3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334

General

Target

3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe
Size

132KB
MD5

29e56290b671dc623d223ff0473dfa90
SHA1

e0a5553a01d4ca86f6bc307065b791429fdd7d57
SHA256

3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334
SHA512

79c0632b5b2846f220ee137278a8406bf7cd7880cd548cf000f9089a2255ef0937a6924efd4db6522dfd19df2fcd74bba389b108e9a38389135bc2db0afed63e
SSDEEP

1536:AcNs9OIbKQ7usjxpM4Is5ctj4AN/r4TJHpL016gIZkuGtiJPpK+WN/F+/YAPd2xU:JA3bL1I6ctj4Ys216ysLKnNdc22P

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
560	taskhost.exe
660	taskhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskhost = "C:\\Users\\Admin\\AppData\\Roaming\\taskhost.exe"	3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1340 set thread context of 2232	1340	3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe	83
PID 560 set thread context of 660	560	taskhost.exe	87

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3660	1340	WerFault.exe	82
1932	1340	WerFault.exe	82
3864	560	WerFault.exe	86

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 2232	1340	3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe	83
PID 1340 wrote to memory of 2232	1340	3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe	83
PID 1340 wrote to memory of 2232	1340	3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe	83
PID 1340 wrote to memory of 2232	1340	3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe	83
PID 1340 wrote to memory of 2232	1340	3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe	83
PID 2232 wrote to memory of 560	2232	3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe	86
PID 2232 wrote to memory of 560	2232	3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe	86
PID 2232 wrote to memory of 560	2232	3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe	86
PID 560 wrote to memory of 660	560	taskhost.exe	87
PID 560 wrote to memory of 660	560	taskhost.exe	87
PID 560 wrote to memory of 660	560	taskhost.exe	87
PID 560 wrote to memory of 660	560	taskhost.exe	87
PID 560 wrote to memory of 660	560	taskhost.exe	87
PID 1340 wrote to memory of 3660	1340	3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe	89
PID 1340 wrote to memory of 3660	1340	3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe	89
PID 1340 wrote to memory of 3660	1340	3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe	89

C:\Users\Admin\AppData\Local\Temp\3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe
"C:\Users\Admin\AppData\Local\Temp\3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Local\Temp\3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe
  C:\Users\Admin\AppData\Local\Temp\3ab8de692508d38862911456e4fca5cca2e70f07679070199498295ca957e334.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Users\Admin\AppData\Roaming\taskhost.exe
    C:\Users\Admin\AppData\Roaming\taskhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Users\Admin\AppData\Roaming\taskhost.exe
      C:\Users\Admin\AppData\Roaming\taskhost.exe
      4⤵
      Executes dropped EXE
      PID:660
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 292
      4⤵
      Program crash
      PID:3864
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 276
  2⤵
  - Program crash
  PID:3660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 276
  2⤵
  - Program crash
  PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1340 -ip 1340
1⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 560 -ip 560
1⤵
PID:2736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
132KB

MD5
6cbb07d9917c361003f2bb23608f8dde

SHA1
cbae96e139824c80ebc7baf2a9b40795547c93f8

SHA256
3de084b1ede7d9d491797db41086d29072d15ca3700e7fa156d40247eb59d226

SHA512
99f2c88934204cd6d791f198709f4e3ab11a421e0a4b7e6364a03d2fcab021a5e63424000ba72525e9878ab5df73be3734bf0814002f2fdfd174d16d44ebbbec

Download Submit
C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
132KB

MD5
6cbb07d9917c361003f2bb23608f8dde

SHA1
cbae96e139824c80ebc7baf2a9b40795547c93f8

SHA256
3de084b1ede7d9d491797db41086d29072d15ca3700e7fa156d40247eb59d226

SHA512
99f2c88934204cd6d791f198709f4e3ab11a421e0a4b7e6364a03d2fcab021a5e63424000ba72525e9878ab5df73be3734bf0814002f2fdfd174d16d44ebbbec

Download Submit
C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
132KB

MD5
6cbb07d9917c361003f2bb23608f8dde

SHA1
cbae96e139824c80ebc7baf2a9b40795547c93f8

SHA256
3de084b1ede7d9d491797db41086d29072d15ca3700e7fa156d40247eb59d226

SHA512
99f2c88934204cd6d791f198709f4e3ab11a421e0a4b7e6364a03d2fcab021a5e63424000ba72525e9878ab5df73be3734bf0814002f2fdfd174d16d44ebbbec

Download Submit
memory/660-143-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/660-144-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/660-146-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2232-135-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2232-136-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2232-134-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2232-133-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing