099edb8d414c1203c093419569582272c94d6fa7814f61ad753fde824fafe87c

General

Target

099edb8d414c1203c093419569582272c94d6fa7814f61ad753fde824fafe87c.exe
Size

118KB
MD5

441892ddcce4d5e549751f8ca1825590
SHA1

3b0a591463bf7c1da0038dac1a58a442fdf0f10a
SHA256

099edb8d414c1203c093419569582272c94d6fa7814f61ad753fde824fafe87c
SHA512

845fe6b533b6030d2187efe4fbb43b9001c1bb54f491361dfd251307cf42bc29fe90dc881f0013650dd002da335e92938923fed48f6c439953ed016af2f6e34b
SSDEEP

3072:BLOe/5R1g2is7AcvhlFOSQUZqZE38jV7kHoMxUXHOxc:BLO8ccvhlFzdZ2EC7ooGUXOxc

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3408	x9el0.exe
3140	x9el0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5k4ffdabvh = "C:\\Users\\Admin\\AppData\\Roaming\\x9el0.exe"	099edb8d414c1203c093419569582272c94d6fa7814f61ad753fde824fafe87c.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	099edb8d414c1203c093419569582272c94d6fa7814f61ad753fde824fafe87c.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4232 set thread context of 3804	4232	099edb8d414c1203c093419569582272c94d6fa7814f61ad753fde824fafe87c.exe	84
PID 3408 set thread context of 3140	3408	x9el0.exe	87

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4240	3408	WerFault.exe	86
4792	4232	WerFault.exe	83
4244	3408	WerFault.exe	86
792	4232	WerFault.exe	83

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 3804	4232	099edb8d414c1203c093419569582272c94d6fa7814f61ad753fde824fafe87c.exe	84
PID 4232 wrote to memory of 3804	4232	099edb8d414c1203c093419569582272c94d6fa7814f61ad753fde824fafe87c.exe	84
PID 4232 wrote to memory of 3804	4232	099edb8d414c1203c093419569582272c94d6fa7814f61ad753fde824fafe87c.exe	84
PID 4232 wrote to memory of 3804	4232	099edb8d414c1203c093419569582272c94d6fa7814f61ad753fde824fafe87c.exe	84
PID 4232 wrote to memory of 3804	4232	099edb8d414c1203c093419569582272c94d6fa7814f61ad753fde824fafe87c.exe	84
PID 3804 wrote to memory of 3408	3804	099edb8d414c1203c093419569582272c94d6fa7814f61ad753fde824fafe87c.exe	86
PID 3804 wrote to memory of 3408	3804	099edb8d414c1203c093419569582272c94d6fa7814f61ad753fde824fafe87c.exe	86
PID 3804 wrote to memory of 3408	3804	099edb8d414c1203c093419569582272c94d6fa7814f61ad753fde824fafe87c.exe	86
PID 3408 wrote to memory of 3140	3408	x9el0.exe	87
PID 3408 wrote to memory of 3140	3408	x9el0.exe	87
PID 3408 wrote to memory of 3140	3408	x9el0.exe	87
PID 3408 wrote to memory of 3140	3408	x9el0.exe	87
PID 3408 wrote to memory of 3140	3408	x9el0.exe	87
PID 4232 wrote to memory of 4792	4232	099edb8d414c1203c093419569582272c94d6fa7814f61ad753fde824fafe87c.exe	91
PID 4232 wrote to memory of 4792	4232	099edb8d414c1203c093419569582272c94d6fa7814f61ad753fde824fafe87c.exe	91
PID 4232 wrote to memory of 4792	4232	099edb8d414c1203c093419569582272c94d6fa7814f61ad753fde824fafe87c.exe	91
PID 3408 wrote to memory of 4240	3408	x9el0.exe	90
PID 3408 wrote to memory of 4240	3408	x9el0.exe	90
PID 3408 wrote to memory of 4240	3408	x9el0.exe	90

C:\Users\Admin\AppData\Local\Temp\099edb8d414c1203c093419569582272c94d6fa7814f61ad753fde824fafe87c.exe
"C:\Users\Admin\AppData\Local\Temp\099edb8d414c1203c093419569582272c94d6fa7814f61ad753fde824fafe87c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Users\Admin\AppData\Local\Temp\099edb8d414c1203c093419569582272c94d6fa7814f61ad753fde824fafe87c.exe
  C:\Users\Admin\AppData\Local\Temp\099edb8d414c1203c093419569582272c94d6fa7814f61ad753fde824fafe87c.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Users\Admin\AppData\Roaming\x9el0.exe
    C:\Users\Admin\AppData\Roaming\x9el0.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Users\Admin\AppData\Roaming\x9el0.exe
      C:\Users\Admin\AppData\Roaming\x9el0.exe
      4⤵
      Executes dropped EXE
      PID:3140
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 304
      4⤵
      Program crash
      PID:4240
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 304
      4⤵
      Program crash
      PID:4244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 220
  2⤵
  - Program crash
  PID:4792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 220
  2⤵
  - Program crash
  PID:792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4232 -ip 4232
1⤵
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3408 -ip 3408
1⤵
PID:3344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\x9el0.exe

Filesize
118KB

MD5
608bea3bb3c15f44ff06df4c7c82cf29

SHA1
65b9c3eacdf371e4e51cdaf16633532899c7b9f2

SHA256
c430a25f9dd256029bdfe10f4be8134ad0917e95b123f71d7d5de0c104b975b6

SHA512
c5ef4f4adb28b043e5e62268fa047b87e51533d834c0b942f3bc90b8f351e053d737fabffc84b363501c53e4749ee524a760c523bcb0e4d782ca58baf58d2171

Download Submit
C:\Users\Admin\AppData\Roaming\x9el0.exe

Filesize
118KB

MD5
608bea3bb3c15f44ff06df4c7c82cf29

SHA1
65b9c3eacdf371e4e51cdaf16633532899c7b9f2

SHA256
c430a25f9dd256029bdfe10f4be8134ad0917e95b123f71d7d5de0c104b975b6

SHA512
c5ef4f4adb28b043e5e62268fa047b87e51533d834c0b942f3bc90b8f351e053d737fabffc84b363501c53e4749ee524a760c523bcb0e4d782ca58baf58d2171

Download Submit
C:\Users\Admin\AppData\Roaming\x9el0.exe

Filesize
118KB

MD5
608bea3bb3c15f44ff06df4c7c82cf29

SHA1
65b9c3eacdf371e4e51cdaf16633532899c7b9f2

SHA256
c430a25f9dd256029bdfe10f4be8134ad0917e95b123f71d7d5de0c104b975b6

SHA512
c5ef4f4adb28b043e5e62268fa047b87e51533d834c0b942f3bc90b8f351e053d737fabffc84b363501c53e4749ee524a760c523bcb0e4d782ca58baf58d2171

Download Submit
memory/3140-145-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3140-142-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3140-143-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3140-148-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3804-135-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3804-134-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3804-133-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3804-144-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing