750aead9b98bea9e751070ecf2035de34558bcf4d7b6156ff18a2f5a13f89667

General

Target

750aead9b98bea9e751070ecf2035de34558bcf4d7b6156ff18a2f5a13f89667.exe
Size

132KB
MD5

e92b5d7b26b40b5793f466859af6aab4
SHA1

0f4cfa02426e99db89372f0a0387a29f9cd8cb11
SHA256

750aead9b98bea9e751070ecf2035de34558bcf4d7b6156ff18a2f5a13f89667
SHA512

eee3a9dab90f3023234b760c232febe134084c433b6f4f9305ffc01aac9ce4abf153016d64f604b7d6e7b3daae7e303c4794ba9109a2d0b616dd1f4edb32e907
SSDEEP

1536:yYnYr5dYbuVjajSjJm95llPFct+faAoUt+Qeg6TKVbXNXaBwpkzeqHaQvMzhzYPS:HnjbSVylFctTB9utwwGraQIBYPS

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1280	taskhost.exe
2716	taskhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	750aead9b98bea9e751070ecf2035de34558bcf4d7b6156ff18a2f5a13f89667.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskhost = "C:\\Users\\Admin\\AppData\\Roaming\\taskhost.exe"	750aead9b98bea9e751070ecf2035de34558bcf4d7b6156ff18a2f5a13f89667.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3464 set thread context of 3692	3464	750aead9b98bea9e751070ecf2035de34558bcf4d7b6156ff18a2f5a13f89667.exe	85
PID 1280 set thread context of 2716	1280	taskhost.exe	90

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5052	3464	WerFault.exe	81
396	1280	WerFault.exe	89

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 3692	3464	750aead9b98bea9e751070ecf2035de34558bcf4d7b6156ff18a2f5a13f89667.exe	85
PID 3464 wrote to memory of 3692	3464	750aead9b98bea9e751070ecf2035de34558bcf4d7b6156ff18a2f5a13f89667.exe	85
PID 3464 wrote to memory of 3692	3464	750aead9b98bea9e751070ecf2035de34558bcf4d7b6156ff18a2f5a13f89667.exe	85
PID 3464 wrote to memory of 3692	3464	750aead9b98bea9e751070ecf2035de34558bcf4d7b6156ff18a2f5a13f89667.exe	85
PID 3464 wrote to memory of 3692	3464	750aead9b98bea9e751070ecf2035de34558bcf4d7b6156ff18a2f5a13f89667.exe	85
PID 3692 wrote to memory of 1280	3692	750aead9b98bea9e751070ecf2035de34558bcf4d7b6156ff18a2f5a13f89667.exe	89
PID 3692 wrote to memory of 1280	3692	750aead9b98bea9e751070ecf2035de34558bcf4d7b6156ff18a2f5a13f89667.exe	89
PID 3692 wrote to memory of 1280	3692	750aead9b98bea9e751070ecf2035de34558bcf4d7b6156ff18a2f5a13f89667.exe	89
PID 1280 wrote to memory of 2716	1280	taskhost.exe	90
PID 1280 wrote to memory of 2716	1280	taskhost.exe	90
PID 1280 wrote to memory of 2716	1280	taskhost.exe	90
PID 1280 wrote to memory of 2716	1280	taskhost.exe	90
PID 1280 wrote to memory of 2716	1280	taskhost.exe	90

C:\Users\Admin\AppData\Local\Temp\750aead9b98bea9e751070ecf2035de34558bcf4d7b6156ff18a2f5a13f89667.exe
"C:\Users\Admin\AppData\Local\Temp\750aead9b98bea9e751070ecf2035de34558bcf4d7b6156ff18a2f5a13f89667.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Users\Admin\AppData\Local\Temp\750aead9b98bea9e751070ecf2035de34558bcf4d7b6156ff18a2f5a13f89667.exe
  C:\Users\Admin\AppData\Local\Temp\750aead9b98bea9e751070ecf2035de34558bcf4d7b6156ff18a2f5a13f89667.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Users\Admin\AppData\Roaming\taskhost.exe
    C:\Users\Admin\AppData\Roaming\taskhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1280
  - - C:\Users\Admin\AppData\Roaming\taskhost.exe
      C:\Users\Admin\AppData\Roaming\taskhost.exe
      4⤵
      Executes dropped EXE
      PID:2716
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 308
      4⤵
      Program crash
      PID:396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 296
  2⤵
  - Program crash
  PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3464 -ip 3464
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1280 -ip 1280
1⤵
PID:2860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
132KB

MD5
2cbe3bc73f7ac9d83bbe93f4a9e4427f

SHA1
cc63bd4c156a50ec0a84e0fc3d51a23560f7eef4

SHA256
8d5800aff6dd10670b81bda5754716e8d97824f72391d036a5e560c69612871d

SHA512
5b7a8830f6c44f2e1b5c961c79ff0f36cf9593def9ea4cd4149eb77d5a78dbacc220168a8bc5c4bec62693bd8b63cd6a75b9e3c0b345b3de9ecdbff43cc0c3d2

Download Submit
C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
132KB

MD5
2cbe3bc73f7ac9d83bbe93f4a9e4427f

SHA1
cc63bd4c156a50ec0a84e0fc3d51a23560f7eef4

SHA256
8d5800aff6dd10670b81bda5754716e8d97824f72391d036a5e560c69612871d

SHA512
5b7a8830f6c44f2e1b5c961c79ff0f36cf9593def9ea4cd4149eb77d5a78dbacc220168a8bc5c4bec62693bd8b63cd6a75b9e3c0b345b3de9ecdbff43cc0c3d2

Download Submit
C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
132KB

MD5
2cbe3bc73f7ac9d83bbe93f4a9e4427f

SHA1
cc63bd4c156a50ec0a84e0fc3d51a23560f7eef4

SHA256
8d5800aff6dd10670b81bda5754716e8d97824f72391d036a5e560c69612871d

SHA512
5b7a8830f6c44f2e1b5c961c79ff0f36cf9593def9ea4cd4149eb77d5a78dbacc220168a8bc5c4bec62693bd8b63cd6a75b9e3c0b345b3de9ecdbff43cc0c3d2

Download Submit
memory/2716-143-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2716-144-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3692-133-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3692-134-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3692-135-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3692-136-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing