7fed32135e17eb07271cf1ad19e72c4c428bac328ed93b12fc10b5dbb7cf3516

General

Target

7fed32135e17eb07271cf1ad19e72c4c428bac328ed93b12fc10b5dbb7cf3516.exe
Size

677KB
MD5

0d715f63f17e0885e3314fd47a520f11
SHA1

312cf0957fee439274df88aebe956caab61de9c3
SHA256

7fed32135e17eb07271cf1ad19e72c4c428bac328ed93b12fc10b5dbb7cf3516
SHA512

59adf553b668ec066f26b758de60b4b0bf22ae3adbe763c88c4d1951528beffa5c5786c5794c28c177e19a73b83a33afcae07ba3b2de9163778aca8491b7da02
SSDEEP

12288:vgSiFQARRvxJm6c1pf3R6DDQj0hEIHF3Z4mxxEoEtlK+kt9T2M3K0:vEOATvxoZpp6DeQvHQmX9Gsr

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2016	Accel.exe

Loads dropped DLL 6 IoCs

pid	Process
1704	7fed32135e17eb07271cf1ad19e72c4c428bac328ed93b12fc10b5dbb7cf3516.exe
1704	7fed32135e17eb07271cf1ad19e72c4c428bac328ed93b12fc10b5dbb7cf3516.exe
2016	Accel.exe
1736	WerFault.exe
1736	WerFault.exe
1736	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7fed32135e17eb07271cf1ad19e72c4c428bac328ed93b12fc10b5dbb7cf3516.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7fed32135e17eb07271cf1ad19e72c4c428bac328ed93b12fc10b5dbb7cf3516.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1736	2016	WerFault.exe	27

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2016	1704	7fed32135e17eb07271cf1ad19e72c4c428bac328ed93b12fc10b5dbb7cf3516.exe	27
PID 1704 wrote to memory of 2016	1704	7fed32135e17eb07271cf1ad19e72c4c428bac328ed93b12fc10b5dbb7cf3516.exe	27
PID 1704 wrote to memory of 2016	1704	7fed32135e17eb07271cf1ad19e72c4c428bac328ed93b12fc10b5dbb7cf3516.exe	27
PID 1704 wrote to memory of 2016	1704	7fed32135e17eb07271cf1ad19e72c4c428bac328ed93b12fc10b5dbb7cf3516.exe	27
PID 1704 wrote to memory of 2016	1704	7fed32135e17eb07271cf1ad19e72c4c428bac328ed93b12fc10b5dbb7cf3516.exe	27
PID 1704 wrote to memory of 2016	1704	7fed32135e17eb07271cf1ad19e72c4c428bac328ed93b12fc10b5dbb7cf3516.exe	27
PID 1704 wrote to memory of 2016	1704	7fed32135e17eb07271cf1ad19e72c4c428bac328ed93b12fc10b5dbb7cf3516.exe	27
PID 2016 wrote to memory of 1736	2016	Accel.exe	28
PID 2016 wrote to memory of 1736	2016	Accel.exe	28
PID 2016 wrote to memory of 1736	2016	Accel.exe	28
PID 2016 wrote to memory of 1736	2016	Accel.exe	28
PID 2016 wrote to memory of 1736	2016	Accel.exe	28
PID 2016 wrote to memory of 1736	2016	Accel.exe	28
PID 2016 wrote to memory of 1736	2016	Accel.exe	28

C:\Users\Admin\AppData\Local\Temp\7fed32135e17eb07271cf1ad19e72c4c428bac328ed93b12fc10b5dbb7cf3516.exe
"C:\Users\Admin\AppData\Local\Temp\7fed32135e17eb07271cf1ad19e72c4c428bac328ed93b12fc10b5dbb7cf3516.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accel.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accel.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 332
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accel.exe

Filesize
84KB

MD5
3e808b088061afc59fd37699635cae92

SHA1
5be16e0669594bce0e83d1a124b9c3d384af61aa

SHA256
70a0951ade7f9476551fa9217b1c3e9c64da6910a83b0d05b4dbe3d1a8a3c3ea

SHA512
8afe54d503032f86686a213730f5b7a789e93d48a36c9188e4e728f2e02323ca8c58980ae053cc81f8e735f86ec7ccce2b3e3c17518de8cce841889c25c14066

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accel.exe

Filesize
56KB

MD5
b2463c6ce30a21525ef590b1ca393059

SHA1
42214d94cf510b4cc3d68667814f0aae411fc1d0

SHA256
39ee2b851db20d35b0bd2970a1fcb377555e188963f37e2acdcc4a71ef6e5d89

SHA512
848ac42282d3e8a1bb0c8e8ec787bf8140ebda07ef38641de43559a7692445760210f3416d50fbc06407bc53d01e227f3648840c405b8c07cdfa7a718e74da6e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accel.exe

Filesize
124KB

MD5
9d2a86b144a93a4baebe55b1229590de

SHA1
5680d9ea0179706141edfa938944ade694125572

SHA256
7329d6a0deb867878d4598a40d994c2855ebe8315959acc240573d98a7f13e5f

SHA512
c98bf1ad9839e6d5c9dc65076144761009759a29ef524b956e3d1f8eb3563e20cdefd4e5e9b343d384fac9d78ebc283af22ea175db4d39b7df8af58bfbd127bb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accel.exe

Filesize
56KB

MD5
2579414e71b72d200ecc6872c21546f9

SHA1
e181574174a4993f1a5df82da96557e854f8931d

SHA256
f693f63ec7871b76a98ebc0ddfc26d8dbf636c534154a177e80a68ac4c203dd7

SHA512
252d9e567bc544cfa65daa21d1b43a7fff2e624958cf7c9ad945d26fc1ff1395869ba28749995f44b22d5c7794bfa1507716dc04213f9362e518394fa7376cf8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accel.exe

Filesize
97KB

MD5
6017b2a03de0278567e33769793fdc3d

SHA1
d05eb38f25652c6d633cdc39f33c911ad74ed4a3

SHA256
b9cb8885fa72ac89687d986344efbc04c710e60d5dfa4237e47d0af4741ee2c8

SHA512
98ecb895ad9e54356501d291127227de6e5f3a1cac04a456e44d0387af7c2d2f11ca242184049e0524b3856712c5cf62f22b99481e9efa5f680c14ba03eb67de

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accel.exe

Filesize
62KB

MD5
45d9725bfb157fed06d561bd43d8080e

SHA1
285e33e2b70638f6afc6b2fa025b42f913defe56

SHA256
37935e40f34fb2f429733654f71e3b5439e89520ab295e90535d8eabe296462e

SHA512
e609aa23a93518e88420afb9c7afb016384a26f23ec063a27dad9c4a714af458e16ebe2fca1236bec0692d6a39efd6941f4d89a6c3d11472dd9674f47b430106

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accel.exe

Filesize
104KB

MD5
65ce7869f291b88b387cef1c2087c9db

SHA1
e9ad77c32506ce2319a3cbd9cbd1ea0e6f95bac9

SHA256
57ff917ef9a3423f90c651e1cfa5576baac5d4e452d9c612c29d9f09c2ba7544

SHA512
dd72e7c016c0d91d0b04796c22c6e8dae9124fa4168d880b9546e46734f5d25ca57a56efb1169327e887e9e62ef721a0922861c9f095e8405efcddc0a4a7df56

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accel.exe

Filesize
84KB

MD5
a7805400c24aa708cb5577dcafd0c09b

SHA1
ae452bab6f92089e6576c9e7a6faf7480078f13a

SHA256
015590114e23db28bbe58b6c255bfdaee38ed546cfa872e2df81cdf9809d3f77

SHA512
42c793043b643221e2768484177f8509dae002e8d1fdb547cd2d41e31eb5c1a8606063145d8cc80d9b012e0ceeed3ba0c37d58644ee7c020c6d182d04f2cc126

Download Submit
memory/1704-65-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/1704-64-0x0000000003270000-0x0000000003273000-memory.dmp

Filesize
12KB

Download
memory/1704-63-0x0000000000830000-0x00000000008E5000-memory.dmp

Filesize
724KB

Download
memory/1704-62-0x0000000001000000-0x00000000010B5000-memory.dmp

Filesize
724KB

Download
memory/1704-54-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download
memory/2016-66-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing