25259e604e8fac89dc0a804b90d4996d283e80a7b1767aed5e1e3d5512729143

General

Target

25259e604e8fac89dc0a804b90d4996d283e80a7b1767aed5e1e3d5512729143.exe
Size

96KB
MD5

839a8b38e411c5816345f457fddbf9eb
SHA1

7e6830e95825123123c3a99c340bea69c15c85c3
SHA256

25259e604e8fac89dc0a804b90d4996d283e80a7b1767aed5e1e3d5512729143
SHA512

f308182b142523af0d4a0fd7ea9a8bed6b01b18ae371c4166ff312a2a0f534fa7f003c7276b6e0fa04a7e42df7eff1f3d8c0383f2823f9c7883508e877b00431
SSDEEP

1536:komALFDs+Kg2ORhfPe5lEA2CgnufjuUwfisAqBMh89CFMV2yaVUGz/:TmAe8/IlEA2Cgg1GisLBp9CEMUe/

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4440	taskhost.exe
204	taskhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskhost = "C:\\Users\\Admin\\AppData\\Roaming\\taskhost.exe"	25259e604e8fac89dc0a804b90d4996d283e80a7b1767aed5e1e3d5512729143.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	25259e604e8fac89dc0a804b90d4996d283e80a7b1767aed5e1e3d5512729143.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3720 set thread context of 3388	3720	25259e604e8fac89dc0a804b90d4996d283e80a7b1767aed5e1e3d5512729143.exe	83
PID 4440 set thread context of 204	4440	taskhost.exe	86

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4544	3720	WerFault.exe	82
3664	4440	WerFault.exe	85

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 3388	3720	25259e604e8fac89dc0a804b90d4996d283e80a7b1767aed5e1e3d5512729143.exe	83
PID 3720 wrote to memory of 3388	3720	25259e604e8fac89dc0a804b90d4996d283e80a7b1767aed5e1e3d5512729143.exe	83
PID 3720 wrote to memory of 3388	3720	25259e604e8fac89dc0a804b90d4996d283e80a7b1767aed5e1e3d5512729143.exe	83
PID 3720 wrote to memory of 3388	3720	25259e604e8fac89dc0a804b90d4996d283e80a7b1767aed5e1e3d5512729143.exe	83
PID 3720 wrote to memory of 3388	3720	25259e604e8fac89dc0a804b90d4996d283e80a7b1767aed5e1e3d5512729143.exe	83
PID 3388 wrote to memory of 4440	3388	25259e604e8fac89dc0a804b90d4996d283e80a7b1767aed5e1e3d5512729143.exe	85
PID 3388 wrote to memory of 4440	3388	25259e604e8fac89dc0a804b90d4996d283e80a7b1767aed5e1e3d5512729143.exe	85
PID 3388 wrote to memory of 4440	3388	25259e604e8fac89dc0a804b90d4996d283e80a7b1767aed5e1e3d5512729143.exe	85
PID 4440 wrote to memory of 204	4440	taskhost.exe	86
PID 4440 wrote to memory of 204	4440	taskhost.exe	86
PID 4440 wrote to memory of 204	4440	taskhost.exe	86
PID 4440 wrote to memory of 204	4440	taskhost.exe	86
PID 4440 wrote to memory of 204	4440	taskhost.exe	86

C:\Users\Admin\AppData\Local\Temp\25259e604e8fac89dc0a804b90d4996d283e80a7b1767aed5e1e3d5512729143.exe
"C:\Users\Admin\AppData\Local\Temp\25259e604e8fac89dc0a804b90d4996d283e80a7b1767aed5e1e3d5512729143.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Users\Admin\AppData\Local\Temp\25259e604e8fac89dc0a804b90d4996d283e80a7b1767aed5e1e3d5512729143.exe
  C:\Users\Admin\AppData\Local\Temp\25259e604e8fac89dc0a804b90d4996d283e80a7b1767aed5e1e3d5512729143.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Users\Admin\AppData\Roaming\taskhost.exe
    C:\Users\Admin\AppData\Roaming\taskhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Users\Admin\AppData\Roaming\taskhost.exe
      C:\Users\Admin\AppData\Roaming\taskhost.exe
      4⤵
      Executes dropped EXE
      PID:204
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 296
      4⤵
      Program crash
      PID:3664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 308
  2⤵
  - Program crash
  PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3720 -ip 3720
1⤵
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4440 -ip 4440
1⤵
PID:208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
96KB

MD5
d3c38ef393cb6c38bd884ba4c26e09ca

SHA1
9f61ac0fa7629f47fe6fde8eca4f9f25da1a5ede

SHA256
65386a92d5c520b88c8cbde869aac672b94682a9322796e5c98535f284daa3bd

SHA512
e8a2b9272a4598b8fcac035afc25b0a41f3269abfec4ee23a7423e3a165b61a7bbe5436926cc9f78b2958bba40c1f5853ca1426fd46d556f491303d6861f44e2

Download Submit
C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
96KB

MD5
d3c38ef393cb6c38bd884ba4c26e09ca

SHA1
9f61ac0fa7629f47fe6fde8eca4f9f25da1a5ede

SHA256
65386a92d5c520b88c8cbde869aac672b94682a9322796e5c98535f284daa3bd

SHA512
e8a2b9272a4598b8fcac035afc25b0a41f3269abfec4ee23a7423e3a165b61a7bbe5436926cc9f78b2958bba40c1f5853ca1426fd46d556f491303d6861f44e2

Download Submit
C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
96KB

MD5
d3c38ef393cb6c38bd884ba4c26e09ca

SHA1
9f61ac0fa7629f47fe6fde8eca4f9f25da1a5ede

SHA256
65386a92d5c520b88c8cbde869aac672b94682a9322796e5c98535f284daa3bd

SHA512
e8a2b9272a4598b8fcac035afc25b0a41f3269abfec4ee23a7423e3a165b61a7bbe5436926cc9f78b2958bba40c1f5853ca1426fd46d556f491303d6861f44e2

Download Submit
memory/204-142-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/204-143-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3388-133-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3388-134-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3388-135-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3388-144-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing