9fda75c77ed5e6d8f673aa4c1582d5497dd9f8958199e28997b0f3befaf4b625

General

Target

9fda75c77ed5e6d8f673aa4c1582d5497dd9f8958199e28997b0f3befaf4b625.exe
Size

1.8MB
MD5

99ba50fea2e8f47619b77ec74d562e1c
SHA1

017d72654d254f46de346efaad0a9b0937f38a60
SHA256

9fda75c77ed5e6d8f673aa4c1582d5497dd9f8958199e28997b0f3befaf4b625
SHA512

5f52e07673adbd6132c05873266c3a25770387bdb64e5a8452f7acea526e1b6809e50ba62522f07b98bcfe1a9942c3b52eeb14688d6391e2f61fb6cd31a2bcad
SSDEEP

49152:RvpZYsaHqe9AQhlPiTPi/3OQBipYI46GUA:RvpZuqe9AQhlPiTPi/3OQBipYI46GUA

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

windll.exe

pid process

956 windll.exe

pid	process
956	windll.exe

Loads dropped DLL 5 IoCs

Processes:

9fda75c77ed5e6d8f673aa4c1582d5497dd9f8958199e28997b0f3befaf4b625.exeWerFault.exe

pid	process
1168	9fda75c77ed5e6d8f673aa4c1582d5497dd9f8958199e28997b0f3befaf4b625.exe
1168	9fda75c77ed5e6d8f673aa4c1582d5497dd9f8958199e28997b0f3befaf4b625.exe
1288	WerFault.exe
1288	WerFault.exe
1288	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9fda75c77ed5e6d8f673aa4c1582d5497dd9f8958199e28997b0f3befaf4b625.exewindll.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Processor = "C:\\Users\\Admin\\AppData\\Roaming\\updater\\windll.exe"	9fda75c77ed5e6d8f673aa4c1582d5497dd9f8958199e28997b0f3befaf4b625.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Processor = "C:\\Users\\Admin\\AppData\\Roaming\\updater\\windll.exe"	windll.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1288 956 WerFault.exe windll.exe

pid	pid_target	process	target process
1288	956	WerFault.exe	windll.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9fda75c77ed5e6d8f673aa4c1582d5497dd9f8958199e28997b0f3befaf4b625.exewindll.exe

description	pid	process	target process
PID 1168 wrote to memory of 956	1168	9fda75c77ed5e6d8f673aa4c1582d5497dd9f8958199e28997b0f3befaf4b625.exe	windll.exe
PID 1168 wrote to memory of 956	1168	9fda75c77ed5e6d8f673aa4c1582d5497dd9f8958199e28997b0f3befaf4b625.exe	windll.exe
PID 1168 wrote to memory of 956	1168	9fda75c77ed5e6d8f673aa4c1582d5497dd9f8958199e28997b0f3befaf4b625.exe	windll.exe
PID 1168 wrote to memory of 956	1168	9fda75c77ed5e6d8f673aa4c1582d5497dd9f8958199e28997b0f3befaf4b625.exe	windll.exe
PID 956 wrote to memory of 1288	956	windll.exe	WerFault.exe
PID 956 wrote to memory of 1288	956	windll.exe	WerFault.exe
PID 956 wrote to memory of 1288	956	windll.exe	WerFault.exe
PID 956 wrote to memory of 1288	956	windll.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\9fda75c77ed5e6d8f673aa4c1582d5497dd9f8958199e28997b0f3befaf4b625.exe
"C:\Users\Admin\AppData\Local\Temp\9fda75c77ed5e6d8f673aa4c1582d5497dd9f8958199e28997b0f3befaf4b625.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1168

C:\Users\Admin\AppData\Roaming\updater\windll.exe
"C:\Users\Admin\AppData\Roaming\updater\windll.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 164
3⤵
- Loads dropped DLL
- Program crash
PID:1288

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\updater\windll.exe
Filesize
1.8MB

MD5
99ba50fea2e8f47619b77ec74d562e1c

SHA1
017d72654d254f46de346efaad0a9b0937f38a60

SHA256
9fda75c77ed5e6d8f673aa4c1582d5497dd9f8958199e28997b0f3befaf4b625

SHA512
5f52e07673adbd6132c05873266c3a25770387bdb64e5a8452f7acea526e1b6809e50ba62522f07b98bcfe1a9942c3b52eeb14688d6391e2f61fb6cd31a2bcad

Download Submit
\Users\Admin\AppData\Roaming\updater\windll.exe
Filesize
1.8MB

MD5
99ba50fea2e8f47619b77ec74d562e1c

SHA1
017d72654d254f46de346efaad0a9b0937f38a60

SHA256
9fda75c77ed5e6d8f673aa4c1582d5497dd9f8958199e28997b0f3befaf4b625

SHA512
5f52e07673adbd6132c05873266c3a25770387bdb64e5a8452f7acea526e1b6809e50ba62522f07b98bcfe1a9942c3b52eeb14688d6391e2f61fb6cd31a2bcad

Download Submit
\Users\Admin\AppData\Roaming\updater\windll.exe
Filesize
1.8MB

MD5
99ba50fea2e8f47619b77ec74d562e1c

SHA1
017d72654d254f46de346efaad0a9b0937f38a60

SHA256
9fda75c77ed5e6d8f673aa4c1582d5497dd9f8958199e28997b0f3befaf4b625

SHA512
5f52e07673adbd6132c05873266c3a25770387bdb64e5a8452f7acea526e1b6809e50ba62522f07b98bcfe1a9942c3b52eeb14688d6391e2f61fb6cd31a2bcad

Download Submit
\Users\Admin\AppData\Roaming\updater\windll.exe
Filesize
1.8MB

MD5
99ba50fea2e8f47619b77ec74d562e1c

SHA1
017d72654d254f46de346efaad0a9b0937f38a60

SHA256
9fda75c77ed5e6d8f673aa4c1582d5497dd9f8958199e28997b0f3befaf4b625

SHA512
5f52e07673adbd6132c05873266c3a25770387bdb64e5a8452f7acea526e1b6809e50ba62522f07b98bcfe1a9942c3b52eeb14688d6391e2f61fb6cd31a2bcad

Download Submit
\Users\Admin\AppData\Roaming\updater\windll.exe
Filesize
1.8MB

MD5
99ba50fea2e8f47619b77ec74d562e1c

SHA1
017d72654d254f46de346efaad0a9b0937f38a60

SHA256
9fda75c77ed5e6d8f673aa4c1582d5497dd9f8958199e28997b0f3befaf4b625

SHA512
5f52e07673adbd6132c05873266c3a25770387bdb64e5a8452f7acea526e1b6809e50ba62522f07b98bcfe1a9942c3b52eeb14688d6391e2f61fb6cd31a2bcad

Download Submit
\Users\Admin\AppData\Roaming\updater\windll.exe
Filesize
1.8MB

MD5
99ba50fea2e8f47619b77ec74d562e1c

SHA1
017d72654d254f46de346efaad0a9b0937f38a60

SHA256
9fda75c77ed5e6d8f673aa4c1582d5497dd9f8958199e28997b0f3befaf4b625

SHA512
5f52e07673adbd6132c05873266c3a25770387bdb64e5a8452f7acea526e1b6809e50ba62522f07b98bcfe1a9942c3b52eeb14688d6391e2f61fb6cd31a2bcad

Download Submit
memory/956-57-0x0000000000000000-mapping.dmp

Download
memory/956-63-0x0000000000400000-0x0000000000653000-memory.dmp

Filesize
2.3MB

Download
memory/1168-54-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download
memory/1288-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads