f4b15f591e0138a46f1f5fd157f31a78b360624d72a18136a5269a05ba8b987c

General

Target

file.exe
Size

2.5MB
MD5

b8c98b14888f48405173bc0f44c1c98f
SHA1

88d9407dc689a02070693ed6f95251926ceee37d
SHA256

f4b15f591e0138a46f1f5fd157f31a78b360624d72a18136a5269a05ba8b987c
SHA512

a0a801eac10532a07d5af844db65079a06fa3c2e322260ec7407c5010f9e996aa14886e124a860d94371d2c399d7ffaba916efe1d53fa50c97f5f8023d7ea9f6
SSDEEP

49152:PIVMAWRywiN7AqzGKWPy3tsdWT69leSkFAaGjv616z1dUbtmFjpb3JFjGgcBL:AKo5czXmidWn1FOz6c1uQF195GLL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1448	fgkhkbclt.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4120	1448	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1448	fgkhkbclt.exe
1448	fgkhkbclt.exe
1448	fgkhkbclt.exe
1448	fgkhkbclt.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 3132	1808	file.exe	84
PID 1808 wrote to memory of 3132	1808	file.exe	84
PID 1808 wrote to memory of 3132	1808	file.exe	84
PID 3132 wrote to memory of 1448	3132	cmd.exe	86
PID 3132 wrote to memory of 1448	3132	cmd.exe	86
PID 3132 wrote to memory of 1448	3132	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /d /c bkaetiwdh.bat 852439418
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3132
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fgkhkbclt.exe
    fgkhkbclt.exe ldvbkwg.dat 852439418
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1448
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 1280
      4⤵
      Program crash
      PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1448 -ip 1448
1⤵
PID:2344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bkaetiwdh.bat

Filesize
132B

MD5
a2923394ff80ed78dce6c6f65effb6c9

SHA1
dab4961e4fda699798742c8895b562a4cc151997

SHA256
cb693212c5263e428eecb1f85dcbde2a839f6b19249081eb1e5770236033692f

SHA512
27223b109e5b23cab22eff452d527dbf2ade5c1d73e33c93f04b6293bee8f7f2c1fa0a298f4af3f0dad6d6866ab39a99fb860b26c0cb13d002cd994d8794e426

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\emruehror.dat

Filesize
1B

MD5
69691c7bdcc3ce6d5d8a1361f22d04ac

SHA1
c63ae6dd4fc9f9dda66970e827d13f7c73fe841c

SHA256
08f271887ce94707da822d5263bae19d5519cb3614e0daedc4c7ce5dab7473f1

SHA512
253405e03b91441a6dd354a9b72e040068b1bfe10e83eb1a64a086c05525d8ccae2bf09130c624af50d55c3522a4fbb7c18cfc8dd843e5f4801d9ad2b5164b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\emruehror.dat.1

Filesize
3B

MD5
158b365b9eedcfaf539f5dedfd82ee97

SHA1
529f5d61ac99f60a8e473368eff1b32095a3e2bf

SHA256
39561f8af034137905f14ca7fd5a2c891bc12982f3f8ef2271e75e93433ffa90

SHA512
a1b231c2e6af432ee7df82e00d568819e12149af707d4c4fdd018b38cc4f9761062c5b7e497bd1b67e466b89e391520b88bf13f18c8b9ff646d82df740c05c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\emruehror.dat.2

Filesize
33B

MD5
500ba63e2664798939744b8a8c9be982

SHA1
54743a77e4186cb327b803efb1ef5b3d4ac163ce

SHA256
4ebc21177ee9907f71a1641a0482603ced98e9d43389cac0ffb0b59f7343eeba

SHA512
9992b70de5867e2a00aff4f79c37ba71e827cbb104c192ebd4a553f91ae06a5b235f34e65d9d1145591c147e9e6726146cb92171945aa67b8f3294116a223fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\emruehror.dat.3

Filesize
5.2MB

MD5
a452946137958e0cee844310f9e9fa7c

SHA1
8cf21ae4d1d764154048a02fb49412ef94094485

SHA256
088a5d04f2f6d6820bf1a6a390d9c0e00f88896c932848f0c97912b861479bb9

SHA512
ef3759e134c9b0eaaf300a57d335131faa91337497f572ef7eb1058e498a071d1741a6e0947ca9e95fe92b1ca163814ce6d1d706ad5ab010d47d18038b26beaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fgkhkbclt.exe

Filesize
5.2MB

MD5
812d99a3d89b8de1b866ac960031e3df

SHA1
6817df1da376e8f6e68fd1ad06d78f02406b6e19

SHA256
9c5898b1b354b139794f10594e84e94e991971a54d179b2e9f746319ffac56aa

SHA512
85f72df2e679da3f337fc162ce3023d7d078c4433b49d3f4a16946fb0d2fdbadf5c736ff76e47bcdf920d5d90e05bf7f66ec9ca9fbe3f1d620cf33c046d857e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fgkhkbclt.exe

Filesize
5.2MB

MD5
812d99a3d89b8de1b866ac960031e3df

SHA1
6817df1da376e8f6e68fd1ad06d78f02406b6e19

SHA256
9c5898b1b354b139794f10594e84e94e991971a54d179b2e9f746319ffac56aa

SHA512
85f72df2e679da3f337fc162ce3023d7d078c4433b49d3f4a16946fb0d2fdbadf5c736ff76e47bcdf920d5d90e05bf7f66ec9ca9fbe3f1d620cf33c046d857e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ldvbkwg.dat

Filesize
926KB

MD5
eed6b04cc49440fba5a64937b0368ce4

SHA1
62642d22c9a47220a10e73534bc819749bd67ab9

SHA256
f6d78f0a4c780374255776f80be6baf1191e706e52393fe9384e3be14ba27332

SHA512
2b0b612fb4e9177ea2e930528ae461eb98058062780ee6d91ee4d93dc4a7df0c93bc6ec61f1cab059a2695851b370d568ba09440a8eeff2d70ebfb2298d6c26e

Download Submit
memory/1448-156-0x000000000F100000-0x000000000F101000-memory.dmp

Filesize
4KB

Download
memory/1448-157-0x000000001E800000-0x000000001E801000-memory.dmp

Filesize
4KB

Download
memory/1448-158-0x0000000027F00000-0x0000000027F01000-memory.dmp

Filesize
4KB

Download
memory/1448-159-0x0000000037900000-0x0000000037901000-memory.dmp

Filesize
4KB

Download
memory/1448-160-0x0000000036A00000-0x0000000036A01000-memory.dmp

Filesize
4KB

Download
memory/1448-161-0x000000003D300000-0x000000003D301000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing