baa38e1a42600a3e470b469c423740c383bc0f0cd35b5e794bd8bfec26105e01

General

Target

baa38e1a42600a3e470b469c423740c383bc0f0cd35b5e794bd8bfec26105e01.exe
Size

96KB
MD5

4be1ac9452947d3000daca209972d3cc
SHA1

595d3d653581f70b02c9510d76d4b7a70df73e10
SHA256

baa38e1a42600a3e470b469c423740c383bc0f0cd35b5e794bd8bfec26105e01
SHA512

2b11d8a798e988aa910d25bbebf55f251f354e659d9a5f4d505dffd9e21f7582c7ca2163fb2971a056fa958a67dc6710382a986348161939cc3a11e37138e0f0
SSDEEP

1536:S2dX/KGcry9vASJJ2DbxN4j+s+Ci5d5lIE1ppxRp9bDEvLlIAA31cviZi/:d/V2yVHsQjN+Ci9l5Zp5SIAA3LZi/

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2124	taskhost.exe
3820	taskhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	baa38e1a42600a3e470b469c423740c383bc0f0cd35b5e794bd8bfec26105e01.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskhost = "C:\\Users\\Admin\\AppData\\Roaming\\taskhost.exe"	baa38e1a42600a3e470b469c423740c383bc0f0cd35b5e794bd8bfec26105e01.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4244 set thread context of 3280	4244	baa38e1a42600a3e470b469c423740c383bc0f0cd35b5e794bd8bfec26105e01.exe	80
PID 2124 set thread context of 3820	2124	taskhost.exe	85

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4704	4244	WerFault.exe	79
2288	2124	WerFault.exe	82

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 3280	4244	baa38e1a42600a3e470b469c423740c383bc0f0cd35b5e794bd8bfec26105e01.exe	80
PID 4244 wrote to memory of 3280	4244	baa38e1a42600a3e470b469c423740c383bc0f0cd35b5e794bd8bfec26105e01.exe	80
PID 4244 wrote to memory of 3280	4244	baa38e1a42600a3e470b469c423740c383bc0f0cd35b5e794bd8bfec26105e01.exe	80
PID 4244 wrote to memory of 3280	4244	baa38e1a42600a3e470b469c423740c383bc0f0cd35b5e794bd8bfec26105e01.exe	80
PID 4244 wrote to memory of 3280	4244	baa38e1a42600a3e470b469c423740c383bc0f0cd35b5e794bd8bfec26105e01.exe	80
PID 3280 wrote to memory of 2124	3280	baa38e1a42600a3e470b469c423740c383bc0f0cd35b5e794bd8bfec26105e01.exe	82
PID 3280 wrote to memory of 2124	3280	baa38e1a42600a3e470b469c423740c383bc0f0cd35b5e794bd8bfec26105e01.exe	82
PID 3280 wrote to memory of 2124	3280	baa38e1a42600a3e470b469c423740c383bc0f0cd35b5e794bd8bfec26105e01.exe	82
PID 2124 wrote to memory of 3820	2124	taskhost.exe	85
PID 2124 wrote to memory of 3820	2124	taskhost.exe	85
PID 2124 wrote to memory of 3820	2124	taskhost.exe	85
PID 2124 wrote to memory of 3820	2124	taskhost.exe	85
PID 2124 wrote to memory of 3820	2124	taskhost.exe	85

C:\Users\Admin\AppData\Local\Temp\baa38e1a42600a3e470b469c423740c383bc0f0cd35b5e794bd8bfec26105e01.exe
"C:\Users\Admin\AppData\Local\Temp\baa38e1a42600a3e470b469c423740c383bc0f0cd35b5e794bd8bfec26105e01.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Users\Admin\AppData\Local\Temp\baa38e1a42600a3e470b469c423740c383bc0f0cd35b5e794bd8bfec26105e01.exe
  C:\Users\Admin\AppData\Local\Temp\baa38e1a42600a3e470b469c423740c383bc0f0cd35b5e794bd8bfec26105e01.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Users\Admin\AppData\Roaming\taskhost.exe
    C:\Users\Admin\AppData\Roaming\taskhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Users\Admin\AppData\Roaming\taskhost.exe
      C:\Users\Admin\AppData\Roaming\taskhost.exe
      4⤵
      Executes dropped EXE
      PID:3820
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 296
      4⤵
      Program crash
      PID:2288
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 300
  2⤵
  - Program crash
  PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4244 -ip 4244
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2124 -ip 2124
1⤵
PID:1784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
96KB

MD5
413eb4df6fca058373d2e07edabb1ef2

SHA1
71d23bf40422d8b0815d87f4e5f99f47c3912334

SHA256
1f28e884b043bbb340954fdd59a8efcf8fc9494cade4f83144fe57e7ac0f142a

SHA512
981377df10be155d3da647be0b25c8d6188737b078780b3d2d1a76b75b356b6c4258fa5695aaf5064928ba19d78ee1cf1f7654aefa3cb2793c833661c0418ccc

Download Submit
C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
96KB

MD5
413eb4df6fca058373d2e07edabb1ef2

SHA1
71d23bf40422d8b0815d87f4e5f99f47c3912334

SHA256
1f28e884b043bbb340954fdd59a8efcf8fc9494cade4f83144fe57e7ac0f142a

SHA512
981377df10be155d3da647be0b25c8d6188737b078780b3d2d1a76b75b356b6c4258fa5695aaf5064928ba19d78ee1cf1f7654aefa3cb2793c833661c0418ccc

Download Submit
C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
96KB

MD5
413eb4df6fca058373d2e07edabb1ef2

SHA1
71d23bf40422d8b0815d87f4e5f99f47c3912334

SHA256
1f28e884b043bbb340954fdd59a8efcf8fc9494cade4f83144fe57e7ac0f142a

SHA512
981377df10be155d3da647be0b25c8d6188737b078780b3d2d1a76b75b356b6c4258fa5695aaf5064928ba19d78ee1cf1f7654aefa3cb2793c833661c0418ccc

Download Submit
memory/3280-133-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3280-134-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3280-135-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3280-139-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3820-143-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3820-144-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing