c3812f7f14e5258d04ad92981ec7feaac2101b562ca09bbb3469d222524323e2

General

Target

c3812f7f14e5258d04ad92981ec7feaac2101b562ca09bbb3469d222524323e2.exe
Size

119KB
MD5

96dace9d3bb37faac3c6e7a69b5c8400
SHA1

a88ce3449ba69ffd91e8d98e4807d13b48b532f9
SHA256

c3812f7f14e5258d04ad92981ec7feaac2101b562ca09bbb3469d222524323e2
SHA512

1ba9357bdbcb81a80f2f1a2bcf5d60b1b2cf93de2a53a6cdabc1a761bcfa2f4bfdd90992a86a8e6f8501993ef8356f6379e308db3869ef90910afec88f15e6e8
SSDEEP

3072:gyZiGx5TFQYGsOpyg36Kuvmvp5+nkvqC3Q:gjsQYyjZnR

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3584	taskhost.exe
1760	taskhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskhost = "C:\\Users\\Admin\\taskhost.exe"	taskhost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4988 set thread context of 5004	4988	c3812f7f14e5258d04ad92981ec7feaac2101b562ca09bbb3469d222524323e2.exe	80
PID 3584 set thread context of 1760	3584	taskhost.exe	84

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1772	4988	WerFault.exe	79
1748	3584	WerFault.exe	82

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 5004	4988	c3812f7f14e5258d04ad92981ec7feaac2101b562ca09bbb3469d222524323e2.exe	80
PID 4988 wrote to memory of 5004	4988	c3812f7f14e5258d04ad92981ec7feaac2101b562ca09bbb3469d222524323e2.exe	80
PID 4988 wrote to memory of 5004	4988	c3812f7f14e5258d04ad92981ec7feaac2101b562ca09bbb3469d222524323e2.exe	80
PID 4988 wrote to memory of 5004	4988	c3812f7f14e5258d04ad92981ec7feaac2101b562ca09bbb3469d222524323e2.exe	80
PID 4988 wrote to memory of 5004	4988	c3812f7f14e5258d04ad92981ec7feaac2101b562ca09bbb3469d222524323e2.exe	80
PID 5004 wrote to memory of 3584	5004	c3812f7f14e5258d04ad92981ec7feaac2101b562ca09bbb3469d222524323e2.exe	82
PID 5004 wrote to memory of 3584	5004	c3812f7f14e5258d04ad92981ec7feaac2101b562ca09bbb3469d222524323e2.exe	82
PID 5004 wrote to memory of 3584	5004	c3812f7f14e5258d04ad92981ec7feaac2101b562ca09bbb3469d222524323e2.exe	82
PID 3584 wrote to memory of 1760	3584	taskhost.exe	84
PID 3584 wrote to memory of 1760	3584	taskhost.exe	84
PID 3584 wrote to memory of 1760	3584	taskhost.exe	84
PID 3584 wrote to memory of 1760	3584	taskhost.exe	84
PID 3584 wrote to memory of 1760	3584	taskhost.exe	84

C:\Users\Admin\AppData\Local\Temp\c3812f7f14e5258d04ad92981ec7feaac2101b562ca09bbb3469d222524323e2.exe
"C:\Users\Admin\AppData\Local\Temp\c3812f7f14e5258d04ad92981ec7feaac2101b562ca09bbb3469d222524323e2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Users\Admin\AppData\Local\Temp\c3812f7f14e5258d04ad92981ec7feaac2101b562ca09bbb3469d222524323e2.exe
  C:\Users\Admin\AppData\Local\Temp\c3812f7f14e5258d04ad92981ec7feaac2101b562ca09bbb3469d222524323e2.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Users\Admin\taskhost.exe
    C:\Users\Admin\taskhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3584
  - - C:\Users\Admin\taskhost.exe
      C:\Users\Admin\taskhost.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:1760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 296
      4⤵
      Program crash
      PID:1748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 308
  2⤵
  - Program crash
  PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4988 -ip 4988
1⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3584 -ip 3584
1⤵
PID:4380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\taskhost.exe

Filesize
119KB

MD5
991b106297d8062b2e79d6d248025070

SHA1
6a82e6e37c272bf999ef38a0cf195992e8f40531

SHA256
504c390ba9cd6db0b559b91cb26e8de364b23dc4d076446a08f39f68fb426c51

SHA512
7b04ba25653e09cc5fff1225694dc2d64e50e109d8ce4c7d07a572e327b347d812ce78d8f9ba13834658adb0017a8c4ffe304189191a243e101dd7d993c4c8a6

Download Submit
C:\Users\Admin\taskhost.exe

Filesize
119KB

MD5
991b106297d8062b2e79d6d248025070

SHA1
6a82e6e37c272bf999ef38a0cf195992e8f40531

SHA256
504c390ba9cd6db0b559b91cb26e8de364b23dc4d076446a08f39f68fb426c51

SHA512
7b04ba25653e09cc5fff1225694dc2d64e50e109d8ce4c7d07a572e327b347d812ce78d8f9ba13834658adb0017a8c4ffe304189191a243e101dd7d993c4c8a6

Download Submit
C:\Users\Admin\taskhost.exe

Filesize
119KB

MD5
991b106297d8062b2e79d6d248025070

SHA1
6a82e6e37c272bf999ef38a0cf195992e8f40531

SHA256
504c390ba9cd6db0b559b91cb26e8de364b23dc4d076446a08f39f68fb426c51

SHA512
7b04ba25653e09cc5fff1225694dc2d64e50e109d8ce4c7d07a572e327b347d812ce78d8f9ba13834658adb0017a8c4ffe304189191a243e101dd7d993c4c8a6

Download Submit
memory/1760-142-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1760-139-0x0000000000000000-mapping.dmp

Download
memory/1760-143-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1760-145-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3584-136-0x0000000000000000-mapping.dmp

Download
memory/5004-135-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5004-134-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5004-133-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5004-132-0x0000000000000000-mapping.dmp

Download
memory/5004-144-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing