ee2d8f61e701ef0458c6663877685650fdc92055ebe3d557621ef208a508aa09

General

Target

ee2d8f61e701ef0458c6663877685650fdc92055ebe3d557621ef208a508aa09.exe
Size

1.0MB
MD5

4a00ffa42e22decebc7e533f36a09197
SHA1

c63955d7d76df2101eb9f1930f268fe3fc636e44
SHA256

ee2d8f61e701ef0458c6663877685650fdc92055ebe3d557621ef208a508aa09
SHA512

9af38d0924ac8f78872e21e52938c4935e00f54f3933d03290c3aea3b73413ba5c542273594300839d8f78a99c1115e17e78cd6944c468949a0f257fc8b7d8f4
SSDEEP

24576:RyPPx9gnWW1tKOxV6qWdwwubQYWsRAWeTTZg:EuWWLb6qWdwHUYTRiF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4200	x7062086.exe
1936	x9902363.exe
3600	x9132304.exe
3592	g1255561.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x9132304.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ee2d8f61e701ef0458c6663877685650fdc92055ebe3d557621ef208a508aa09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7062086.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9902363.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3592 set thread context of 2220	3592	g1255561.exe	75

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2444	3592	WerFault.exe	73
1356	2220	WerFault.exe	75

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 4200	564	ee2d8f61e701ef0458c6663877685650fdc92055ebe3d557621ef208a508aa09.exe	70
PID 564 wrote to memory of 4200	564	ee2d8f61e701ef0458c6663877685650fdc92055ebe3d557621ef208a508aa09.exe	70
PID 564 wrote to memory of 4200	564	ee2d8f61e701ef0458c6663877685650fdc92055ebe3d557621ef208a508aa09.exe	70
PID 4200 wrote to memory of 1936	4200	x7062086.exe	71
PID 4200 wrote to memory of 1936	4200	x7062086.exe	71
PID 4200 wrote to memory of 1936	4200	x7062086.exe	71
PID 1936 wrote to memory of 3600	1936	x9902363.exe	72
PID 1936 wrote to memory of 3600	1936	x9902363.exe	72
PID 1936 wrote to memory of 3600	1936	x9902363.exe	72
PID 3600 wrote to memory of 3592	3600	x9132304.exe	73
PID 3600 wrote to memory of 3592	3600	x9132304.exe	73
PID 3600 wrote to memory of 3592	3600	x9132304.exe	73
PID 3592 wrote to memory of 2220	3592	g1255561.exe	75
PID 3592 wrote to memory of 2220	3592	g1255561.exe	75
PID 3592 wrote to memory of 2220	3592	g1255561.exe	75
PID 3592 wrote to memory of 2220	3592	g1255561.exe	75
PID 3592 wrote to memory of 2220	3592	g1255561.exe	75
PID 3592 wrote to memory of 2220	3592	g1255561.exe	75
PID 3592 wrote to memory of 2220	3592	g1255561.exe	75
PID 3592 wrote to memory of 2220	3592	g1255561.exe	75
PID 3592 wrote to memory of 2220	3592	g1255561.exe	75
PID 3592 wrote to memory of 2220	3592	g1255561.exe	75

C:\Users\Admin\AppData\Local\Temp\ee2d8f61e701ef0458c6663877685650fdc92055ebe3d557621ef208a508aa09.exe
"C:\Users\Admin\AppData\Local\Temp\ee2d8f61e701ef0458c6663877685650fdc92055ebe3d557621ef208a508aa09.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:564
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7062086.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7062086.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9902363.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9902363.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9132304.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9132304.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3600
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1255561.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1255561.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3592
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 568
        7⤵
        Program crash
        
        PID:1356
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 144
        6⤵
        Program crash
        
        PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7062086.exe

Filesize
933KB

MD5
51a671ef44e00ec55126810affcd3c72

SHA1
d9cb23137cc03be7e4a4cc56c7511d07572868e3

SHA256
c7350d4f9bc28a94421217ea04970753168979167a4ca55e7bdaf369306c0828

SHA512
c0450cf747e8a2ca1757cbcc095556348625137165b28673361c64a5dfda6d3232bafbc1369cb06d5a9e17d80f972a203f8dacd9e270c9a58768fa9612dfcab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7062086.exe

Filesize
933KB

MD5
51a671ef44e00ec55126810affcd3c72

SHA1
d9cb23137cc03be7e4a4cc56c7511d07572868e3

SHA256
c7350d4f9bc28a94421217ea04970753168979167a4ca55e7bdaf369306c0828

SHA512
c0450cf747e8a2ca1757cbcc095556348625137165b28673361c64a5dfda6d3232bafbc1369cb06d5a9e17d80f972a203f8dacd9e270c9a58768fa9612dfcab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9902363.exe

Filesize
628KB

MD5
80ed4843f83131198150250d91815d9e

SHA1
25dde2d7c62eae9a0867bec1c46cac206cfa31e5

SHA256
93cecf000d959f110b6330bdf8864fa479e5f767aadc85fac1bdc6ed26db155c

SHA512
7267b6243ad92c910703feab3b363843709f490f7732411576130eef42a2cbebcc533be02896c081e89b2b24486d42ea8fa993d5cd100618052d86c8505f90fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9902363.exe

Filesize
628KB

MD5
80ed4843f83131198150250d91815d9e

SHA1
25dde2d7c62eae9a0867bec1c46cac206cfa31e5

SHA256
93cecf000d959f110b6330bdf8864fa479e5f767aadc85fac1bdc6ed26db155c

SHA512
7267b6243ad92c910703feab3b363843709f490f7732411576130eef42a2cbebcc533be02896c081e89b2b24486d42ea8fa993d5cd100618052d86c8505f90fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9132304.exe

Filesize
443KB

MD5
3812d9046b92405ed21ff8c36f3d92b1

SHA1
4ed9b2fabc0ef9857495e38c97bbb01dc2307dcb

SHA256
647cf190da849d24f2f7bdf0ca9b6ace22c9c1dca80fef959561da5a148ce505

SHA512
2a737006f65de847018b8020cebb2b78cb3e30451c84c0e2c6408a1529b32fc704f1968dd6e2f14eceedf380b7528aa476f057f16f20cc7eab94d5654a7f8de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9132304.exe

Filesize
443KB

MD5
3812d9046b92405ed21ff8c36f3d92b1

SHA1
4ed9b2fabc0ef9857495e38c97bbb01dc2307dcb

SHA256
647cf190da849d24f2f7bdf0ca9b6ace22c9c1dca80fef959561da5a148ce505

SHA512
2a737006f65de847018b8020cebb2b78cb3e30451c84c0e2c6408a1529b32fc704f1968dd6e2f14eceedf380b7528aa476f057f16f20cc7eab94d5654a7f8de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1255561.exe

Filesize
700KB

MD5
d4d2484c1fae07f3bd370ad5d971fb5c

SHA1
e7cda1d5a6b5c657209e2d88acd11e37443c11bb

SHA256
69d08aa5604d889e8026ba499faabc21bde5db53707d92a53679420e33982867

SHA512
9af0a5ccf3d4d8e7aa496c63a8af77072fe38e0ee7082ea1b4d6ad3c1ffb4337620031033b3d9cee73fa763c6c44207f7b6f6133f96c70fae9535b79b53167c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1255561.exe

Filesize
700KB

MD5
d4d2484c1fae07f3bd370ad5d971fb5c

SHA1
e7cda1d5a6b5c657209e2d88acd11e37443c11bb

SHA256
69d08aa5604d889e8026ba499faabc21bde5db53707d92a53679420e33982867

SHA512
9af0a5ccf3d4d8e7aa496c63a8af77072fe38e0ee7082ea1b4d6ad3c1ffb4337620031033b3d9cee73fa763c6c44207f7b6f6133f96c70fae9535b79b53167c1

Download Submit
memory/2220-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2220-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2220-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2220-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads