a270a7e220fe0461c4a5f42c4401e650c1959f76e1b5d7feab6490f28fac8504

Analysis

max time kernel
239s
max time network
260s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 08:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a270a7e220fe0461c4a5f42c4401e650c1959f76e1b5d7feab6490f28fac8504.exe
Size

640KB
MD5

47e66d5afcb29b3b6c5f0e58619da988
SHA1

916666ee36a0e3b13683dc182590b92c6852bc1c
SHA256

a270a7e220fe0461c4a5f42c4401e650c1959f76e1b5d7feab6490f28fac8504
SHA512

f7622a8ef9bef75e74ef3278a5a9d830dca4e0d47d06bdd4d022a85fa1a71725482c1282a4cb8a0fda4ce2e03ce659cbb5e5e5dcf5e623c25155ead0019a5f19
SSDEEP

12288:C3CTAR8mQ9f6hbaDUSIaVKWtu9RF3Z4mxx3k+ojAnCWk5ng:Cz8FlYbdL5Wtu9RQmX3hnsg

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3800	0_lh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a270a7e220fe0461c4a5f42c4401e650c1959f76e1b5d7feab6490f28fac8504.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a270a7e220fe0461c4a5f42c4401e650c1959f76e1b5d7feab6490f28fac8504.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4324	3800	WerFault.exe	81

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 3800	4476	a270a7e220fe0461c4a5f42c4401e650c1959f76e1b5d7feab6490f28fac8504.exe	81
PID 4476 wrote to memory of 3800	4476	a270a7e220fe0461c4a5f42c4401e650c1959f76e1b5d7feab6490f28fac8504.exe	81
PID 4476 wrote to memory of 3800	4476	a270a7e220fe0461c4a5f42c4401e650c1959f76e1b5d7feab6490f28fac8504.exe	81

C:\Users\Admin\AppData\Local\Temp\a270a7e220fe0461c4a5f42c4401e650c1959f76e1b5d7feab6490f28fac8504.exe
"C:\Users\Admin\AppData\Local\Temp\a270a7e220fe0461c4a5f42c4401e650c1959f76e1b5d7feab6490f28fac8504.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\0_lh.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\0_lh.exe
  2⤵
  - Executes dropped EXE
  PID:3800
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 628
    3⤵
    - Program crash
    PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3800 -ip 3800
1⤵
PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\0_lh.exe

Filesize
277KB

MD5
401e434b57a622ef8c58720ad45ca1d8

SHA1
4ec828aa0c82c5b8c3faacb28afeb321181599c5

SHA256
34edaff67aa0e1c049973f88971baf12af0a141553d9ed351a09bf57741d93db

SHA512
0b6995f30537e94f0e63c881d8a69d0b1a504309e02ed70446191e1df38c2f88c66fd7cccb5191c2a22ea334f731e2c672ba31c1c8c84da56bdd951150f0a48d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\0_lh.exe

Filesize
277KB

MD5
401e434b57a622ef8c58720ad45ca1d8

SHA1
4ec828aa0c82c5b8c3faacb28afeb321181599c5

SHA256
34edaff67aa0e1c049973f88971baf12af0a141553d9ed351a09bf57741d93db

SHA512
0b6995f30537e94f0e63c881d8a69d0b1a504309e02ed70446191e1df38c2f88c66fd7cccb5191c2a22ea334f731e2c672ba31c1c8c84da56bdd951150f0a48d

Download Submit
memory/3800-138-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4476-132-0x0000000001000000-0x00000000010AE000-memory.dmp

Filesize
696KB

Download
memory/4476-136-0x00000000005C0000-0x0000000000614000-memory.dmp

Filesize
336KB

Download
memory/4476-137-0x00000000030B0000-0x00000000030B3000-memory.dmp

Filesize
12KB

Download
memory/4476-139-0x00000000005C0000-0x0000000000614000-memory.dmp

Filesize
336KB

Download
memory/4476-140-0x0000000001000000-0x00000000010AE000-memory.dmp

Filesize
696KB

Download