ca91a7712a50d503930f4c883c58e7658cf9161e6908766cbf97c6d718931544

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca91a7712a50d503930f4c883c58e7658cf9161e6908766cbf97c6d718931544.exe
Size

968KB
MD5

e914a42b1b90cbaaaad423982da21952
SHA1

3970f102609d2de476ec3a9196099db9d213180d
SHA256

ca91a7712a50d503930f4c883c58e7658cf9161e6908766cbf97c6d718931544
SHA512

793405bdf8de894cb2520f743275e4eb893e99c149171af86035ccb8795604873c57470ef3ff61e5b42a9b2addae1bb688cbb003b82edd7d4e2531c652fd6574
SSDEEP

12288:EMP+aXfwK5KVCfj8HUD3xwheh9K6EFOMmimslOvTwnJlu3bohu8bxw0YZ:z+I5uCb80bxwshD6Y9Inrurok8FW

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3252	server2.exe
2620	Server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	server2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	server2.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\server2.exe	ca91a7712a50d503930f4c883c58e7658cf9161e6908766cbf97c6d718931544.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5004	2620	WerFault.exe	84

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3912	ca91a7712a50d503930f4c883c58e7658cf9161e6908766cbf97c6d718931544.exe
3912	ca91a7712a50d503930f4c883c58e7658cf9161e6908766cbf97c6d718931544.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 3252	3912	ca91a7712a50d503930f4c883c58e7658cf9161e6908766cbf97c6d718931544.exe	83
PID 3912 wrote to memory of 3252	3912	ca91a7712a50d503930f4c883c58e7658cf9161e6908766cbf97c6d718931544.exe	83
PID 3912 wrote to memory of 3252	3912	ca91a7712a50d503930f4c883c58e7658cf9161e6908766cbf97c6d718931544.exe	83
PID 3252 wrote to memory of 2620	3252	server2.exe	84
PID 3252 wrote to memory of 2620	3252	server2.exe	84
PID 3252 wrote to memory of 2620	3252	server2.exe	84

C:\Users\Admin\AppData\Local\Temp\ca91a7712a50d503930f4c883c58e7658cf9161e6908766cbf97c6d718931544.exe
"C:\Users\Admin\AppData\Local\Temp\ca91a7712a50d503930f4c883c58e7658cf9161e6908766cbf97c6d718931544.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Windows\SysWOW64\server2.exe
  C:\Windows\system32\/server2.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe
    3⤵
    - Executes dropped EXE
    PID:2620
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 520
      4⤵
      Program crash
      PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2620 -ip 2620
1⤵
PID:2856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe

Filesize
793KB

MD5
fc24eb710a685f7fee1397b773f23c3e

SHA1
45dff089cbe67cb495eab16f24fcc241aedc4e87

SHA256
1bbb792654b48206e68194afd1129dfe44f3593f33eedfa4d5d07c1208b84989

SHA512
2afab9be1cbba731695c896f6df09c6ac40e1894691d2203a79d9cd2955076a62965ea34a31f39f45408b3225850b199af6ba8e86d1500176506fe804c1a0080

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Server.exe

Filesize
793KB

MD5
fc24eb710a685f7fee1397b773f23c3e

SHA1
45dff089cbe67cb495eab16f24fcc241aedc4e87

SHA256
1bbb792654b48206e68194afd1129dfe44f3593f33eedfa4d5d07c1208b84989

SHA512
2afab9be1cbba731695c896f6df09c6ac40e1894691d2203a79d9cd2955076a62965ea34a31f39f45408b3225850b199af6ba8e86d1500176506fe804c1a0080

Download Submit
C:\Windows\SysWOW64\server2.exe

Filesize
392KB

MD5
f9a7a5421b233c25905c2ad97e9a1fac

SHA1
2acecb13387e7b0bfd489c1738c3d903cfc0ac39

SHA256
91e11135315c6107c57849be19f4566b002628d70b29696c948c87d7500acf19

SHA512
3995a67c7411d97da8d72018de9e5e8af1e02c6401ee5c82b7886726c0485c611398b1edd6fcffb743a67981a3d4540b7432929464bea336f005db5638dc5f66

Download Submit
C:\Windows\SysWOW64\server2.exe

Filesize
392KB

MD5
f9a7a5421b233c25905c2ad97e9a1fac

SHA1
2acecb13387e7b0bfd489c1738c3d903cfc0ac39

SHA256
91e11135315c6107c57849be19f4566b002628d70b29696c948c87d7500acf19

SHA512
3995a67c7411d97da8d72018de9e5e8af1e02c6401ee5c82b7886726c0485c611398b1edd6fcffb743a67981a3d4540b7432929464bea336f005db5638dc5f66

Download Submit
memory/2620-139-0x0000000000400000-0x00000000004CE200-memory.dmp

Filesize
824KB

Download
memory/3252-138-0x0000000001000000-0x00000000010C5000-memory.dmp

Filesize
788KB

Download
memory/3252-140-0x0000000001000000-0x00000000010C5000-memory.dmp

Filesize
788KB

Download