7b4055eb9d72b5e5cd10c846497cb538bc366f8993198b680d195c98987d74e6

General

Target

file.exe
Size

2.5MB
MD5

e714d0566d4f2645d5567067a688df72
SHA1

932ba86fa02efb8ea29dbcdccd6f563e507194e7
SHA256

7b4055eb9d72b5e5cd10c846497cb538bc366f8993198b680d195c98987d74e6
SHA512

f72b4a63512b4fbe3e28e8a1019e089d3b7fa8c2447365428269b9f654a441d2b9a3c9623fea83a70d4230f4203e96464e27ce549ac49a6a9c882fe9ecb7195e
SSDEEP

49152:qm+qTGrENf44aLip1tJDNENpVrc60dit9chZFxX/rphEfv:kENJIiplgVYPQ9wrbm

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3324	fstoejyjng.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1380	3324	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3324	fstoejyjng.exe
3324	fstoejyjng.exe
3324	fstoejyjng.exe
3324	fstoejyjng.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 2436	3164	file.exe	85
PID 3164 wrote to memory of 2436	3164	file.exe	85
PID 3164 wrote to memory of 2436	3164	file.exe	85
PID 2436 wrote to memory of 3324	2436	cmd.exe	87
PID 2436 wrote to memory of 3324	2436	cmd.exe	87
PID 2436 wrote to memory of 3324	2436	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /d /c bghgcqrx.bat 322519376
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fstoejyjng.exe
    fstoejyjng.exe lenicivispn.dat 322519376
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3324
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1280
      4⤵
      Program crash
      PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3324 -ip 3324
1⤵
PID:5028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bghgcqrx.bat

Filesize
138B

MD5
dc20256ecb1a7d108e96a99092bdd628

SHA1
d4cb2e02c5190ea13287f7dac6780c807f0b0eba

SHA256
5dd36d416a6c482c02cb05b3a2d935cff4b0df2ec4346f95ab43105b8cdcff8b

SHA512
c10f32efc0766dbc8c4669bef24a55bcd4c51b00efe685ef4d72da3a7bd394737c2d75d1f1b7b83cfec2bd876e3a9799066cbec5849d3cdf29e039fc5f3d2763

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eaqdwbass.dat

Filesize
1B

MD5
69691c7bdcc3ce6d5d8a1361f22d04ac

SHA1
c63ae6dd4fc9f9dda66970e827d13f7c73fe841c

SHA256
08f271887ce94707da822d5263bae19d5519cb3614e0daedc4c7ce5dab7473f1

SHA512
253405e03b91441a6dd354a9b72e040068b1bfe10e83eb1a64a086c05525d8ccae2bf09130c624af50d55c3522a4fbb7c18cfc8dd843e5f4801d9ad2b5164b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eaqdwbass.dat.1

Filesize
3B

MD5
158b365b9eedcfaf539f5dedfd82ee97

SHA1
529f5d61ac99f60a8e473368eff1b32095a3e2bf

SHA256
39561f8af034137905f14ca7fd5a2c891bc12982f3f8ef2271e75e93433ffa90

SHA512
a1b231c2e6af432ee7df82e00d568819e12149af707d4c4fdd018b38cc4f9761062c5b7e497bd1b67e466b89e391520b88bf13f18c8b9ff646d82df740c05c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eaqdwbass.dat.2

Filesize
33B

MD5
500ba63e2664798939744b8a8c9be982

SHA1
54743a77e4186cb327b803efb1ef5b3d4ac163ce

SHA256
4ebc21177ee9907f71a1641a0482603ced98e9d43389cac0ffb0b59f7343eeba

SHA512
9992b70de5867e2a00aff4f79c37ba71e827cbb104c192ebd4a553f91ae06a5b235f34e65d9d1145591c147e9e6726146cb92171945aa67b8f3294116a223fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eaqdwbass.dat.3

Filesize
5.2MB

MD5
a452946137958e0cee844310f9e9fa7c

SHA1
8cf21ae4d1d764154048a02fb49412ef94094485

SHA256
088a5d04f2f6d6820bf1a6a390d9c0e00f88896c932848f0c97912b861479bb9

SHA512
ef3759e134c9b0eaaf300a57d335131faa91337497f572ef7eb1058e498a071d1741a6e0947ca9e95fe92b1ca163814ce6d1d706ad5ab010d47d18038b26beaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fstoejyjng.exe

Filesize
5.2MB

MD5
812d99a3d89b8de1b866ac960031e3df

SHA1
6817df1da376e8f6e68fd1ad06d78f02406b6e19

SHA256
9c5898b1b354b139794f10594e84e94e991971a54d179b2e9f746319ffac56aa

SHA512
85f72df2e679da3f337fc162ce3023d7d078c4433b49d3f4a16946fb0d2fdbadf5c736ff76e47bcdf920d5d90e05bf7f66ec9ca9fbe3f1d620cf33c046d857e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fstoejyjng.exe

Filesize
5.2MB

MD5
812d99a3d89b8de1b866ac960031e3df

SHA1
6817df1da376e8f6e68fd1ad06d78f02406b6e19

SHA256
9c5898b1b354b139794f10594e84e94e991971a54d179b2e9f746319ffac56aa

SHA512
85f72df2e679da3f337fc162ce3023d7d078c4433b49d3f4a16946fb0d2fdbadf5c736ff76e47bcdf920d5d90e05bf7f66ec9ca9fbe3f1d620cf33c046d857e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lenicivispn.dat

Filesize
946KB

MD5
6c509582cbb2f1c8a6cbaed7b84ae567

SHA1
ca0955fb4212398653a5d10e39d9cfc9328433a2

SHA256
bf84aaaac698a09a059eaa650f0d0755df5fb0262181961620faea82c39106a3

SHA512
0f29f0c5c12fcde2a640e8b91eff423e4aa9c7f34cb96c1f065cf80255be30ccf27b8d5196b94d8ca9e6be8aab33805b0b2f362093f02d3e891ba07347cfa138

Download Submit
memory/3324-157-0x000000000D800000-0x000000000D801000-memory.dmp

Filesize
4KB

Download
memory/3324-159-0x000000003EB00000-0x000000003EB01000-memory.dmp

Filesize
4KB

Download
memory/3324-156-0x000000000F300000-0x000000000F301000-memory.dmp

Filesize
4KB

Download
memory/3324-158-0x0000000024500000-0x0000000024501000-memory.dmp

Filesize
4KB

Download
memory/3324-160-0x0000000036700000-0x0000000036701000-memory.dmp

Filesize
4KB

Download
memory/3324-161-0x000000002E700000-0x000000002E701000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing