6d07be053731e4535b6af065470b9c6866d10d038d8f98b09195dde.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4848	reg.exe

Suspicious behavior: LoadsDriver 10 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
660	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3392	cmstp.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 3392	1852	78d8afb5b6d07be053731e4535b6af065470b9c6866d10d038d8f98b09195dde.exe	97
PID 1852 wrote to memory of 3392	1852	78d8afb5b6d07be053731e4535b6af065470b9c6866d10d038d8f98b09195dde.exe	97
PID 3392 wrote to memory of 4848	3392	cmstp.exe	104
PID 3392 wrote to memory of 4848	3392	cmstp.exe	104
PID 3392 wrote to memory of 4288	3392	cmstp.exe	107
PID 3392 wrote to memory of 4288	3392	cmstp.exe	107
PID 4288 wrote to memory of 1340	4288	cmd.exe	110
PID 4288 wrote to memory of 1340	4288	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\78d8afb5b6d07be053731e4535b6af065470b9c6866d10d038d8f98b09195dde.exe
"C:\Users\Admin\AppData\Local\Temp\78d8afb5b6d07be053731e4535b6af065470b9c6866d10d038d8f98b09195dde.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\SYSTEM32\cmstp.exe
  cmstp.exe /s /su /ns ed845ad1-981c-4924-becb-61d6bd1ae9eb.inf
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Windows\SYSTEM32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 /v SelectSelfSignedCert /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4848
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c certutil -addstore root %APPDATA%\Microsoft\Network\Connections\Cm\ed845ad1-981c-4924-becb-61d6bd1ae9eb\ed845ad1-981c-4924-becb-61d6bd1ae9eb.cer
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Windows\system32\certutil.exe
      certutil -addstore root C:\Users\Admin\AppData\Roaming\Microsoft\Network\Connections\Cm\ed845ad1-981c-4924-becb-61d6bd1ae9eb\ed845ad1-981c-4924-becb-61d6bd1ae9eb.cer
      4⤵
      PID:1340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3908,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=1412 /prefetch:8
1⤵
PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AZUREB~1.ICO

Filesize
5KB

MD5
f4210677849c93e4550b23c038b251f8

SHA1
eed0197ea0ec7b79d10dfe38699b5dcc57775b7b

SHA256
1ebdce9e839099060b4a68dad683bd77ccb398280ce6ceade6297d50df1001e0

SHA512
7fd327fd662c0aa9431f32f8f15708876b4d0b00dfa2c0f191a88aafc3d725da068752dd8f5705c356f20248c3c3588357c60733a4a9a346ce41710c44193943

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AZUREB~2.ICO

Filesize
4KB

MD5
1e633ec56eee97f7cd80316388f0b769

SHA1
25e18aa13520605f17eaf2f9d77acd8ba5408fe2

SHA256
04aab375e08f56cf4be4ca7e148969fa93789886eff1b13ab85f00a76cea238e

SHA512
4c3edbcd34100d3358b924452a9041ed97fe31df65f6f29d350b17664324edac03fef4d24c995bb2b082c63ce21f9e6833c8474e1549dc5c21f911d12925a824

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AZUREV~1.BMP

Filesize
135KB

MD5
745a3d9dcb4735518fd16ca5dc00c79f

SHA1
5c9ca1e8f3d81b40a0e6e731171b83f04782e799

SHA256
f738942f441272f364d480d700a2215180f0e9765ac64056991b78f0af35d560

SHA512
603cbc81fea84a0b612f8129575bedec1710dbfad7d8955afcd2720827923ffdec48852449a73a4ad2bb6332a76a559eec897d68a415bb37f5b39b1ee23a5fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ED845A~1.CER

Filesize
947B

MD5
79e4a9840d7d3a96d7c04fe2434c892e

SHA1
a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436

SHA256
4348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c70161

SHA512
53b444e565183201a61eeb461209b2dc30895eeca487238d15a026735f229a819e5b19cbd7e2fa2768ab2a64f6ebcd9d1e721341c9ed5dd09fc0d5e43d68bca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ED845A~1.PBK

Filesize
2KB

MD5
a6f4e9aaef06145cbfe97fbc28be7884

SHA1
25368475a0d3fe50e7a3a78413731f96021d2108

SHA256
b5a777dd8dd27cb93460f1e46ab5ac9a6f827b3f836af068b2b32e3fcdf95dc6

SHA512
b59831113f089e6f1a2d665cda589312ed8542de637445227e7560137046cf5680712b643e786ba64c4a4a4550be0c6ac4e8fda1ae314c235ba8454c4782d89a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ed845ad1-981c-4924-becb-61d6bd1ae9eb.cmp

Filesize
155B

MD5
536354542882fe8dede34f55330ae4b8

SHA1
5c104f2e39e29ebaa03c3507a97bfc9ad8a8c519

SHA256
8470481af45c5143ece64278472f174951565d6d0df9d6fa49a4eb64a7883087

SHA512
30cc83cb6452c0788a369f7d7ede0471a5c416d26377aaa35ec4666298bfe30804ce8a6b84f556d7e362b1d15f3b5ef476e536d5b90d2ebde01e22bf852bfea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ed845ad1-981c-4924-becb-61d6bd1ae9eb.inf

Filesize
11KB

MD5
99bdb31f637abec4c0a844e0697cfbb7

SHA1
8a229a25820d1b7324bff06a04f4c010dd5b52d1

SHA256
aeb526d51cef2142105b5625c93bd932bfc335a9e2032559432df9cac7310816

SHA512
5f9ba3c011efabae9d74f53bd528ad07ad04a08d70e9fcee5e31a9f7b35ee4ca4abc553009f8c3c01186391065f0dfe2e3c37760a20b3b31e6b90e792c9342cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\Connections\Cm\ed845ad1-981c-4924-becb-61d6bd1ae9eb\cmroute.dll

Filesize
45KB

MD5
fafa0f6ba11ed3da82abbccea19f808e

SHA1
a52ea6fd5a26c90c1d3e8fb9f844725a2b7703f1

SHA256
eabf6bae661a9a15c253a2a4a1d149841ae66af2f5567538ac452ed3bfb36da3

SHA512
cd14f1306aeb85c996d5a8974580d8897859f8023033b9d07f7ff2bf46baed0a3d37616e5e7916a8fef949c6532b4a40a96c0789e402950796f555bf0ff17cd3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\Connections\Cm\ed845ad1-981c-4924-becb-61d6bd1ae9eb\ed845ad1-981c-4924-becb-61d6bd1ae9eb.cms

Filesize
3KB

MD5
2a0b95a66808202f6e92437b355e6e41

SHA1
687d48dbd7a7a599eacb4c21f3046163b661ffbb

SHA256
92e5b154bb19b31293af58eba992bb645689f95777344fbb176c423afdd9e672

SHA512
2b5d5867156844bd6355a065c998fa1e466ff33e3d908fc04d8ab3e0de5f5571a1e7114ea93d1c55f2a9b4863627afc3a661665051226be5ff21da443fc3363f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\Connections\Cm\ed845ad1-981c-4924-becb-61d6bd1ae9eb\routes.txt

Filesize
143B

MD5
76056951f3de702a9853b931cc95a670

SHA1
0984f5fdca58b2fad4c71774839b03bcb6ac25c5

SHA256
48f3b82fba1ac40a652793e10841b73a8bb38703c79258766bcfae4d706b3797

SHA512
e7f1fcd7477850652d242a4f7bab6ae766ccefee15659d6cf2be0f989cf4bbe5d41f2a36add4dd83a0a734bfec242a3dc3b78abe4511e3a34b7f36107bf4e3c5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads