ca368c189732eca100adf6e6392c6fd3b5e23b7423462b8025a6c64c814a95ff

General

Target

ca368c189732eca100adf6e6392c6fd3b5e23b7423462b8025a6c64c814a95ff.exe
Size

132KB
MD5

3f40571ea40450e6f8cbb21fbe1bdbda
SHA1

12ae1bdcbc054cc66debe3c879f1bd88e284c8f8
SHA256

ca368c189732eca100adf6e6392c6fd3b5e23b7423462b8025a6c64c814a95ff
SHA512

411da5e3acde77f97577587837834c09f674fc16ed8a809ecf252f90f2c920cf8f213fb9798a1d5980a8fb16fd57c5f03ebfb24299b3c434cf97900abba009c3
SSDEEP

1536:y9nYr5dYbuVjajSjJm95llPFct+faAoUt+Qeg6TKVbXNXaBwpkzeqHaQvMzhzYPS:injbSVylFctTB9utwwGraQIBYPS

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1232	taskhost.exe
4032	taskhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskhost = "C:\\Users\\Admin\\AppData\\Roaming\\taskhost.exe"	ca368c189732eca100adf6e6392c6fd3b5e23b7423462b8025a6c64c814a95ff.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ca368c189732eca100adf6e6392c6fd3b5e23b7423462b8025a6c64c814a95ff.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5048 set thread context of 1140	5048	ca368c189732eca100adf6e6392c6fd3b5e23b7423462b8025a6c64c814a95ff.exe	81
PID 1232 set thread context of 4032	1232	taskhost.exe	85

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4000	5048	WerFault.exe	80
2764	1232	WerFault.exe	83

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 1140	5048	ca368c189732eca100adf6e6392c6fd3b5e23b7423462b8025a6c64c814a95ff.exe	81
PID 5048 wrote to memory of 1140	5048	ca368c189732eca100adf6e6392c6fd3b5e23b7423462b8025a6c64c814a95ff.exe	81
PID 5048 wrote to memory of 1140	5048	ca368c189732eca100adf6e6392c6fd3b5e23b7423462b8025a6c64c814a95ff.exe	81
PID 5048 wrote to memory of 1140	5048	ca368c189732eca100adf6e6392c6fd3b5e23b7423462b8025a6c64c814a95ff.exe	81
PID 5048 wrote to memory of 1140	5048	ca368c189732eca100adf6e6392c6fd3b5e23b7423462b8025a6c64c814a95ff.exe	81
PID 1140 wrote to memory of 1232	1140	ca368c189732eca100adf6e6392c6fd3b5e23b7423462b8025a6c64c814a95ff.exe	83
PID 1140 wrote to memory of 1232	1140	ca368c189732eca100adf6e6392c6fd3b5e23b7423462b8025a6c64c814a95ff.exe	83
PID 1140 wrote to memory of 1232	1140	ca368c189732eca100adf6e6392c6fd3b5e23b7423462b8025a6c64c814a95ff.exe	83
PID 1232 wrote to memory of 4032	1232	taskhost.exe	85
PID 1232 wrote to memory of 4032	1232	taskhost.exe	85
PID 1232 wrote to memory of 4032	1232	taskhost.exe	85
PID 1232 wrote to memory of 4032	1232	taskhost.exe	85
PID 1232 wrote to memory of 4032	1232	taskhost.exe	85

C:\Users\Admin\AppData\Local\Temp\ca368c189732eca100adf6e6392c6fd3b5e23b7423462b8025a6c64c814a95ff.exe
"C:\Users\Admin\AppData\Local\Temp\ca368c189732eca100adf6e6392c6fd3b5e23b7423462b8025a6c64c814a95ff.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\ca368c189732eca100adf6e6392c6fd3b5e23b7423462b8025a6c64c814a95ff.exe
  C:\Users\Admin\AppData\Local\Temp\ca368c189732eca100adf6e6392c6fd3b5e23b7423462b8025a6c64c814a95ff.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Users\Admin\AppData\Roaming\taskhost.exe
    C:\Users\Admin\AppData\Roaming\taskhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1232
  - - C:\Users\Admin\AppData\Roaming\taskhost.exe
      C:\Users\Admin\AppData\Roaming\taskhost.exe
      4⤵
      Executes dropped EXE
      PID:4032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 320
      4⤵
      Program crash
      PID:2764
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 320
  2⤵
  - Program crash
  PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5048 -ip 5048
1⤵
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1232 -ip 1232
1⤵
PID:4912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
132KB

MD5
ab04088936c8f09926028ba7a87a6dd4

SHA1
640b8cefb05e7e91fafc84cd605c65f5024d030f

SHA256
d02de1b9959d5d9cef6d8032e69362320c3afc1b9b7f563a0cac3437a88dd0d3

SHA512
2ea362ee30c8b14e1b4227bef665f1130aeef2e5f24cb4aec5325d04bf48a331e06c2f8cabf6e69bea0d471165e67f546b61f515afce8c4af7c0186b53cbb641

Download Submit
C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
132KB

MD5
ab04088936c8f09926028ba7a87a6dd4

SHA1
640b8cefb05e7e91fafc84cd605c65f5024d030f

SHA256
d02de1b9959d5d9cef6d8032e69362320c3afc1b9b7f563a0cac3437a88dd0d3

SHA512
2ea362ee30c8b14e1b4227bef665f1130aeef2e5f24cb4aec5325d04bf48a331e06c2f8cabf6e69bea0d471165e67f546b61f515afce8c4af7c0186b53cbb641

Download Submit
C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
132KB

MD5
ab04088936c8f09926028ba7a87a6dd4

SHA1
640b8cefb05e7e91fafc84cd605c65f5024d030f

SHA256
d02de1b9959d5d9cef6d8032e69362320c3afc1b9b7f563a0cac3437a88dd0d3

SHA512
2ea362ee30c8b14e1b4227bef665f1130aeef2e5f24cb4aec5325d04bf48a331e06c2f8cabf6e69bea0d471165e67f546b61f515afce8c4af7c0186b53cbb641

Download Submit
memory/1140-133-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1140-134-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1140-135-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1140-144-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4032-142-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4032-143-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing