cc804d9d8d5e5d432d2d8b44c92bef9668d15979c7bb8fa6536b251928a00bd4

General

Target

cc804d9d8d5e5d432d2d8b44c92bef9668d15979c7bb8fa6536b251928a00bd4.exe
Size

124KB
MD5

6e10e651a57b454b77bffff86b0ead26
SHA1

f9c3bc563081490ce8b347195d075eb1c96c798f
SHA256

cc804d9d8d5e5d432d2d8b44c92bef9668d15979c7bb8fa6536b251928a00bd4
SHA512

fa21cae21fb46fc6e951410226731f3b40a1cc3eacb7db79a876de6a11221e83edcf130d2dc3b39dbd8297eb26a22bcdd2e6654f4428188e7154c3e5c271a504
SSDEEP

3072:9T09LGtsrTSQ02bvCQIKVw/TEk3WmGQnFLFq58K:9ormRMCVKV83KQFL85h

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1204	taskhost.exe
448	taskhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	cc804d9d8d5e5d432d2d8b44c92bef9668d15979c7bb8fa6536b251928a00bd4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskhost = "C:\\Users\\Admin\\AppData\\Roaming\\taskhost.exe"	cc804d9d8d5e5d432d2d8b44c92bef9668d15979c7bb8fa6536b251928a00bd4.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 540 set thread context of 5048	540	cc804d9d8d5e5d432d2d8b44c92bef9668d15979c7bb8fa6536b251928a00bd4.exe	81
PID 1204 set thread context of 448	1204	taskhost.exe	86

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3300	540	WerFault.exe	80
4824	1204	WerFault.exe	84

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 5048	540	cc804d9d8d5e5d432d2d8b44c92bef9668d15979c7bb8fa6536b251928a00bd4.exe	81
PID 540 wrote to memory of 5048	540	cc804d9d8d5e5d432d2d8b44c92bef9668d15979c7bb8fa6536b251928a00bd4.exe	81
PID 540 wrote to memory of 5048	540	cc804d9d8d5e5d432d2d8b44c92bef9668d15979c7bb8fa6536b251928a00bd4.exe	81
PID 540 wrote to memory of 5048	540	cc804d9d8d5e5d432d2d8b44c92bef9668d15979c7bb8fa6536b251928a00bd4.exe	81
PID 540 wrote to memory of 5048	540	cc804d9d8d5e5d432d2d8b44c92bef9668d15979c7bb8fa6536b251928a00bd4.exe	81
PID 5048 wrote to memory of 1204	5048	cc804d9d8d5e5d432d2d8b44c92bef9668d15979c7bb8fa6536b251928a00bd4.exe	84
PID 5048 wrote to memory of 1204	5048	cc804d9d8d5e5d432d2d8b44c92bef9668d15979c7bb8fa6536b251928a00bd4.exe	84
PID 5048 wrote to memory of 1204	5048	cc804d9d8d5e5d432d2d8b44c92bef9668d15979c7bb8fa6536b251928a00bd4.exe	84
PID 1204 wrote to memory of 448	1204	taskhost.exe	86
PID 1204 wrote to memory of 448	1204	taskhost.exe	86
PID 1204 wrote to memory of 448	1204	taskhost.exe	86
PID 1204 wrote to memory of 448	1204	taskhost.exe	86
PID 1204 wrote to memory of 448	1204	taskhost.exe	86

C:\Users\Admin\AppData\Local\Temp\cc804d9d8d5e5d432d2d8b44c92bef9668d15979c7bb8fa6536b251928a00bd4.exe
"C:\Users\Admin\AppData\Local\Temp\cc804d9d8d5e5d432d2d8b44c92bef9668d15979c7bb8fa6536b251928a00bd4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:540
- C:\Users\Admin\AppData\Local\Temp\cc804d9d8d5e5d432d2d8b44c92bef9668d15979c7bb8fa6536b251928a00bd4.exe
  C:\Users\Admin\AppData\Local\Temp\cc804d9d8d5e5d432d2d8b44c92bef9668d15979c7bb8fa6536b251928a00bd4.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Users\Admin\AppData\Roaming\taskhost.exe
    C:\Users\Admin\AppData\Roaming\taskhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Users\Admin\AppData\Roaming\taskhost.exe
      C:\Users\Admin\AppData\Roaming\taskhost.exe
      4⤵
      Executes dropped EXE
      PID:448
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 416
      4⤵
      Program crash
      PID:4824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 416
  2⤵
  - Program crash
  PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 540 -ip 540
1⤵
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1204 -ip 1204
1⤵
PID:1956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
124KB

MD5
2a3e073c1a646628221bf4a64f28dc87

SHA1
bf4606fab6205c2c49798abd46955ef9d3ee2587

SHA256
d88e87e04997f53afc28a66a0c3457b85154919b6c32247767b78edc89c340ff

SHA512
75d5650f0046c9569c8b858f2e902113a405ece12f6213e2583947580fe5bc5891b663e4d47fb01fb38e3868f5209404f826b3dd140f06bcf1386e66d3aa8048

Download Submit
C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
124KB

MD5
2a3e073c1a646628221bf4a64f28dc87

SHA1
bf4606fab6205c2c49798abd46955ef9d3ee2587

SHA256
d88e87e04997f53afc28a66a0c3457b85154919b6c32247767b78edc89c340ff

SHA512
75d5650f0046c9569c8b858f2e902113a405ece12f6213e2583947580fe5bc5891b663e4d47fb01fb38e3868f5209404f826b3dd140f06bcf1386e66d3aa8048

Download Submit
C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
124KB

MD5
2a3e073c1a646628221bf4a64f28dc87

SHA1
bf4606fab6205c2c49798abd46955ef9d3ee2587

SHA256
d88e87e04997f53afc28a66a0c3457b85154919b6c32247767b78edc89c340ff

SHA512
75d5650f0046c9569c8b858f2e902113a405ece12f6213e2583947580fe5bc5891b663e4d47fb01fb38e3868f5209404f826b3dd140f06bcf1386e66d3aa8048

Download Submit
memory/448-140-0x0000000000000000-mapping.dmp

Download
memory/448-143-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/448-144-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/448-145-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1204-137-0x0000000000000000-mapping.dmp

Download
memory/5048-135-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5048-136-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5048-134-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5048-133-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5048-132-0x0000000000000000-mapping.dmp

Download
memory/5048-146-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing