b6d82ef1862f6d88fbe0a4ebd3d485d8109f9368a7b5f6d855129e6d3f19793d

General

Target

b6d82ef1862f6d88fbe0a4ebd3d485d8109f9368a7b5f6d855129e6d3f19793d.exe
Size

98KB
MD5

4ec32104de0ac83c28cbf8ebba215527
SHA1

9be2c050bc8eef8d6594ce228c859627b3f403d2
SHA256

b6d82ef1862f6d88fbe0a4ebd3d485d8109f9368a7b5f6d855129e6d3f19793d
SHA512

914d3497d965b7f4b551b008721da74fc82dcfe19e15b05ab90304522acabed59d928f997645804e7883d302f2adc8c5ae8031157295b00931cad2ea3f95b979

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4300	wingkhw.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update 8675887 = "C:\\Windows\\29328279135810190\\wingkhw.exe"	b6d82ef1862f6d88fbe0a4ebd3d485d8109f9368a7b5f6d855129e6d3f19793d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update 8675887 = "C:\\Windows\\29328279135810190\\wingkhw.exe"	b6d82ef1862f6d88fbe0a4ebd3d485d8109f9368a7b5f6d855129e6d3f19793d.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\29328279135810190	b6d82ef1862f6d88fbe0a4ebd3d485d8109f9368a7b5f6d855129e6d3f19793d.exe
File created	C:\Windows\29328279135810190\wingkhw.exe	b6d82ef1862f6d88fbe0a4ebd3d485d8109f9368a7b5f6d855129e6d3f19793d.exe
File opened for modification	C:\Windows\29328279135810190\wingkhw.exe	b6d82ef1862f6d88fbe0a4ebd3d485d8109f9368a7b5f6d855129e6d3f19793d.exe

Program crash 8 IoCs

pid	pid_target	Process	procid_target
2416	1596	WerFault.exe	80
2532	4300	WerFault.exe	81
4524	1596	WerFault.exe	80
3660	4300	WerFault.exe	81
3644	4300	WerFault.exe	81
2568	1596	WerFault.exe	80
4252	4300	WerFault.exe	81
1348	1596	WerFault.exe	80

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 4300	1596	b6d82ef1862f6d88fbe0a4ebd3d485d8109f9368a7b5f6d855129e6d3f19793d.exe	81
PID 1596 wrote to memory of 4300	1596	b6d82ef1862f6d88fbe0a4ebd3d485d8109f9368a7b5f6d855129e6d3f19793d.exe	81
PID 1596 wrote to memory of 4300	1596	b6d82ef1862f6d88fbe0a4ebd3d485d8109f9368a7b5f6d855129e6d3f19793d.exe	81

C:\Users\Admin\AppData\Local\Temp\b6d82ef1862f6d88fbe0a4ebd3d485d8109f9368a7b5f6d855129e6d3f19793d.exe
"C:\Users\Admin\AppData\Local\Temp\b6d82ef1862f6d88fbe0a4ebd3d485d8109f9368a7b5f6d855129e6d3f19793d.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\29328279135810190\wingkhw.exe
  C:\Windows\29328279135810190\wingkhw.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 500
    3⤵
    - Program crash
    PID:2532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 612
    3⤵
    - Program crash
    PID:3660
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 728
    3⤵
    - Program crash
    PID:3644
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 736
    3⤵
    - Program crash
    PID:4252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 552
  2⤵
  - Program crash
  PID:2416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 660
  2⤵
  - Program crash
  PID:4524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 776
  2⤵
  - Program crash
  PID:2568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 784
  2⤵
  - Program crash
  PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1596 -ip 1596
1⤵
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4300 -ip 4300
1⤵
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4300 -ip 4300
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1596 -ip 1596
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4300 -ip 4300
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1596 -ip 1596
1⤵
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4300 -ip 4300
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1596 -ip 1596
1⤵
PID:5052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\29328279135810190\wingkhw.exe

Filesize
98KB

MD5
4ec32104de0ac83c28cbf8ebba215527

SHA1
9be2c050bc8eef8d6594ce228c859627b3f403d2

SHA256
b6d82ef1862f6d88fbe0a4ebd3d485d8109f9368a7b5f6d855129e6d3f19793d

SHA512
914d3497d965b7f4b551b008721da74fc82dcfe19e15b05ab90304522acabed59d928f997645804e7883d302f2adc8c5ae8031157295b00931cad2ea3f95b979

Download Submit
C:\Windows\29328279135810190\wingkhw.exe

Filesize
98KB

MD5
4ec32104de0ac83c28cbf8ebba215527

SHA1
9be2c050bc8eef8d6594ce228c859627b3f403d2

SHA256
b6d82ef1862f6d88fbe0a4ebd3d485d8109f9368a7b5f6d855129e6d3f19793d

SHA512
914d3497d965b7f4b551b008721da74fc82dcfe19e15b05ab90304522acabed59d928f997645804e7883d302f2adc8c5ae8031157295b00931cad2ea3f95b979

Download Submit
memory/1596-130-0x0000000000702000-0x0000000000707000-memory.dmp

Filesize
20KB

Download
memory/1596-131-0x0000000000702000-0x0000000000707000-memory.dmp

Filesize
20KB

Download
memory/1596-132-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1596-139-0x0000000000702000-0x0000000000707000-memory.dmp

Filesize
20KB

Download
memory/4300-136-0x00000000005B2000-0x00000000005B6000-memory.dmp

Filesize
16KB

Download
memory/4300-137-0x00000000005B2000-0x00000000005B6000-memory.dmp

Filesize
16KB

Download
memory/4300-138-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download

Analysis

Sharing