5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3

General

Target

5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
Size

136KB
MD5

6314acf481191f819a0ebd01d305a1f7
SHA1

42c54a11eec742d8775a4e31c230a2e0842f23cc
SHA256

5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3
SHA512

beb509d721f0f987d236f9bb87fb95ae9470c93a6ce6efd9ec03213b6d9267eacafec8d364701c1391f37868222a1bda59c880217ac455bfeb1aa602f7fc634d
SSDEEP

3072:mVSMX2hidyId0xJGZDtZiab4NlKy/0g5Ktcu:mlXGidyIKfGZDtZR4NlD5Ktcu

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

rundll32.exerundll32.exesvchost.exesvchost.exe

pid process

4900 rundll32.exe
4832 rundll32.exe
992 svchost.exe
8 svchost.exe

pid	process
4900	rundll32.exe
4832	rundll32.exe
992	svchost.exe
8	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Host-process Windows (Rundll32.exe) = "C:\\Users\\Admin\\AppData\\Roaming\\rundll32.exe"	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service Host Process for Windows = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Process = "C:\\Windows\\system32\\csrss.exe"	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe

Drops file in System32 directory 6 IoCs

Processes:

5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\svchost.exe	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
File created	C:\Windows\SysWOW64\svchost.exe	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
File created	C:\Windows\SysWOW64\csrss.exe	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
File opened for modification	C:\Windows\SysWOW64\csrss.exe	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
File opened for modification	C:\Windows\SysWOW64\rundll32.exe	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
File created	C:\Windows\SysWOW64\rundll32.exe	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exerundll32.exesvchost.exe

description	pid	process	target process
PID 4804 set thread context of 4940	4804	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
PID 4900 set thread context of 4832	4900	rundll32.exe	rundll32.exe
PID 992 set thread context of 8	992	svchost.exe	svchost.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1984	4940	WerFault.exe	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
112	4832	WerFault.exe	rundll32.exe
4948	8	WerFault.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exerundll32.exesvchost.exe

pid	process
4804	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
4804	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
4804	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
4804	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
4804	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
4804	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
4804	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
4804	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
4940	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
4940	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
4940	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
4940	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
4940	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
4940	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
4900	rundll32.exe
4900	rundll32.exe
4900	rundll32.exe
4900	rundll32.exe
4900	rundll32.exe
4900	rundll32.exe
4900	rundll32.exe
4900	rundll32.exe
4940	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
4940	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
4940	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
4940	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
992	svchost.exe
992	svchost.exe
992	svchost.exe
992	svchost.exe
992	svchost.exe
992	svchost.exe
992	svchost.exe
992	svchost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exerundll32.exesvchost.exe

pid	process
4804	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
4804	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
4900	rundll32.exe
4900	rundll32.exe
992	svchost.exe
992	svchost.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exerundll32.exesvchost.exe

description	pid	process	target process
PID 4804 wrote to memory of 4940	4804	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
PID 4804 wrote to memory of 4940	4804	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
PID 4804 wrote to memory of 4940	4804	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
PID 4804 wrote to memory of 4940	4804	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
PID 4804 wrote to memory of 4940	4804	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
PID 4804 wrote to memory of 4940	4804	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
PID 4804 wrote to memory of 4940	4804	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
PID 4804 wrote to memory of 4940	4804	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
PID 4940 wrote to memory of 4900	4940	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe	rundll32.exe
PID 4940 wrote to memory of 4900	4940	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe	rundll32.exe
PID 4940 wrote to memory of 4900	4940	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe	rundll32.exe
PID 4900 wrote to memory of 4832	4900	rundll32.exe	rundll32.exe
PID 4900 wrote to memory of 4832	4900	rundll32.exe	rundll32.exe
PID 4900 wrote to memory of 4832	4900	rundll32.exe	rundll32.exe
PID 4900 wrote to memory of 4832	4900	rundll32.exe	rundll32.exe
PID 4900 wrote to memory of 4832	4900	rundll32.exe	rundll32.exe
PID 4900 wrote to memory of 4832	4900	rundll32.exe	rundll32.exe
PID 4900 wrote to memory of 4832	4900	rundll32.exe	rundll32.exe
PID 4900 wrote to memory of 4832	4900	rundll32.exe	rundll32.exe
PID 4940 wrote to memory of 992	4940	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe	svchost.exe
PID 4940 wrote to memory of 992	4940	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe	svchost.exe
PID 4940 wrote to memory of 992	4940	5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe	svchost.exe
PID 992 wrote to memory of 8	992	svchost.exe	svchost.exe
PID 992 wrote to memory of 8	992	svchost.exe	svchost.exe
PID 992 wrote to memory of 8	992	svchost.exe	svchost.exe
PID 992 wrote to memory of 8	992	svchost.exe	svchost.exe
PID 992 wrote to memory of 8	992	svchost.exe	svchost.exe
PID 992 wrote to memory of 8	992	svchost.exe	svchost.exe
PID 992 wrote to memory of 8	992	svchost.exe	svchost.exe
PID 992 wrote to memory of 8	992	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
"C:\Users\Admin\AppData\Local\Temp\5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4804

C:\Users\Admin\AppData\Local\Temp\5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
C:\Users\Admin\AppData\Local\Temp\5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3.exe
2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4940

C:\Users\Admin\AppData\Roaming\rundll32.exe
"C:\Users\Admin\AppData\Roaming\rundll32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4900

C:\Users\Admin\AppData\Roaming\rundll32.exe
C:\Users\Admin\AppData\Roaming\rundll32.exe
4⤵
- Executes dropped EXE
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 800
5⤵
- Program crash
PID:112

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:992

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
4⤵
- Executes dropped EXE
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 704
5⤵
- Program crash
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 680
3⤵
- Program crash
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4940 -ip 4940
1⤵
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4832 -ip 4832
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 8 -ip 8
1⤵
PID:4696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\rundll32.exe

Filesize
136KB

MD5
6314acf481191f819a0ebd01d305a1f7

SHA1
42c54a11eec742d8775a4e31c230a2e0842f23cc

SHA256
5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3

SHA512
beb509d721f0f987d236f9bb87fb95ae9470c93a6ce6efd9ec03213b6d9267eacafec8d364701c1391f37868222a1bda59c880217ac455bfeb1aa602f7fc634d

Download Submit
C:\Users\Admin\AppData\Roaming\rundll32.exe

Filesize
136KB

MD5
6314acf481191f819a0ebd01d305a1f7

SHA1
42c54a11eec742d8775a4e31c230a2e0842f23cc

SHA256
5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3

SHA512
beb509d721f0f987d236f9bb87fb95ae9470c93a6ce6efd9ec03213b6d9267eacafec8d364701c1391f37868222a1bda59c880217ac455bfeb1aa602f7fc634d

Download Submit
C:\Users\Admin\AppData\Roaming\rundll32.exe

Filesize
136KB

MD5
6314acf481191f819a0ebd01d305a1f7

SHA1
42c54a11eec742d8775a4e31c230a2e0842f23cc

SHA256
5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3

SHA512
beb509d721f0f987d236f9bb87fb95ae9470c93a6ce6efd9ec03213b6d9267eacafec8d364701c1391f37868222a1bda59c880217ac455bfeb1aa602f7fc634d

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
136KB

MD5
6314acf481191f819a0ebd01d305a1f7

SHA1
42c54a11eec742d8775a4e31c230a2e0842f23cc

SHA256
5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3

SHA512
beb509d721f0f987d236f9bb87fb95ae9470c93a6ce6efd9ec03213b6d9267eacafec8d364701c1391f37868222a1bda59c880217ac455bfeb1aa602f7fc634d

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
136KB

MD5
6314acf481191f819a0ebd01d305a1f7

SHA1
42c54a11eec742d8775a4e31c230a2e0842f23cc

SHA256
5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3

SHA512
beb509d721f0f987d236f9bb87fb95ae9470c93a6ce6efd9ec03213b6d9267eacafec8d364701c1391f37868222a1bda59c880217ac455bfeb1aa602f7fc634d

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
136KB

MD5
6314acf481191f819a0ebd01d305a1f7

SHA1
42c54a11eec742d8775a4e31c230a2e0842f23cc

SHA256
5988ca6923d4668970411878931bc3dd09fadbdcb267533108bcc3869b33e5c3

SHA512
beb509d721f0f987d236f9bb87fb95ae9470c93a6ce6efd9ec03213b6d9267eacafec8d364701c1391f37868222a1bda59c880217ac455bfeb1aa602f7fc634d

Download Submit
memory/8-156-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/8-151-0x0000000000000000-mapping.dmp

Download
memory/8-157-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/992-146-0x0000000000000000-mapping.dmp

Download
memory/4804-134-0x0000000003A60000-0x0000000003A64000-memory.dmp

Filesize
16KB

Download
memory/4832-140-0x0000000000000000-mapping.dmp

Download
memory/4832-150-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4900-137-0x0000000000000000-mapping.dmp

Download
memory/4940-149-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4940-132-0x0000000000000000-mapping.dmp

Download
memory/4940-136-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4940-133-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads