9e4d266fc5103fea30210552a5cea75732f1e93025f8b5fd598562fe8e8fa635

General

Target

9e4d266fc5103fea30210552a5cea75732f1e93025f8b5fd598562fe8e8fa635.exe
Size

118KB
MD5

ff45cd54f807e15aa5d55c51ad4fc949
SHA1

35d19024bd08b379b3f78d8444acea3ec3932ea4
SHA256

9e4d266fc5103fea30210552a5cea75732f1e93025f8b5fd598562fe8e8fa635
SHA512

c96d261acbf0d1a0e8fd9ca9070d0a443277442b9391fe42070d657c9a270820c554c8176e8d72be3043591ab3763c5590716efa4959301596bdbd1ecc28cabe
SSDEEP

3072:pLWTEiR+gctabvQuKbtG3ftk3j30lQqAB1kO0exnr:pLWiYTQPG3VQya6O0

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1480	x9el0.exe
1788	x9el0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	9e4d266fc5103fea30210552a5cea75732f1e93025f8b5fd598562fe8e8fa635.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5k4ffdabvh = "C:\\Users\\Admin\\AppData\\Roaming\\x9el0.exe"	9e4d266fc5103fea30210552a5cea75732f1e93025f8b5fd598562fe8e8fa635.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 928 set thread context of 4828	928	9e4d266fc5103fea30210552a5cea75732f1e93025f8b5fd598562fe8e8fa635.exe	81
PID 1480 set thread context of 1788	1480	x9el0.exe	86

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4928	928	WerFault.exe	79
4700	1480	WerFault.exe	85
2696	1480	WerFault.exe	85
4696	928	WerFault.exe	79

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 928 wrote to memory of 4828	928	9e4d266fc5103fea30210552a5cea75732f1e93025f8b5fd598562fe8e8fa635.exe	81
PID 928 wrote to memory of 4828	928	9e4d266fc5103fea30210552a5cea75732f1e93025f8b5fd598562fe8e8fa635.exe	81
PID 928 wrote to memory of 4828	928	9e4d266fc5103fea30210552a5cea75732f1e93025f8b5fd598562fe8e8fa635.exe	81
PID 928 wrote to memory of 4828	928	9e4d266fc5103fea30210552a5cea75732f1e93025f8b5fd598562fe8e8fa635.exe	81
PID 928 wrote to memory of 4828	928	9e4d266fc5103fea30210552a5cea75732f1e93025f8b5fd598562fe8e8fa635.exe	81
PID 928 wrote to memory of 4928	928	9e4d266fc5103fea30210552a5cea75732f1e93025f8b5fd598562fe8e8fa635.exe	84
PID 928 wrote to memory of 4928	928	9e4d266fc5103fea30210552a5cea75732f1e93025f8b5fd598562fe8e8fa635.exe	84
PID 928 wrote to memory of 4928	928	9e4d266fc5103fea30210552a5cea75732f1e93025f8b5fd598562fe8e8fa635.exe	84
PID 4828 wrote to memory of 1480	4828	9e4d266fc5103fea30210552a5cea75732f1e93025f8b5fd598562fe8e8fa635.exe	85
PID 4828 wrote to memory of 1480	4828	9e4d266fc5103fea30210552a5cea75732f1e93025f8b5fd598562fe8e8fa635.exe	85
PID 4828 wrote to memory of 1480	4828	9e4d266fc5103fea30210552a5cea75732f1e93025f8b5fd598562fe8e8fa635.exe	85
PID 1480 wrote to memory of 1788	1480	x9el0.exe	86
PID 1480 wrote to memory of 1788	1480	x9el0.exe	86
PID 1480 wrote to memory of 1788	1480	x9el0.exe	86
PID 1480 wrote to memory of 1788	1480	x9el0.exe	86
PID 1480 wrote to memory of 1788	1480	x9el0.exe	86
PID 1480 wrote to memory of 4700	1480	x9el0.exe	88
PID 1480 wrote to memory of 4700	1480	x9el0.exe	88
PID 1480 wrote to memory of 4700	1480	x9el0.exe	88

C:\Users\Admin\AppData\Local\Temp\9e4d266fc5103fea30210552a5cea75732f1e93025f8b5fd598562fe8e8fa635.exe
"C:\Users\Admin\AppData\Local\Temp\9e4d266fc5103fea30210552a5cea75732f1e93025f8b5fd598562fe8e8fa635.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:928
- C:\Users\Admin\AppData\Local\Temp\9e4d266fc5103fea30210552a5cea75732f1e93025f8b5fd598562fe8e8fa635.exe
  C:\Users\Admin\AppData\Local\Temp\9e4d266fc5103fea30210552a5cea75732f1e93025f8b5fd598562fe8e8fa635.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Users\Admin\AppData\Roaming\x9el0.exe
    C:\Users\Admin\AppData\Roaming\x9el0.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Users\Admin\AppData\Roaming\x9el0.exe
      C:\Users\Admin\AppData\Roaming\x9el0.exe
      4⤵
      Executes dropped EXE
      PID:1788
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 292
      4⤵
      Program crash
      PID:4700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 292
      4⤵
      Program crash
      PID:2696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 292
  2⤵
  - Program crash
  PID:4928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 292
  2⤵
  - Program crash
  PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 928 -ip 928
1⤵
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 1480 -ip 1480
1⤵
PID:2092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\x9el0.exe

Filesize
118KB

MD5
db6e6edac3662e234e769047efc8d9d8

SHA1
b357e499125798d6520c6174ca5fa4e90558d012

SHA256
deefa6bbec92802e8ff9f2168972bf380a4ff4418842dd70e9ab65e19065af42

SHA512
59dc752dcf859c5e88796af6bb3c303fa6cadb2830fa8643a8ccc06798e02f828a5b4533a10026e5fd5b10b21415d804c54d95c43e47d0e3a45646a5d6d4592e

Download Submit
C:\Users\Admin\AppData\Roaming\x9el0.exe

Filesize
118KB

MD5
db6e6edac3662e234e769047efc8d9d8

SHA1
b357e499125798d6520c6174ca5fa4e90558d012

SHA256
deefa6bbec92802e8ff9f2168972bf380a4ff4418842dd70e9ab65e19065af42

SHA512
59dc752dcf859c5e88796af6bb3c303fa6cadb2830fa8643a8ccc06798e02f828a5b4533a10026e5fd5b10b21415d804c54d95c43e47d0e3a45646a5d6d4592e

Download Submit
C:\Users\Admin\AppData\Roaming\x9el0.exe

Filesize
118KB

MD5
db6e6edac3662e234e769047efc8d9d8

SHA1
b357e499125798d6520c6174ca5fa4e90558d012

SHA256
deefa6bbec92802e8ff9f2168972bf380a4ff4418842dd70e9ab65e19065af42

SHA512
59dc752dcf859c5e88796af6bb3c303fa6cadb2830fa8643a8ccc06798e02f828a5b4533a10026e5fd5b10b21415d804c54d95c43e47d0e3a45646a5d6d4592e

Download Submit
memory/1788-144-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1788-145-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1788-146-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4828-135-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4828-134-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4828-143-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4828-133-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing