7dae2dead47e1f39ccbf4a95fdfb038fff84e1058462aee2a3e3bdb169f4de51

General

Target

7dae2dead47e1f39ccbf4a95fdfb038fff84e1058462aee2a3e3bdb169f4de51.exe
Size

96KB
MD5

4d30e5f2c7fa3928aac7c47eaf1f4763
SHA1

383940776bc833aefb5754e37ad36b1521cccf54
SHA256

7dae2dead47e1f39ccbf4a95fdfb038fff84e1058462aee2a3e3bdb169f4de51
SHA512

4904dd1eddcbae07ddfa8507e8f2a7a5ac6f58b7dfa03c75be281054bcda10636f9e7447a1765c7b6220a99ef218f3282863f85bd8bd48cd4409f43d0c511c04
SSDEEP

1536:VIQ1MUEiRAdUXX7aM++Pu58WOYcITw8PAkRXyeBvPgGaX/:uqM+RAg/+3nOYcArP3x7vPgZ/

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2580	taskhost.exe
5108	taskhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskhost = "C:\\Users\\Admin\\taskhost.exe"	taskhost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2300 set thread context of 1324	2300	7dae2dead47e1f39ccbf4a95fdfb038fff84e1058462aee2a3e3bdb169f4de51.exe	84
PID 2580 set thread context of 5108	2580	taskhost.exe	88

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3796	2300	WerFault.exe	83
3576	2580	WerFault.exe	86

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 1324	2300	7dae2dead47e1f39ccbf4a95fdfb038fff84e1058462aee2a3e3bdb169f4de51.exe	84
PID 2300 wrote to memory of 1324	2300	7dae2dead47e1f39ccbf4a95fdfb038fff84e1058462aee2a3e3bdb169f4de51.exe	84
PID 2300 wrote to memory of 1324	2300	7dae2dead47e1f39ccbf4a95fdfb038fff84e1058462aee2a3e3bdb169f4de51.exe	84
PID 2300 wrote to memory of 1324	2300	7dae2dead47e1f39ccbf4a95fdfb038fff84e1058462aee2a3e3bdb169f4de51.exe	84
PID 2300 wrote to memory of 1324	2300	7dae2dead47e1f39ccbf4a95fdfb038fff84e1058462aee2a3e3bdb169f4de51.exe	84
PID 1324 wrote to memory of 2580	1324	7dae2dead47e1f39ccbf4a95fdfb038fff84e1058462aee2a3e3bdb169f4de51.exe	86
PID 1324 wrote to memory of 2580	1324	7dae2dead47e1f39ccbf4a95fdfb038fff84e1058462aee2a3e3bdb169f4de51.exe	86
PID 1324 wrote to memory of 2580	1324	7dae2dead47e1f39ccbf4a95fdfb038fff84e1058462aee2a3e3bdb169f4de51.exe	86
PID 2580 wrote to memory of 5108	2580	taskhost.exe	88
PID 2580 wrote to memory of 5108	2580	taskhost.exe	88
PID 2580 wrote to memory of 5108	2580	taskhost.exe	88
PID 2580 wrote to memory of 5108	2580	taskhost.exe	88
PID 2580 wrote to memory of 5108	2580	taskhost.exe	88

C:\Users\Admin\AppData\Local\Temp\7dae2dead47e1f39ccbf4a95fdfb038fff84e1058462aee2a3e3bdb169f4de51.exe
"C:\Users\Admin\AppData\Local\Temp\7dae2dead47e1f39ccbf4a95fdfb038fff84e1058462aee2a3e3bdb169f4de51.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Local\Temp\7dae2dead47e1f39ccbf4a95fdfb038fff84e1058462aee2a3e3bdb169f4de51.exe
  C:\Users\Admin\AppData\Local\Temp\7dae2dead47e1f39ccbf4a95fdfb038fff84e1058462aee2a3e3bdb169f4de51.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Users\Admin\taskhost.exe
    C:\Users\Admin\taskhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Users\Admin\taskhost.exe
      C:\Users\Admin\taskhost.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:5108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 320
      4⤵
      Program crash
      PID:3576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 324
  2⤵
  - Program crash
  PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2300 -ip 2300
1⤵
PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2580 -ip 2580
1⤵
PID:3828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\taskhost.exe

Filesize
96KB

MD5
2b8d596ce4376cda6ea91c452b93b8c4

SHA1
2dc6fbc757719e7ab4c4490329a12dee52e3d2fc

SHA256
7fe62857d6e89ef021288d0ae57b7e50af060ff5f632c4b70fc53431796e4b3f

SHA512
e0558d6f47cfc7fb4b0778d1b6e25f6f42002c248139c863f218b1f1fdbf811eb41f4e07d0e75454a9c42c748de77fcd6ddbdd498d81e7e325e1668c9deae37e

Download Submit
C:\Users\Admin\taskhost.exe

Filesize
96KB

MD5
2b8d596ce4376cda6ea91c452b93b8c4

SHA1
2dc6fbc757719e7ab4c4490329a12dee52e3d2fc

SHA256
7fe62857d6e89ef021288d0ae57b7e50af060ff5f632c4b70fc53431796e4b3f

SHA512
e0558d6f47cfc7fb4b0778d1b6e25f6f42002c248139c863f218b1f1fdbf811eb41f4e07d0e75454a9c42c748de77fcd6ddbdd498d81e7e325e1668c9deae37e

Download Submit
C:\Users\Admin\taskhost.exe

Filesize
96KB

MD5
2b8d596ce4376cda6ea91c452b93b8c4

SHA1
2dc6fbc757719e7ab4c4490329a12dee52e3d2fc

SHA256
7fe62857d6e89ef021288d0ae57b7e50af060ff5f632c4b70fc53431796e4b3f

SHA512
e0558d6f47cfc7fb4b0778d1b6e25f6f42002c248139c863f218b1f1fdbf811eb41f4e07d0e75454a9c42c748de77fcd6ddbdd498d81e7e325e1668c9deae37e

Download Submit
memory/1324-135-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1324-134-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1324-133-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1324-139-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5108-143-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5108-144-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5108-145-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing