b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8

Analysis

max time kernel
104s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 20:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe
Size

103KB
MD5

56ee52297271c6b93d6dae8d68c38c5d
SHA1

092a21b90b23d65a841f7178e00d1ad5996cba84
SHA256

b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8
SHA512

bd15ad2fe47018639629ed1286638e7dee4381a0c07a5f0fa9b84c6b08f77fc92fb099a4c560666565e894005778479433357f589f7a5d433959ce51480f0849
SSDEEP

1536:V5neEhlcTW5sk1jtf2XvWINndIcN6Jdas5gPzCz4uQu801JXDkaDuX3ePTE0Q55r:3nj9jtfU+INndIc0J15lzfQ90prbTYQ4

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1352	TINYBO~1.EXE
1104	project1.exe
108	project1.exe

Loads dropped DLL 13 IoCs

pid	Process
1516	b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe
1516	b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe
1352	TINYBO~1.EXE
1516	b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe
1516	b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe
1104	project1.exe
1104	project1.exe
108	project1.exe
1540	WerFault.exe
1540	WerFault.exe
1540	WerFault.exe
1540	WerFault.exe
1540	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1104 set thread context of 108	1104	project1.exe	30

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1540	108	WerFault.exe	30

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1352	TINYBO~1.EXE
1104	project1.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1352	1516	b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe	28
PID 1516 wrote to memory of 1352	1516	b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe	28
PID 1516 wrote to memory of 1352	1516	b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe	28
PID 1516 wrote to memory of 1352	1516	b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe	28
PID 1516 wrote to memory of 1352	1516	b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe	28
PID 1516 wrote to memory of 1352	1516	b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe	28
PID 1516 wrote to memory of 1352	1516	b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe	28
PID 1516 wrote to memory of 1104	1516	b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe	29
PID 1516 wrote to memory of 1104	1516	b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe	29
PID 1516 wrote to memory of 1104	1516	b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe	29
PID 1516 wrote to memory of 1104	1516	b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe	29
PID 1516 wrote to memory of 1104	1516	b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe	29
PID 1516 wrote to memory of 1104	1516	b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe	29
PID 1516 wrote to memory of 1104	1516	b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe	29
PID 1104 wrote to memory of 108	1104	project1.exe	30
PID 1104 wrote to memory of 108	1104	project1.exe	30
PID 1104 wrote to memory of 108	1104	project1.exe	30
PID 1104 wrote to memory of 108	1104	project1.exe	30
PID 1104 wrote to memory of 108	1104	project1.exe	30
PID 1104 wrote to memory of 108	1104	project1.exe	30
PID 1104 wrote to memory of 108	1104	project1.exe	30
PID 1104 wrote to memory of 108	1104	project1.exe	30
PID 1104 wrote to memory of 108	1104	project1.exe	30
PID 1104 wrote to memory of 108	1104	project1.exe	30
PID 108 wrote to memory of 1540	108	project1.exe	31
PID 108 wrote to memory of 1540	108	project1.exe	31
PID 108 wrote to memory of 1540	108	project1.exe	31
PID 108 wrote to memory of 1540	108	project1.exe	31
PID 108 wrote to memory of 1540	108	project1.exe	31
PID 108 wrote to memory of 1540	108	project1.exe	31
PID 108 wrote to memory of 1540	108	project1.exe	31

C:\Users\Admin\AppData\Local\Temp\b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe
"C:\Users\Admin\AppData\Local\Temp\b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TINYBO~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TINYBO~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1352
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\project1.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\project1.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\project1.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 108 -s 268
      4⤵
      Loads dropped DLL
      Program crash
      PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TINYBO~1.EXE

Filesize
44KB

MD5
276a7b13b3aa0b2125568623a4d67e0c

SHA1
5f72a7307cf108516bfa5945825ef4fd994f4229

SHA256
dd91f5695299ec964f02c2921b79d5fdcb0fe21b7df7a27232f43c18b87305df

SHA512
cc0c43acb8e378057c404aeacde8faaecdde29fc7dfe33bed8e846bd0c3b908c862c852ac761ff787e858d4a62f4788bf606441b7a2524d4194c828e5f5a21db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TINYBO~1.EXE

Filesize
44KB

MD5
276a7b13b3aa0b2125568623a4d67e0c

SHA1
5f72a7307cf108516bfa5945825ef4fd994f4229

SHA256
dd91f5695299ec964f02c2921b79d5fdcb0fe21b7df7a27232f43c18b87305df

SHA512
cc0c43acb8e378057c404aeacde8faaecdde29fc7dfe33bed8e846bd0c3b908c862c852ac761ff787e858d4a62f4788bf606441b7a2524d4194c828e5f5a21db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\project1.exe

Filesize
80KB

MD5
f0ffa4f9bb5eb4dc69975cbcbdee2853

SHA1
e50798d049993b3ff9c6a6febb351af87c70a187

SHA256
19b3a9ffdf948d11aaf8a6521fa6b897edc5618c24ac2e3e082f38d36f4faa67

SHA512
7c3ffc6b38e27b42e168be4f4063522f83fade4281e6678f47538b2a4780b5bc3c3159cc66527dfd7c1e0e7a5bc4fbfd94ae062cbade6f9719dea006f89a0177

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\project1.exe

Filesize
80KB

MD5
f0ffa4f9bb5eb4dc69975cbcbdee2853

SHA1
e50798d049993b3ff9c6a6febb351af87c70a187

SHA256
19b3a9ffdf948d11aaf8a6521fa6b897edc5618c24ac2e3e082f38d36f4faa67

SHA512
7c3ffc6b38e27b42e168be4f4063522f83fade4281e6678f47538b2a4780b5bc3c3159cc66527dfd7c1e0e7a5bc4fbfd94ae062cbade6f9719dea006f89a0177

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\project1.exe

Filesize
80KB

MD5
f0ffa4f9bb5eb4dc69975cbcbdee2853

SHA1
e50798d049993b3ff9c6a6febb351af87c70a187

SHA256
19b3a9ffdf948d11aaf8a6521fa6b897edc5618c24ac2e3e082f38d36f4faa67

SHA512
7c3ffc6b38e27b42e168be4f4063522f83fade4281e6678f47538b2a4780b5bc3c3159cc66527dfd7c1e0e7a5bc4fbfd94ae062cbade6f9719dea006f89a0177

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\TINYBO~1.EXE

Filesize
44KB

MD5
276a7b13b3aa0b2125568623a4d67e0c

SHA1
5f72a7307cf108516bfa5945825ef4fd994f4229

SHA256
dd91f5695299ec964f02c2921b79d5fdcb0fe21b7df7a27232f43c18b87305df

SHA512
cc0c43acb8e378057c404aeacde8faaecdde29fc7dfe33bed8e846bd0c3b908c862c852ac761ff787e858d4a62f4788bf606441b7a2524d4194c828e5f5a21db

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\TINYBO~1.EXE

Filesize
44KB

MD5
276a7b13b3aa0b2125568623a4d67e0c

SHA1
5f72a7307cf108516bfa5945825ef4fd994f4229

SHA256
dd91f5695299ec964f02c2921b79d5fdcb0fe21b7df7a27232f43c18b87305df

SHA512
cc0c43acb8e378057c404aeacde8faaecdde29fc7dfe33bed8e846bd0c3b908c862c852ac761ff787e858d4a62f4788bf606441b7a2524d4194c828e5f5a21db

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\TINYBO~1.EXE

Filesize
44KB

MD5
276a7b13b3aa0b2125568623a4d67e0c

SHA1
5f72a7307cf108516bfa5945825ef4fd994f4229

SHA256
dd91f5695299ec964f02c2921b79d5fdcb0fe21b7df7a27232f43c18b87305df

SHA512
cc0c43acb8e378057c404aeacde8faaecdde29fc7dfe33bed8e846bd0c3b908c862c852ac761ff787e858d4a62f4788bf606441b7a2524d4194c828e5f5a21db

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\project1.exe

Filesize
80KB

MD5
f0ffa4f9bb5eb4dc69975cbcbdee2853

SHA1
e50798d049993b3ff9c6a6febb351af87c70a187

SHA256
19b3a9ffdf948d11aaf8a6521fa6b897edc5618c24ac2e3e082f38d36f4faa67

SHA512
7c3ffc6b38e27b42e168be4f4063522f83fade4281e6678f47538b2a4780b5bc3c3159cc66527dfd7c1e0e7a5bc4fbfd94ae062cbade6f9719dea006f89a0177

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\project1.exe

Filesize
80KB

MD5
f0ffa4f9bb5eb4dc69975cbcbdee2853

SHA1
e50798d049993b3ff9c6a6febb351af87c70a187

SHA256
19b3a9ffdf948d11aaf8a6521fa6b897edc5618c24ac2e3e082f38d36f4faa67

SHA512
7c3ffc6b38e27b42e168be4f4063522f83fade4281e6678f47538b2a4780b5bc3c3159cc66527dfd7c1e0e7a5bc4fbfd94ae062cbade6f9719dea006f89a0177

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\project1.exe

Filesize
80KB

MD5
f0ffa4f9bb5eb4dc69975cbcbdee2853

SHA1
e50798d049993b3ff9c6a6febb351af87c70a187

SHA256
19b3a9ffdf948d11aaf8a6521fa6b897edc5618c24ac2e3e082f38d36f4faa67

SHA512
7c3ffc6b38e27b42e168be4f4063522f83fade4281e6678f47538b2a4780b5bc3c3159cc66527dfd7c1e0e7a5bc4fbfd94ae062cbade6f9719dea006f89a0177

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\project1.exe

Filesize
80KB

MD5
f0ffa4f9bb5eb4dc69975cbcbdee2853

SHA1
e50798d049993b3ff9c6a6febb351af87c70a187

SHA256
19b3a9ffdf948d11aaf8a6521fa6b897edc5618c24ac2e3e082f38d36f4faa67

SHA512
7c3ffc6b38e27b42e168be4f4063522f83fade4281e6678f47538b2a4780b5bc3c3159cc66527dfd7c1e0e7a5bc4fbfd94ae062cbade6f9719dea006f89a0177

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\project1.exe

Filesize
80KB

MD5
f0ffa4f9bb5eb4dc69975cbcbdee2853

SHA1
e50798d049993b3ff9c6a6febb351af87c70a187

SHA256
19b3a9ffdf948d11aaf8a6521fa6b897edc5618c24ac2e3e082f38d36f4faa67

SHA512
7c3ffc6b38e27b42e168be4f4063522f83fade4281e6678f47538b2a4780b5bc3c3159cc66527dfd7c1e0e7a5bc4fbfd94ae062cbade6f9719dea006f89a0177

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\project1.exe

Filesize
80KB

MD5
f0ffa4f9bb5eb4dc69975cbcbdee2853

SHA1
e50798d049993b3ff9c6a6febb351af87c70a187

SHA256
19b3a9ffdf948d11aaf8a6521fa6b897edc5618c24ac2e3e082f38d36f4faa67

SHA512
7c3ffc6b38e27b42e168be4f4063522f83fade4281e6678f47538b2a4780b5bc3c3159cc66527dfd7c1e0e7a5bc4fbfd94ae062cbade6f9719dea006f89a0177

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\project1.exe

Filesize
80KB

MD5
f0ffa4f9bb5eb4dc69975cbcbdee2853

SHA1
e50798d049993b3ff9c6a6febb351af87c70a187

SHA256
19b3a9ffdf948d11aaf8a6521fa6b897edc5618c24ac2e3e082f38d36f4faa67

SHA512
7c3ffc6b38e27b42e168be4f4063522f83fade4281e6678f47538b2a4780b5bc3c3159cc66527dfd7c1e0e7a5bc4fbfd94ae062cbade6f9719dea006f89a0177

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\project1.exe

Filesize
80KB

MD5
f0ffa4f9bb5eb4dc69975cbcbdee2853

SHA1
e50798d049993b3ff9c6a6febb351af87c70a187

SHA256
19b3a9ffdf948d11aaf8a6521fa6b897edc5618c24ac2e3e082f38d36f4faa67

SHA512
7c3ffc6b38e27b42e168be4f4063522f83fade4281e6678f47538b2a4780b5bc3c3159cc66527dfd7c1e0e7a5bc4fbfd94ae062cbade6f9719dea006f89a0177

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\project1.exe

Filesize
80KB

MD5
f0ffa4f9bb5eb4dc69975cbcbdee2853

SHA1
e50798d049993b3ff9c6a6febb351af87c70a187

SHA256
19b3a9ffdf948d11aaf8a6521fa6b897edc5618c24ac2e3e082f38d36f4faa67

SHA512
7c3ffc6b38e27b42e168be4f4063522f83fade4281e6678f47538b2a4780b5bc3c3159cc66527dfd7c1e0e7a5bc4fbfd94ae062cbade6f9719dea006f89a0177

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\project1.exe

Filesize
80KB

MD5
f0ffa4f9bb5eb4dc69975cbcbdee2853

SHA1
e50798d049993b3ff9c6a6febb351af87c70a187

SHA256
19b3a9ffdf948d11aaf8a6521fa6b897edc5618c24ac2e3e082f38d36f4faa67

SHA512
7c3ffc6b38e27b42e168be4f4063522f83fade4281e6678f47538b2a4780b5bc3c3159cc66527dfd7c1e0e7a5bc4fbfd94ae062cbade6f9719dea006f89a0177

Download Submit
memory/108-74-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/108-81-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/108-84-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/108-77-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/108-75-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1516-54-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download