c39879a479e0871efe2eb6724ed0342bb29f42f0677a56b84bde860c3bd16142

General

Target

c39879a479e0871efe2eb6724ed0342bb29f42f0677a56b84bde860c3bd16142.exe
Size

96KB
MD5

105002807ce3560d5bf46b3c1d6eea91
SHA1

95179c3cbee3863b790de26606fa40b3b84fc25d
SHA256

c39879a479e0871efe2eb6724ed0342bb29f42f0677a56b84bde860c3bd16142
SHA512

6fc99a536ec28afe8fa3d4b15cc523bbafde5467939704033377e60507c8e1e7a97eb221938c28032b00179748bce645dc5c2b7ab89abf411b2b4a325f27b5f4
SSDEEP

1536:J8fGHUrKRtrhcamH7XVkEmiSngrR92SjuJ7cPcj3CnisY3A2ro4dxti/:8GH2KRXc3blXmtnitjuJG6SisYQT4b4/

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3920	taskhost.exe
2348	taskhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	c39879a479e0871efe2eb6724ed0342bb29f42f0677a56b84bde860c3bd16142.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskhost = "C:\\Users\\Admin\\AppData\\Roaming\\taskhost.exe"	c39879a479e0871efe2eb6724ed0342bb29f42f0677a56b84bde860c3bd16142.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2236 set thread context of 3540	2236	c39879a479e0871efe2eb6724ed0342bb29f42f0677a56b84bde860c3bd16142.exe	83
PID 3920 set thread context of 2348	3920	taskhost.exe	86

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2064	2236	WerFault.exe	82
2952	3920	WerFault.exe	85

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 3540	2236	c39879a479e0871efe2eb6724ed0342bb29f42f0677a56b84bde860c3bd16142.exe	83
PID 2236 wrote to memory of 3540	2236	c39879a479e0871efe2eb6724ed0342bb29f42f0677a56b84bde860c3bd16142.exe	83
PID 2236 wrote to memory of 3540	2236	c39879a479e0871efe2eb6724ed0342bb29f42f0677a56b84bde860c3bd16142.exe	83
PID 2236 wrote to memory of 3540	2236	c39879a479e0871efe2eb6724ed0342bb29f42f0677a56b84bde860c3bd16142.exe	83
PID 2236 wrote to memory of 3540	2236	c39879a479e0871efe2eb6724ed0342bb29f42f0677a56b84bde860c3bd16142.exe	83
PID 3540 wrote to memory of 3920	3540	c39879a479e0871efe2eb6724ed0342bb29f42f0677a56b84bde860c3bd16142.exe	85
PID 3540 wrote to memory of 3920	3540	c39879a479e0871efe2eb6724ed0342bb29f42f0677a56b84bde860c3bd16142.exe	85
PID 3540 wrote to memory of 3920	3540	c39879a479e0871efe2eb6724ed0342bb29f42f0677a56b84bde860c3bd16142.exe	85
PID 3920 wrote to memory of 2348	3920	taskhost.exe	86
PID 3920 wrote to memory of 2348	3920	taskhost.exe	86
PID 3920 wrote to memory of 2348	3920	taskhost.exe	86
PID 3920 wrote to memory of 2348	3920	taskhost.exe	86
PID 3920 wrote to memory of 2348	3920	taskhost.exe	86

C:\Users\Admin\AppData\Local\Temp\c39879a479e0871efe2eb6724ed0342bb29f42f0677a56b84bde860c3bd16142.exe
"C:\Users\Admin\AppData\Local\Temp\c39879a479e0871efe2eb6724ed0342bb29f42f0677a56b84bde860c3bd16142.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\c39879a479e0871efe2eb6724ed0342bb29f42f0677a56b84bde860c3bd16142.exe
  C:\Users\Admin\AppData\Local\Temp\c39879a479e0871efe2eb6724ed0342bb29f42f0677a56b84bde860c3bd16142.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Users\Admin\AppData\Roaming\taskhost.exe
    C:\Users\Admin\AppData\Roaming\taskhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3920
  - - C:\Users\Admin\AppData\Roaming\taskhost.exe
      C:\Users\Admin\AppData\Roaming\taskhost.exe
      4⤵
      Executes dropped EXE
      PID:2348
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 296
      4⤵
      Program crash
      PID:2952
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 308
  2⤵
  - Program crash
  PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2236 -ip 2236
1⤵
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3920 -ip 3920
1⤵
PID:3680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
96KB

MD5
6d056c4d9d6f914bd0fbcd17c3eeef6e

SHA1
e4825e1a2b59ef5b9db10ce3ade24125caef69be

SHA256
983e86d0752a046305402cd3fd4b2ce9899c064e9f5d5e28e57f430ecd6925e9

SHA512
27fa81abe560fe310dc673bba15efcc0927d69fa5ebae977d36a7ba903461d222e5d8d24291ac713799dba96a374a1ff2ce42ff0c50dbe178a98133657fdd748

Download Submit
C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
96KB

MD5
6d056c4d9d6f914bd0fbcd17c3eeef6e

SHA1
e4825e1a2b59ef5b9db10ce3ade24125caef69be

SHA256
983e86d0752a046305402cd3fd4b2ce9899c064e9f5d5e28e57f430ecd6925e9

SHA512
27fa81abe560fe310dc673bba15efcc0927d69fa5ebae977d36a7ba903461d222e5d8d24291ac713799dba96a374a1ff2ce42ff0c50dbe178a98133657fdd748

Download Submit
C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
96KB

MD5
6d056c4d9d6f914bd0fbcd17c3eeef6e

SHA1
e4825e1a2b59ef5b9db10ce3ade24125caef69be

SHA256
983e86d0752a046305402cd3fd4b2ce9899c064e9f5d5e28e57f430ecd6925e9

SHA512
27fa81abe560fe310dc673bba15efcc0927d69fa5ebae977d36a7ba903461d222e5d8d24291ac713799dba96a374a1ff2ce42ff0c50dbe178a98133657fdd748

Download Submit
memory/2348-142-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2348-143-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2348-145-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3540-135-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3540-134-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3540-133-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3540-144-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing