a159fcaa6c739bdc98d8e5554c2c91addff2567af20505037d4a48fba584227e

Analysis

max time kernel
42s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 21:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a159fcaa6c739bdc98d8e5554c2c91addff2567af20505037d4a48fba584227e.exe
Size

6.2MB
MD5

73f677880519b0012d2bbd056af570f0
SHA1

11032ce975e80fba6a57e964ccf1b492856bcc6a
SHA256

a159fcaa6c739bdc98d8e5554c2c91addff2567af20505037d4a48fba584227e
SHA512

42fd137d8c63a628e542cfc524e56d1aed9f1af7fbebddf354525838265825d7bfd14c74201db63388b95d059a19744888a64dcfd69a41a40b4f12747b386f6c
SSDEEP

98304:SaquKNuf8y9UaFOjpg/LZ/8CQhwjEpWUs+RDVSdimxurabSqTC6+97bRvGAULi:SnuKmh9NOuLZZjwY+udimJJ+97FVULi

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1284	Setup_00.exe
1744	LC.exe

Loads dropped DLL 12 IoCs

pid	Process
1220	a159fcaa6c739bdc98d8e5554c2c91addff2567af20505037d4a48fba584227e.exe
1284	Setup_00.exe
1284	Setup_00.exe
1284	Setup_00.exe
1284	Setup_00.exe
1284	Setup_00.exe
1744	LC.exe
1744	LC.exe
1744	LC.exe
1148	WerFault.exe
1148	WerFault.exe
1148	WerFault.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a159fcaa6c739bdc98d8e5554c2c91addff2567af20505037d4a48fba584227e.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Setup_00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Setup_00.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a159fcaa6c739bdc98d8e5554c2c91addff2567af20505037d4a48fba584227e.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1148	1744	WerFault.exe	28

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 1284	1220	a159fcaa6c739bdc98d8e5554c2c91addff2567af20505037d4a48fba584227e.exe	27
PID 1220 wrote to memory of 1284	1220	a159fcaa6c739bdc98d8e5554c2c91addff2567af20505037d4a48fba584227e.exe	27
PID 1220 wrote to memory of 1284	1220	a159fcaa6c739bdc98d8e5554c2c91addff2567af20505037d4a48fba584227e.exe	27
PID 1220 wrote to memory of 1284	1220	a159fcaa6c739bdc98d8e5554c2c91addff2567af20505037d4a48fba584227e.exe	27
PID 1220 wrote to memory of 1284	1220	a159fcaa6c739bdc98d8e5554c2c91addff2567af20505037d4a48fba584227e.exe	27
PID 1220 wrote to memory of 1284	1220	a159fcaa6c739bdc98d8e5554c2c91addff2567af20505037d4a48fba584227e.exe	27
PID 1220 wrote to memory of 1284	1220	a159fcaa6c739bdc98d8e5554c2c91addff2567af20505037d4a48fba584227e.exe	27
PID 1284 wrote to memory of 1744	1284	Setup_00.exe	28
PID 1284 wrote to memory of 1744	1284	Setup_00.exe	28
PID 1284 wrote to memory of 1744	1284	Setup_00.exe	28
PID 1284 wrote to memory of 1744	1284	Setup_00.exe	28
PID 1284 wrote to memory of 1744	1284	Setup_00.exe	28
PID 1284 wrote to memory of 1744	1284	Setup_00.exe	28
PID 1284 wrote to memory of 1744	1284	Setup_00.exe	28
PID 1744 wrote to memory of 1148	1744	LC.exe	29
PID 1744 wrote to memory of 1148	1744	LC.exe	29
PID 1744 wrote to memory of 1148	1744	LC.exe	29
PID 1744 wrote to memory of 1148	1744	LC.exe	29
PID 1744 wrote to memory of 1148	1744	LC.exe	29
PID 1744 wrote to memory of 1148	1744	LC.exe	29
PID 1744 wrote to memory of 1148	1744	LC.exe	29

C:\Users\Admin\AppData\Local\Temp\a159fcaa6c739bdc98d8e5554c2c91addff2567af20505037d4a48fba584227e.exe
"C:\Users\Admin\AppData\Local\Temp\a159fcaa6c739bdc98d8e5554c2c91addff2567af20505037d4a48fba584227e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup_00.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup_00.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LC.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LC.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 284
      4⤵
      Loads dropped DLL
      Program crash
      PID:1148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup_00.exe

Filesize
129KB

MD5
0e1cbf0892a4ef5f31230942b7e74d6f

SHA1
2c611b6670e0e26caf331654576b78c6effbd245

SHA256
8feb15a2478d6344feec3d7dcbc68272fc8050ff0faace60c75d1447faba5ed3

SHA512
480c8d33fcaf7eaa0444ec45d13388c3d455c4f811741e657628a8b7057bc4eed2dc0451bf3864340b147f69da730f111d1089f98959d07ecdb1cd981be3e70c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup_00.exe

Filesize
129KB

MD5
0e1cbf0892a4ef5f31230942b7e74d6f

SHA1
2c611b6670e0e26caf331654576b78c6effbd245

SHA256
8feb15a2478d6344feec3d7dcbc68272fc8050ff0faace60c75d1447faba5ed3

SHA512
480c8d33fcaf7eaa0444ec45d13388c3d455c4f811741e657628a8b7057bc4eed2dc0451bf3864340b147f69da730f111d1089f98959d07ecdb1cd981be3e70c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LC.exe

Filesize
45KB

MD5
161f4d2404a6f41c0b354f912ad3fe9a

SHA1
e41e0bdc42a16573cac28f472cec710b5a0c351b

SHA256
24da3e109cafea575974f34f165dc077dd9f445dd1838933e62993942ae50d61

SHA512
689cbc85a976605c356f0a3f61443755648875c60e2e1375a335cbb4afdd39d6fb6a0ec7dcd659a92ab29cc32a0ceb7c17d70fec5de26d7fc86726501b28d68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LC.exe

Filesize
45KB

MD5
161f4d2404a6f41c0b354f912ad3fe9a

SHA1
e41e0bdc42a16573cac28f472cec710b5a0c351b

SHA256
24da3e109cafea575974f34f165dc077dd9f445dd1838933e62993942ae50d61

SHA512
689cbc85a976605c356f0a3f61443755648875c60e2e1375a335cbb4afdd39d6fb6a0ec7dcd659a92ab29cc32a0ceb7c17d70fec5de26d7fc86726501b28d68e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup_00.exe

Filesize
129KB

MD5
0e1cbf0892a4ef5f31230942b7e74d6f

SHA1
2c611b6670e0e26caf331654576b78c6effbd245

SHA256
8feb15a2478d6344feec3d7dcbc68272fc8050ff0faace60c75d1447faba5ed3

SHA512
480c8d33fcaf7eaa0444ec45d13388c3d455c4f811741e657628a8b7057bc4eed2dc0451bf3864340b147f69da730f111d1089f98959d07ecdb1cd981be3e70c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup_00.exe

Filesize
129KB

MD5
0e1cbf0892a4ef5f31230942b7e74d6f

SHA1
2c611b6670e0e26caf331654576b78c6effbd245

SHA256
8feb15a2478d6344feec3d7dcbc68272fc8050ff0faace60c75d1447faba5ed3

SHA512
480c8d33fcaf7eaa0444ec45d13388c3d455c4f811741e657628a8b7057bc4eed2dc0451bf3864340b147f69da730f111d1089f98959d07ecdb1cd981be3e70c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup_00.exe

Filesize
129KB

MD5
0e1cbf0892a4ef5f31230942b7e74d6f

SHA1
2c611b6670e0e26caf331654576b78c6effbd245

SHA256
8feb15a2478d6344feec3d7dcbc68272fc8050ff0faace60c75d1447faba5ed3

SHA512
480c8d33fcaf7eaa0444ec45d13388c3d455c4f811741e657628a8b7057bc4eed2dc0451bf3864340b147f69da730f111d1089f98959d07ecdb1cd981be3e70c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup_00.exe

Filesize
129KB

MD5
0e1cbf0892a4ef5f31230942b7e74d6f

SHA1
2c611b6670e0e26caf331654576b78c6effbd245

SHA256
8feb15a2478d6344feec3d7dcbc68272fc8050ff0faace60c75d1447faba5ed3

SHA512
480c8d33fcaf7eaa0444ec45d13388c3d455c4f811741e657628a8b7057bc4eed2dc0451bf3864340b147f69da730f111d1089f98959d07ecdb1cd981be3e70c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\LC.exe

Filesize
45KB

MD5
161f4d2404a6f41c0b354f912ad3fe9a

SHA1
e41e0bdc42a16573cac28f472cec710b5a0c351b

SHA256
24da3e109cafea575974f34f165dc077dd9f445dd1838933e62993942ae50d61

SHA512
689cbc85a976605c356f0a3f61443755648875c60e2e1375a335cbb4afdd39d6fb6a0ec7dcd659a92ab29cc32a0ceb7c17d70fec5de26d7fc86726501b28d68e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\LC.exe

Filesize
45KB

MD5
161f4d2404a6f41c0b354f912ad3fe9a

SHA1
e41e0bdc42a16573cac28f472cec710b5a0c351b

SHA256
24da3e109cafea575974f34f165dc077dd9f445dd1838933e62993942ae50d61

SHA512
689cbc85a976605c356f0a3f61443755648875c60e2e1375a335cbb4afdd39d6fb6a0ec7dcd659a92ab29cc32a0ceb7c17d70fec5de26d7fc86726501b28d68e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\LC.exe

Filesize
45KB

MD5
161f4d2404a6f41c0b354f912ad3fe9a

SHA1
e41e0bdc42a16573cac28f472cec710b5a0c351b

SHA256
24da3e109cafea575974f34f165dc077dd9f445dd1838933e62993942ae50d61

SHA512
689cbc85a976605c356f0a3f61443755648875c60e2e1375a335cbb4afdd39d6fb6a0ec7dcd659a92ab29cc32a0ceb7c17d70fec5de26d7fc86726501b28d68e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\LC.exe

Filesize
45KB

MD5
161f4d2404a6f41c0b354f912ad3fe9a

SHA1
e41e0bdc42a16573cac28f472cec710b5a0c351b

SHA256
24da3e109cafea575974f34f165dc077dd9f445dd1838933e62993942ae50d61

SHA512
689cbc85a976605c356f0a3f61443755648875c60e2e1375a335cbb4afdd39d6fb6a0ec7dcd659a92ab29cc32a0ceb7c17d70fec5de26d7fc86726501b28d68e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\LC.exe

Filesize
45KB

MD5
161f4d2404a6f41c0b354f912ad3fe9a

SHA1
e41e0bdc42a16573cac28f472cec710b5a0c351b

SHA256
24da3e109cafea575974f34f165dc077dd9f445dd1838933e62993942ae50d61

SHA512
689cbc85a976605c356f0a3f61443755648875c60e2e1375a335cbb4afdd39d6fb6a0ec7dcd659a92ab29cc32a0ceb7c17d70fec5de26d7fc86726501b28d68e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\LC.exe

Filesize
45KB

MD5
161f4d2404a6f41c0b354f912ad3fe9a

SHA1
e41e0bdc42a16573cac28f472cec710b5a0c351b

SHA256
24da3e109cafea575974f34f165dc077dd9f445dd1838933e62993942ae50d61

SHA512
689cbc85a976605c356f0a3f61443755648875c60e2e1375a335cbb4afdd39d6fb6a0ec7dcd659a92ab29cc32a0ceb7c17d70fec5de26d7fc86726501b28d68e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\LC.exe

Filesize
45KB

MD5
161f4d2404a6f41c0b354f912ad3fe9a

SHA1
e41e0bdc42a16573cac28f472cec710b5a0c351b

SHA256
24da3e109cafea575974f34f165dc077dd9f445dd1838933e62993942ae50d61

SHA512
689cbc85a976605c356f0a3f61443755648875c60e2e1375a335cbb4afdd39d6fb6a0ec7dcd659a92ab29cc32a0ceb7c17d70fec5de26d7fc86726501b28d68e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\LC.exe

Filesize
45KB

MD5
161f4d2404a6f41c0b354f912ad3fe9a

SHA1
e41e0bdc42a16573cac28f472cec710b5a0c351b

SHA256
24da3e109cafea575974f34f165dc077dd9f445dd1838933e62993942ae50d61

SHA512
689cbc85a976605c356f0a3f61443755648875c60e2e1375a335cbb4afdd39d6fb6a0ec7dcd659a92ab29cc32a0ceb7c17d70fec5de26d7fc86726501b28d68e

Download Submit
memory/1284-75-0x0000000000200000-0x0000000000216000-memory.dmp

Filesize
88KB

Download
memory/1284-82-0x0000000000200000-0x0000000000216000-memory.dmp

Filesize
88KB

Download
memory/1284-58-0x00000000765B1000-0x00000000765B3000-memory.dmp

Filesize
8KB

Download
memory/1284-76-0x0000000000200000-0x0000000000216000-memory.dmp

Filesize
88KB

Download
memory/1284-81-0x0000000000200000-0x0000000000216000-memory.dmp

Filesize
88KB

Download
memory/1744-78-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/1744-79-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/1744-80-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/1744-77-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1744-83-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/1744-84-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/1744-85-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download