b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82

General

Target

b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe
Size

132KB
MD5

972c08e8b341ef46a0d7fb453890839c
SHA1

8924bf0ee6444ecdf0e62cc228d394ef132a2370
SHA256

b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82
SHA512

d496a0b6df840e76775822433ebdf1b9ca805fbc3d93e7c50708459698569f0e070cede4aae0073faad00d35a081f4887c4f916fcdd5626f5265d21d5d32f09d
SSDEEP

1536:uvABbebP+9jC8Nf4FctKDNFBQjURgSIXlY4bP5rX5OXSRAKvSr9jSwnf:rbroFctmKcGY+xrJOiRANx2wn

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4560	taskhost.exe
1684	taskhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\taskhost.exe"	taskhost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4624 set thread context of 1848	4624	b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe	76
PID 4560 set thread context of 1684	4560	taskhost.exe	81

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1340	4624	WerFault.exe	75
3996	4560	WerFault.exe	79

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 1848	4624	b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe	76
PID 4624 wrote to memory of 1848	4624	b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe	76
PID 4624 wrote to memory of 1848	4624	b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe	76
PID 4624 wrote to memory of 1848	4624	b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe	76
PID 4624 wrote to memory of 1848	4624	b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe	76
PID 1848 wrote to memory of 4560	1848	b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe	79
PID 1848 wrote to memory of 4560	1848	b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe	79
PID 1848 wrote to memory of 4560	1848	b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe	79
PID 4560 wrote to memory of 1684	4560	taskhost.exe	81
PID 4560 wrote to memory of 1684	4560	taskhost.exe	81
PID 4560 wrote to memory of 1684	4560	taskhost.exe	81
PID 4560 wrote to memory of 1684	4560	taskhost.exe	81
PID 4560 wrote to memory of 1684	4560	taskhost.exe	81

C:\Users\Admin\AppData\Local\Temp\b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe
"C:\Users\Admin\AppData\Local\Temp\b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Users\Admin\AppData\Local\Temp\b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe
  C:\Users\Admin\AppData\Local\Temp\b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Users\Admin\AppData\Roaming\Microsoft\taskhost.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\taskhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\Users\Admin\AppData\Roaming\Microsoft\taskhost.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\taskhost.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:1684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 308
      4⤵
      Program crash
      PID:3996
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 308
  2⤵
  - Program crash
  PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4624 -ip 4624
1⤵
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4560 -ip 4560
1⤵
PID:4968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\taskhost.exe

Filesize
132KB

MD5
c85faceb195e59c8c09d1db03fb578bb

SHA1
9ce4bc9668941b26e3a616594535ec2fd7a59dad

SHA256
24f9a21fb3bf4585878503a4289ba9511e9847669d3eac23d4c01e521398bb76

SHA512
668d3b02fd069a1be26847cbd00381ec222ffcaed868db65ef69dc3d026dd9266199416b37ae7589c5792403e50fc09793b46386cbbd700512fe6c25e9388f41

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\taskhost.exe

Filesize
132KB

MD5
c85faceb195e59c8c09d1db03fb578bb

SHA1
9ce4bc9668941b26e3a616594535ec2fd7a59dad

SHA256
24f9a21fb3bf4585878503a4289ba9511e9847669d3eac23d4c01e521398bb76

SHA512
668d3b02fd069a1be26847cbd00381ec222ffcaed868db65ef69dc3d026dd9266199416b37ae7589c5792403e50fc09793b46386cbbd700512fe6c25e9388f41

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\taskhost.exe

Filesize
132KB

MD5
c85faceb195e59c8c09d1db03fb578bb

SHA1
9ce4bc9668941b26e3a616594535ec2fd7a59dad

SHA256
24f9a21fb3bf4585878503a4289ba9511e9847669d3eac23d4c01e521398bb76

SHA512
668d3b02fd069a1be26847cbd00381ec222ffcaed868db65ef69dc3d026dd9266199416b37ae7589c5792403e50fc09793b46386cbbd700512fe6c25e9388f41

Download Submit
memory/1684-145-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1684-144-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1684-143-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1848-135-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1848-139-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1848-134-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1848-133-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing