74a0e6da85b94805b9d18cba20714843350ad807d5d7c9398eb4d90c9114d7f4

General

Target

74a0e6da85b94805b9d18cba20714843350ad807d5d7c9398eb4d90c9114d7f4.exe
Size

18KB
MD5

cf10800f44769adb7fa525144b9bc112
SHA1

162e236956778f48dad90b57798e9c3d84059aee
SHA256

74a0e6da85b94805b9d18cba20714843350ad807d5d7c9398eb4d90c9114d7f4
SHA512

67b51c9e589016189a95fbc67a7bb7aa77465f514885e3d96424418358582752139e40183962d580ac52ff7629c1d3ff6fb7c7f69d04e95f8d1f1b1f6c338210
SSDEEP

384:+qh9iywwHkhoTT45gMkmKk7GY1ISpZWwnU4OF1O:d3iy5NM1kmp7GY1RKwnU4ObO

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
652	wualct.exe

Deletes itself 1 IoCs

pid	Process
652	wualct.exe

Loads dropped DLL 5 IoCs

pid	Process
1636	74a0e6da85b94805b9d18cba20714843350ad807d5d7c9398eb4d90c9114d7f4.exe
1636	74a0e6da85b94805b9d18cba20714843350ad807d5d7c9398eb4d90c9114d7f4.exe
1028	WerFault.exe
1028	WerFault.exe
1028	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sudp = "C:\\ProgramData\\wualct.exe"	74a0e6da85b94805b9d18cba20714843350ad807d5d7c9398eb4d90c9114d7f4.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1028	652	WerFault.exe	28

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 652	1636	74a0e6da85b94805b9d18cba20714843350ad807d5d7c9398eb4d90c9114d7f4.exe	28
PID 1636 wrote to memory of 652	1636	74a0e6da85b94805b9d18cba20714843350ad807d5d7c9398eb4d90c9114d7f4.exe	28
PID 1636 wrote to memory of 652	1636	74a0e6da85b94805b9d18cba20714843350ad807d5d7c9398eb4d90c9114d7f4.exe	28
PID 1636 wrote to memory of 652	1636	74a0e6da85b94805b9d18cba20714843350ad807d5d7c9398eb4d90c9114d7f4.exe	28
PID 652 wrote to memory of 1028	652	wualct.exe	30
PID 652 wrote to memory of 1028	652	wualct.exe	30
PID 652 wrote to memory of 1028	652	wualct.exe	30
PID 652 wrote to memory of 1028	652	wualct.exe	30

C:\Users\Admin\AppData\Local\Temp\74a0e6da85b94805b9d18cba20714843350ad807d5d7c9398eb4d90c9114d7f4.exe
"C:\Users\Admin\AppData\Local\Temp\74a0e6da85b94805b9d18cba20714843350ad807d5d7c9398eb4d90c9114d7f4.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1636
- C:\ProgramData\wualct.exe
  C:\ProgramData\wualct.exe
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 556
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wualct.exe

Filesize
18KB

MD5
cf10800f44769adb7fa525144b9bc112

SHA1
162e236956778f48dad90b57798e9c3d84059aee

SHA256
74a0e6da85b94805b9d18cba20714843350ad807d5d7c9398eb4d90c9114d7f4

SHA512
67b51c9e589016189a95fbc67a7bb7aa77465f514885e3d96424418358582752139e40183962d580ac52ff7629c1d3ff6fb7c7f69d04e95f8d1f1b1f6c338210

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMP110509.tmp

Filesize
102B

MD5
2cb8a89c98001f5eac9df73a60b8585e

SHA1
5e043b6361f728a1fba6f9d86b83064a6304ccdf

SHA256
a0ff1440bc77f3c14caf22d2e54e6f350c0c529f7c9cde566c986b94e7eafabe

SHA512
eb62e499752dfcd3b6d3ed1f5fbabb912c70b75e116445d0b5683793fdf4dd1a585bf888e9dccb9b0b8434f518ad0333325cf6e568275fd607423df526e406a7

Download Submit
\ProgramData\wualct.exe

Filesize
18KB

MD5
cf10800f44769adb7fa525144b9bc112

SHA1
162e236956778f48dad90b57798e9c3d84059aee

SHA256
74a0e6da85b94805b9d18cba20714843350ad807d5d7c9398eb4d90c9114d7f4

SHA512
67b51c9e589016189a95fbc67a7bb7aa77465f514885e3d96424418358582752139e40183962d580ac52ff7629c1d3ff6fb7c7f69d04e95f8d1f1b1f6c338210

Download Submit
\ProgramData\wualct.exe

Filesize
18KB

MD5
cf10800f44769adb7fa525144b9bc112

SHA1
162e236956778f48dad90b57798e9c3d84059aee

SHA256
74a0e6da85b94805b9d18cba20714843350ad807d5d7c9398eb4d90c9114d7f4

SHA512
67b51c9e589016189a95fbc67a7bb7aa77465f514885e3d96424418358582752139e40183962d580ac52ff7629c1d3ff6fb7c7f69d04e95f8d1f1b1f6c338210

Download Submit
\ProgramData\wualct.exe

Filesize
18KB

MD5
cf10800f44769adb7fa525144b9bc112

SHA1
162e236956778f48dad90b57798e9c3d84059aee

SHA256
74a0e6da85b94805b9d18cba20714843350ad807d5d7c9398eb4d90c9114d7f4

SHA512
67b51c9e589016189a95fbc67a7bb7aa77465f514885e3d96424418358582752139e40183962d580ac52ff7629c1d3ff6fb7c7f69d04e95f8d1f1b1f6c338210

Download Submit
\ProgramData\wualct.exe

Filesize
18KB

MD5
cf10800f44769adb7fa525144b9bc112

SHA1
162e236956778f48dad90b57798e9c3d84059aee

SHA256
74a0e6da85b94805b9d18cba20714843350ad807d5d7c9398eb4d90c9114d7f4

SHA512
67b51c9e589016189a95fbc67a7bb7aa77465f514885e3d96424418358582752139e40183962d580ac52ff7629c1d3ff6fb7c7f69d04e95f8d1f1b1f6c338210

Download Submit
\ProgramData\wualct.exe

Filesize
18KB

MD5
cf10800f44769adb7fa525144b9bc112

SHA1
162e236956778f48dad90b57798e9c3d84059aee

SHA256
74a0e6da85b94805b9d18cba20714843350ad807d5d7c9398eb4d90c9114d7f4

SHA512
67b51c9e589016189a95fbc67a7bb7aa77465f514885e3d96424418358582752139e40183962d580ac52ff7629c1d3ff6fb7c7f69d04e95f8d1f1b1f6c338210

Download Submit
memory/1636-54-0x0000000076771000-0x0000000076773000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing