f0b3fa7def9c4e34fd711d5f82bee8a252eb2e49bb2a032e3ebbf0a0ce45e4e1

Analysis

max time kernel
166s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0b3fa7def9c4e34fd711d5f82bee8a252eb2e49bb2a032e3ebbf0a0ce45e4e1.exe
Size

131KB
MD5

40ac16daa9c2f2b8f82b036938b2412a
SHA1

0cc85169d156bd25dab370a2f1bf712f3164ab49
SHA256

f0b3fa7def9c4e34fd711d5f82bee8a252eb2e49bb2a032e3ebbf0a0ce45e4e1
SHA512

5cb7918fb1132a8c45dddbdc65db3d8b1fd2db5a3f95f2b208271c5efbbb40f7509c2c248a5ae49c3c8f9be3b4d95fe64437898a12119cf0c3a3be8f57bd4f84
SSDEEP

3072:lEH+GiEs2SMylNOjyFbxJa5emEIr9E9njkKr3McVmySRyE6Uiowf5:lsehzRFW9rC5vV/SRS

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

FLASH.EXEFLASH.EXE

pid process

5024 FLASH.EXE
1164 FLASH.EXE

pid	process
5024	FLASH.EXE
1164	FLASH.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f0b3fa7def9c4e34fd711d5f82bee8a252eb2e49bb2a032e3ebbf0a0ce45e4e1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f0b3fa7def9c4e34fd711d5f82bee8a252eb2e49bb2a032e3ebbf0a0ce45e4e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f0b3fa7def9c4e34fd711d5f82bee8a252eb2e49bb2a032e3ebbf0a0ce45e4e1.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1428 5024 WerFault.exe FLASH.EXE
1840 1164 WerFault.exe FLASH.EXE

pid	pid_target	process	target process
1428	5024	WerFault.exe	FLASH.EXE
1840	1164	WerFault.exe	FLASH.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f0b3fa7def9c4e34fd711d5f82bee8a252eb2e49bb2a032e3ebbf0a0ce45e4e1.exe

description	pid	process	target process
PID 4320 wrote to memory of 5024	4320	f0b3fa7def9c4e34fd711d5f82bee8a252eb2e49bb2a032e3ebbf0a0ce45e4e1.exe	FLASH.EXE
PID 4320 wrote to memory of 5024	4320	f0b3fa7def9c4e34fd711d5f82bee8a252eb2e49bb2a032e3ebbf0a0ce45e4e1.exe	FLASH.EXE
PID 4320 wrote to memory of 5024	4320	f0b3fa7def9c4e34fd711d5f82bee8a252eb2e49bb2a032e3ebbf0a0ce45e4e1.exe	FLASH.EXE
PID 4320 wrote to memory of 1164	4320	f0b3fa7def9c4e34fd711d5f82bee8a252eb2e49bb2a032e3ebbf0a0ce45e4e1.exe	FLASH.EXE
PID 4320 wrote to memory of 1164	4320	f0b3fa7def9c4e34fd711d5f82bee8a252eb2e49bb2a032e3ebbf0a0ce45e4e1.exe	FLASH.EXE
PID 4320 wrote to memory of 1164	4320	f0b3fa7def9c4e34fd711d5f82bee8a252eb2e49bb2a032e3ebbf0a0ce45e4e1.exe	FLASH.EXE

C:\Users\Admin\AppData\Local\Temp\f0b3fa7def9c4e34fd711d5f82bee8a252eb2e49bb2a032e3ebbf0a0ce45e4e1.exe
"C:\Users\Admin\AppData\Local\Temp\f0b3fa7def9c4e34fd711d5f82bee8a252eb2e49bb2a032e3ebbf0a0ce45e4e1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4320

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FLASH.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FLASH.EXE
2⤵
- Executes dropped EXE
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 564
3⤵
- Program crash
PID:1428

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FLASH.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FLASH.EXE
2⤵
- Executes dropped EXE
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 560
3⤵
- Program crash
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5024 -ip 5024
1⤵
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1164 -ip 1164
1⤵
PID:1084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FLASH.EXE
Filesize
83KB

MD5
95e1f5f720d02aad94f20f057513589c

SHA1
11af5c0af38fa3c69d191b4f617f07f42980a5db

SHA256
2775c0558739a174c21ec9c27a8ebc2f851bd27467c13b11ba65fb1307179205

SHA512
bc6dab455558869175c11ce123d571bbb4eb9de0c971ddff72fc37f0e687fa32ee2711f810dba190ed9403316d442ed52ef6ecc0ad281bb7fadd0ef2a9f7bce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FLASH.EXE
Filesize
83KB

MD5
95e1f5f720d02aad94f20f057513589c

SHA1
11af5c0af38fa3c69d191b4f617f07f42980a5db

SHA256
2775c0558739a174c21ec9c27a8ebc2f851bd27467c13b11ba65fb1307179205

SHA512
bc6dab455558869175c11ce123d571bbb4eb9de0c971ddff72fc37f0e687fa32ee2711f810dba190ed9403316d442ed52ef6ecc0ad281bb7fadd0ef2a9f7bce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FLASH.EXE
Filesize
83KB

MD5
95e1f5f720d02aad94f20f057513589c

SHA1
11af5c0af38fa3c69d191b4f617f07f42980a5db

SHA256
2775c0558739a174c21ec9c27a8ebc2f851bd27467c13b11ba65fb1307179205

SHA512
bc6dab455558869175c11ce123d571bbb4eb9de0c971ddff72fc37f0e687fa32ee2711f810dba190ed9403316d442ed52ef6ecc0ad281bb7fadd0ef2a9f7bce7

Download Submit
memory/1164-136-0x0000000000000000-mapping.dmp

Download
memory/5024-132-0x0000000000000000-mapping.dmp

Download
memory/5024-135-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download