687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b

General

Target

687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe
Size

100KB
MD5

e1b7edc7b64d3658dc80ff55416b0c13
SHA1

dce6acf0d134a7b9a59302624264083a43e0e292
SHA256

687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b
SHA512

6b86abf8505edfe5e428cb3c3128fa9dd65e4d8bdc0c4b1e1f951733fce66d25e8929150137d2454f77332dc96f6be326a9f9ffe309899fa7ebb731e73f24f81

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

winrvpp.exe

pid	Process
4424	winrvpp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update 495955904 = "C:\\Windows\\7569616913379665\\winrvpp.exe"	687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update 495955904 = "C:\\Windows\\7569616913379665\\winrvpp.exe"	687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe

Drops file in Windows directory 3 IoCs

Processes:

687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe

description	ioc	Process
File created	C:\Windows\7569616913379665\winrvpp.exe	687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe
File opened for modification	C:\Windows\7569616913379665\winrvpp.exe	687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe
File opened for modification	C:\Windows\7569616913379665	687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
4748	4280	WerFault.exe	80
1476	4280	WerFault.exe	80
5052	4424	WerFault.exe	83
488	4424	WerFault.exe	83
4644	4280	WerFault.exe	80
388	4424	WerFault.exe	83
1764	4280	WerFault.exe	80
4204	4424	WerFault.exe	83

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe

description	pid	Process	procid_target
PID 4280 wrote to memory of 4424	4280	687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe	83
PID 4280 wrote to memory of 4424	4280	687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe	83
PID 4280 wrote to memory of 4424	4280	687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe	83

C:\Users\Admin\AppData\Local\Temp\687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe
"C:\Users\Admin\AppData\Local\Temp\687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\7569616913379665\winrvpp.exe
  C:\Windows\7569616913379665\winrvpp.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 508
    3⤵
    - Program crash
    PID:5052
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 612
    3⤵
    - Program crash
    PID:488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 728
    3⤵
    - Program crash
    PID:388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 748
    3⤵
    - Program crash
    PID:4204
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 552
  2⤵
  - Program crash
  PID:4748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 684
  2⤵
  - Program crash
  PID:1476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 796
  2⤵
  - Program crash
  PID:4644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 804
  2⤵
  - Program crash
  PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4280 -ip 4280
1⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4280 -ip 4280
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4424 -ip 4424
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4424 -ip 4424
1⤵
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4280 -ip 4280
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4424 -ip 4424
1⤵
PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4280 -ip 4280
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4424 -ip 4424
1⤵
PID:3140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\7569616913379665\winrvpp.exe

Filesize
100KB

MD5
e1b7edc7b64d3658dc80ff55416b0c13

SHA1
dce6acf0d134a7b9a59302624264083a43e0e292

SHA256
687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b

SHA512
6b86abf8505edfe5e428cb3c3128fa9dd65e4d8bdc0c4b1e1f951733fce66d25e8929150137d2454f77332dc96f6be326a9f9ffe309899fa7ebb731e73f24f81

Download Submit
C:\Windows\7569616913379665\winrvpp.exe

Filesize
100KB

MD5
e1b7edc7b64d3658dc80ff55416b0c13

SHA1
dce6acf0d134a7b9a59302624264083a43e0e292

SHA256
687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b

SHA512
6b86abf8505edfe5e428cb3c3128fa9dd65e4d8bdc0c4b1e1f951733fce66d25e8929150137d2454f77332dc96f6be326a9f9ffe309899fa7ebb731e73f24f81

Download Submit
memory/4280-130-0x0000000000842000-0x0000000000847000-memory.dmp

Filesize
20KB

Download
memory/4280-131-0x0000000000842000-0x0000000000847000-memory.dmp

Filesize
20KB

Download
memory/4280-132-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4424-133-0x0000000000000000-mapping.dmp

Download
memory/4424-136-0x00000000006C2000-0x00000000006C6000-memory.dmp

Filesize
16KB

Download
memory/4424-137-0x00000000006C2000-0x00000000006C6000-memory.dmp

Filesize
16KB

Download
memory/4424-138-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads