b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8

General

Target

b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe
Size

103KB
MD5

56ee52297271c6b93d6dae8d68c38c5d
SHA1

092a21b90b23d65a841f7178e00d1ad5996cba84
SHA256

b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8
SHA512

bd15ad2fe47018639629ed1286638e7dee4381a0c07a5f0fa9b84c6b08f77fc92fb099a4c560666565e894005778479433357f589f7a5d433959ce51480f0849
SSDEEP

1536:V5neEhlcTW5sk1jtf2XvWINndIcN6Jdas5gPzCz4uQu801JXDkaDuX3ePTE0Q55r:3nj9jtfU+INndIc0J15lzfQ90prbTYQ4

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3604	TINYBO~1.EXE
2240	project1.exe
4224	project1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2240 set thread context of 4224	2240	project1.exe	88

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3788	4224	WerFault.exe	88

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3604	TINYBO~1.EXE
2240	project1.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 3604	2004	b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe	84
PID 2004 wrote to memory of 3604	2004	b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe	84
PID 2004 wrote to memory of 3604	2004	b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe	84
PID 2004 wrote to memory of 2240	2004	b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe	87
PID 2004 wrote to memory of 2240	2004	b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe	87
PID 2004 wrote to memory of 2240	2004	b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe	87
PID 2240 wrote to memory of 4224	2240	project1.exe	88
PID 2240 wrote to memory of 4224	2240	project1.exe	88
PID 2240 wrote to memory of 4224	2240	project1.exe	88
PID 2240 wrote to memory of 4224	2240	project1.exe	88
PID 2240 wrote to memory of 4224	2240	project1.exe	88
PID 2240 wrote to memory of 4224	2240	project1.exe	88

C:\Users\Admin\AppData\Local\Temp\b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe
"C:\Users\Admin\AppData\Local\Temp\b5f2b0792458578829f2c0f3bc8b4154c903f516b5e154223f38e5c6c3ced3a8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TINYBO~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TINYBO~1.EXE
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3604
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\project1.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\project1.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\project1.exe
    3⤵
    - Executes dropped EXE
    PID:4224
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 588
      4⤵
      Program crash
      PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4224 -ip 4224
1⤵
PID:2388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TINYBO~1.EXE

Filesize
44KB

MD5
276a7b13b3aa0b2125568623a4d67e0c

SHA1
5f72a7307cf108516bfa5945825ef4fd994f4229

SHA256
dd91f5695299ec964f02c2921b79d5fdcb0fe21b7df7a27232f43c18b87305df

SHA512
cc0c43acb8e378057c404aeacde8faaecdde29fc7dfe33bed8e846bd0c3b908c862c852ac761ff787e858d4a62f4788bf606441b7a2524d4194c828e5f5a21db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TINYBO~1.EXE

Filesize
44KB

MD5
276a7b13b3aa0b2125568623a4d67e0c

SHA1
5f72a7307cf108516bfa5945825ef4fd994f4229

SHA256
dd91f5695299ec964f02c2921b79d5fdcb0fe21b7df7a27232f43c18b87305df

SHA512
cc0c43acb8e378057c404aeacde8faaecdde29fc7dfe33bed8e846bd0c3b908c862c852ac761ff787e858d4a62f4788bf606441b7a2524d4194c828e5f5a21db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\project1.exe

Filesize
80KB

MD5
f0ffa4f9bb5eb4dc69975cbcbdee2853

SHA1
e50798d049993b3ff9c6a6febb351af87c70a187

SHA256
19b3a9ffdf948d11aaf8a6521fa6b897edc5618c24ac2e3e082f38d36f4faa67

SHA512
7c3ffc6b38e27b42e168be4f4063522f83fade4281e6678f47538b2a4780b5bc3c3159cc66527dfd7c1e0e7a5bc4fbfd94ae062cbade6f9719dea006f89a0177

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\project1.exe

Filesize
80KB

MD5
f0ffa4f9bb5eb4dc69975cbcbdee2853

SHA1
e50798d049993b3ff9c6a6febb351af87c70a187

SHA256
19b3a9ffdf948d11aaf8a6521fa6b897edc5618c24ac2e3e082f38d36f4faa67

SHA512
7c3ffc6b38e27b42e168be4f4063522f83fade4281e6678f47538b2a4780b5bc3c3159cc66527dfd7c1e0e7a5bc4fbfd94ae062cbade6f9719dea006f89a0177

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\project1.exe

Filesize
80KB

MD5
f0ffa4f9bb5eb4dc69975cbcbdee2853

SHA1
e50798d049993b3ff9c6a6febb351af87c70a187

SHA256
19b3a9ffdf948d11aaf8a6521fa6b897edc5618c24ac2e3e082f38d36f4faa67

SHA512
7c3ffc6b38e27b42e168be4f4063522f83fade4281e6678f47538b2a4780b5bc3c3159cc66527dfd7c1e0e7a5bc4fbfd94ae062cbade6f9719dea006f89a0177

Download Submit
memory/4224-143-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4224-146-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4224-147-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing