bb6ad7f1f3c03d2c9fcbac18a286b2fc7c0120c00b8c71aad6662577467e3cf4

General

Target

bb6ad7f1f3c03d2c9fcbac18a286b2fc7c0120c00b8c71aad6662577467e3cf4.exe
Size

350KB
MD5

e6786ce38b952ae797e4045489c27d77
SHA1

e4503a1468c5ded7d54e079610b2f73a3123dbdb
SHA256

bb6ad7f1f3c03d2c9fcbac18a286b2fc7c0120c00b8c71aad6662577467e3cf4
SHA512

c18d50e16b7d44fc40a04c737c3473aacf318d64ad6ccadc63f91f5855595c4814de4e08d7f0b63a0f6d7d80635b2ec746cd919dd031e038443cac46c421ca4e
SSDEEP

6144:c/0uoJvfHhR/AAxVCvoSrCo44i8hrrZCWRqah1A9mmCQKeYDijk:cJWnBRlxVErCoKKXAZahe9m4EL

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1948	3.exe

Loads dropped DLL 6 IoCs

pid	Process
880	bb6ad7f1f3c03d2c9fcbac18a286b2fc7c0120c00b8c71aad6662577467e3cf4.exe
880	bb6ad7f1f3c03d2c9fcbac18a286b2fc7c0120c00b8c71aad6662577467e3cf4.exe
1948	3.exe
960	WerFault.exe
960	WerFault.exe
960	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bb6ad7f1f3c03d2c9fcbac18a286b2fc7c0120c00b8c71aad6662577467e3cf4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bb6ad7f1f3c03d2c9fcbac18a286b2fc7c0120c00b8c71aad6662577467e3cf4.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
960	1948	WerFault.exe	27

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 1948	880	bb6ad7f1f3c03d2c9fcbac18a286b2fc7c0120c00b8c71aad6662577467e3cf4.exe	27
PID 880 wrote to memory of 1948	880	bb6ad7f1f3c03d2c9fcbac18a286b2fc7c0120c00b8c71aad6662577467e3cf4.exe	27
PID 880 wrote to memory of 1948	880	bb6ad7f1f3c03d2c9fcbac18a286b2fc7c0120c00b8c71aad6662577467e3cf4.exe	27
PID 880 wrote to memory of 1948	880	bb6ad7f1f3c03d2c9fcbac18a286b2fc7c0120c00b8c71aad6662577467e3cf4.exe	27
PID 880 wrote to memory of 1948	880	bb6ad7f1f3c03d2c9fcbac18a286b2fc7c0120c00b8c71aad6662577467e3cf4.exe	27
PID 880 wrote to memory of 1948	880	bb6ad7f1f3c03d2c9fcbac18a286b2fc7c0120c00b8c71aad6662577467e3cf4.exe	27
PID 880 wrote to memory of 1948	880	bb6ad7f1f3c03d2c9fcbac18a286b2fc7c0120c00b8c71aad6662577467e3cf4.exe	27
PID 1948 wrote to memory of 960	1948	3.exe	28
PID 1948 wrote to memory of 960	1948	3.exe	28
PID 1948 wrote to memory of 960	1948	3.exe	28
PID 1948 wrote to memory of 960	1948	3.exe	28
PID 1948 wrote to memory of 960	1948	3.exe	28
PID 1948 wrote to memory of 960	1948	3.exe	28
PID 1948 wrote to memory of 960	1948	3.exe	28

C:\Users\Admin\AppData\Local\Temp\bb6ad7f1f3c03d2c9fcbac18a286b2fc7c0120c00b8c71aad6662577467e3cf4.exe
"C:\Users\Admin\AppData\Local\Temp\bb6ad7f1f3c03d2c9fcbac18a286b2fc7c0120c00b8c71aad6662577467e3cf4.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:880
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 268
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe

Filesize
293KB

MD5
ba727e0f3ce6e53d5066f4d587a36187

SHA1
ab58804effafdc637192895416164db08ceeb7a2

SHA256
cff91aabdb846efc83f65705792331b724092dbbdfe9acf12a5ec74f2f76536f

SHA512
dd81a88162167b3f6de655d2ea1097cba3e4a9b7cbf4d5cdf6415e9859a51f00d633a227dcb46efcae6c66b5b30769111ae5c246a3a1db02028d3e968f350c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe

Filesize
293KB

MD5
ba727e0f3ce6e53d5066f4d587a36187

SHA1
ab58804effafdc637192895416164db08ceeb7a2

SHA256
cff91aabdb846efc83f65705792331b724092dbbdfe9acf12a5ec74f2f76536f

SHA512
dd81a88162167b3f6de655d2ea1097cba3e4a9b7cbf4d5cdf6415e9859a51f00d633a227dcb46efcae6c66b5b30769111ae5c246a3a1db02028d3e968f350c54

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe

Filesize
293KB

MD5
ba727e0f3ce6e53d5066f4d587a36187

SHA1
ab58804effafdc637192895416164db08ceeb7a2

SHA256
cff91aabdb846efc83f65705792331b724092dbbdfe9acf12a5ec74f2f76536f

SHA512
dd81a88162167b3f6de655d2ea1097cba3e4a9b7cbf4d5cdf6415e9859a51f00d633a227dcb46efcae6c66b5b30769111ae5c246a3a1db02028d3e968f350c54

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe

Filesize
293KB

MD5
ba727e0f3ce6e53d5066f4d587a36187

SHA1
ab58804effafdc637192895416164db08ceeb7a2

SHA256
cff91aabdb846efc83f65705792331b724092dbbdfe9acf12a5ec74f2f76536f

SHA512
dd81a88162167b3f6de655d2ea1097cba3e4a9b7cbf4d5cdf6415e9859a51f00d633a227dcb46efcae6c66b5b30769111ae5c246a3a1db02028d3e968f350c54

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe

Filesize
293KB

MD5
ba727e0f3ce6e53d5066f4d587a36187

SHA1
ab58804effafdc637192895416164db08ceeb7a2

SHA256
cff91aabdb846efc83f65705792331b724092dbbdfe9acf12a5ec74f2f76536f

SHA512
dd81a88162167b3f6de655d2ea1097cba3e4a9b7cbf4d5cdf6415e9859a51f00d633a227dcb46efcae6c66b5b30769111ae5c246a3a1db02028d3e968f350c54

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe

Filesize
293KB

MD5
ba727e0f3ce6e53d5066f4d587a36187

SHA1
ab58804effafdc637192895416164db08ceeb7a2

SHA256
cff91aabdb846efc83f65705792331b724092dbbdfe9acf12a5ec74f2f76536f

SHA512
dd81a88162167b3f6de655d2ea1097cba3e4a9b7cbf4d5cdf6415e9859a51f00d633a227dcb46efcae6c66b5b30769111ae5c246a3a1db02028d3e968f350c54

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe

Filesize
293KB

MD5
ba727e0f3ce6e53d5066f4d587a36187

SHA1
ab58804effafdc637192895416164db08ceeb7a2

SHA256
cff91aabdb846efc83f65705792331b724092dbbdfe9acf12a5ec74f2f76536f

SHA512
dd81a88162167b3f6de655d2ea1097cba3e4a9b7cbf4d5cdf6415e9859a51f00d633a227dcb46efcae6c66b5b30769111ae5c246a3a1db02028d3e968f350c54

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe

Filesize
293KB

MD5
ba727e0f3ce6e53d5066f4d587a36187

SHA1
ab58804effafdc637192895416164db08ceeb7a2

SHA256
cff91aabdb846efc83f65705792331b724092dbbdfe9acf12a5ec74f2f76536f

SHA512
dd81a88162167b3f6de655d2ea1097cba3e4a9b7cbf4d5cdf6415e9859a51f00d633a227dcb46efcae6c66b5b30769111ae5c246a3a1db02028d3e968f350c54

Download Submit
memory/880-54-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing