e07379b697c509743a93526d33e7db480b4e76fa5ef7c6e5a6c93b35ffe49522

General

Target

e07379b697c509743a93526d33e7db480b4e76fa5ef7c6e5a6c93b35ffe49522.exe
Size

1.0MB
MD5

8ce4876761c6644ab84d9e915c5caaf2
SHA1

ca3ffe364b6908dfd37dbb1ae79c565e1a4845ae
SHA256

e07379b697c509743a93526d33e7db480b4e76fa5ef7c6e5a6c93b35ffe49522
SHA512

76363e206f5734af7bd8ab673cea0e8ddecca3c13b9b13c2d5c1f9f59a62153bbf2121eeb3595a273ad91b4fbebcb4ed45010e83fe5946c9b4aa580040a88e9e
SSDEEP

24576:DyetMp/G/ckfiKkaDya0gHjAVdm1NbnQB:WeGp/G/cpXgHcV01h

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
5048	x0549573.exe
4488	x6214724.exe
3108	x0906674.exe
2344	g3016417.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x0906674.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e07379b697c509743a93526d33e7db480b4e76fa5ef7c6e5a6c93b35ffe49522.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0549573.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6214724.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2344 set thread context of 380	2344	g3016417.exe	75

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4316	2344	WerFault.exe	73
2356	380	WerFault.exe	75

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 5048	4716	e07379b697c509743a93526d33e7db480b4e76fa5ef7c6e5a6c93b35ffe49522.exe	70
PID 4716 wrote to memory of 5048	4716	e07379b697c509743a93526d33e7db480b4e76fa5ef7c6e5a6c93b35ffe49522.exe	70
PID 4716 wrote to memory of 5048	4716	e07379b697c509743a93526d33e7db480b4e76fa5ef7c6e5a6c93b35ffe49522.exe	70
PID 5048 wrote to memory of 4488	5048	x0549573.exe	71
PID 5048 wrote to memory of 4488	5048	x0549573.exe	71
PID 5048 wrote to memory of 4488	5048	x0549573.exe	71
PID 4488 wrote to memory of 3108	4488	x6214724.exe	72
PID 4488 wrote to memory of 3108	4488	x6214724.exe	72
PID 4488 wrote to memory of 3108	4488	x6214724.exe	72
PID 3108 wrote to memory of 2344	3108	x0906674.exe	73
PID 3108 wrote to memory of 2344	3108	x0906674.exe	73
PID 3108 wrote to memory of 2344	3108	x0906674.exe	73
PID 2344 wrote to memory of 380	2344	g3016417.exe	75
PID 2344 wrote to memory of 380	2344	g3016417.exe	75
PID 2344 wrote to memory of 380	2344	g3016417.exe	75
PID 2344 wrote to memory of 380	2344	g3016417.exe	75
PID 2344 wrote to memory of 380	2344	g3016417.exe	75
PID 2344 wrote to memory of 380	2344	g3016417.exe	75
PID 2344 wrote to memory of 380	2344	g3016417.exe	75
PID 2344 wrote to memory of 380	2344	g3016417.exe	75
PID 2344 wrote to memory of 380	2344	g3016417.exe	75
PID 2344 wrote to memory of 380	2344	g3016417.exe	75

C:\Users\Admin\AppData\Local\Temp\e07379b697c509743a93526d33e7db480b4e76fa5ef7c6e5a6c93b35ffe49522.exe
"C:\Users\Admin\AppData\Local\Temp\e07379b697c509743a93526d33e7db480b4e76fa5ef7c6e5a6c93b35ffe49522.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0549573.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0549573.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6214724.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6214724.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0906674.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0906674.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3108
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3016417.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3016417.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2344
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 568
        7⤵
        Program crash
        
        PID:2356
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 580
        6⤵
        Program crash
        
        PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0549573.exe

Filesize
933KB

MD5
d064209e6701e25fd49eac166f491fba

SHA1
454ab0ea9e02f86995abe7f2c98149b1ddca23e7

SHA256
a5a159bfa9bcb73d148091b1fec5b76e98cdc87493a36cfef0d901f3f5bb8618

SHA512
7a96c4bf6f00ac6ebe3d687bc826e4535cef2e5f89826931e6458b79b3b8d4663b9cb71e0cfe6359efc634037a0b7ab8e2d16675dc85c1eb30e3359f1ec2444e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0549573.exe

Filesize
933KB

MD5
d064209e6701e25fd49eac166f491fba

SHA1
454ab0ea9e02f86995abe7f2c98149b1ddca23e7

SHA256
a5a159bfa9bcb73d148091b1fec5b76e98cdc87493a36cfef0d901f3f5bb8618

SHA512
7a96c4bf6f00ac6ebe3d687bc826e4535cef2e5f89826931e6458b79b3b8d4663b9cb71e0cfe6359efc634037a0b7ab8e2d16675dc85c1eb30e3359f1ec2444e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6214724.exe

Filesize
628KB

MD5
6b634d195e59e90377093bd76ed2dfc1

SHA1
c1f3dad0c18c6f3a2eb01882011870fd599a83b6

SHA256
c6472271e123e52171e8059b28cd72f448b842a1e2fcfc45c4f44513db740695

SHA512
fe99fb0afb6df23f680c6b61e0e8816271a76ec9a601b4782d779494a3709eac43ebeac6c29a8667eafa93b901d8b26f870b003daa0a0797502c09f977c6a681

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6214724.exe

Filesize
628KB

MD5
6b634d195e59e90377093bd76ed2dfc1

SHA1
c1f3dad0c18c6f3a2eb01882011870fd599a83b6

SHA256
c6472271e123e52171e8059b28cd72f448b842a1e2fcfc45c4f44513db740695

SHA512
fe99fb0afb6df23f680c6b61e0e8816271a76ec9a601b4782d779494a3709eac43ebeac6c29a8667eafa93b901d8b26f870b003daa0a0797502c09f977c6a681

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0906674.exe

Filesize
443KB

MD5
da5845de543c96120fdfcc133510894f

SHA1
48ef28b50cbd397b3a1fddaf2674208f335c7ad0

SHA256
bdbecf776b4ab06ebfe88364167a686973cd8c6ba93d050c159373f49b610ffb

SHA512
55138da9140e7cca63fd8d2a588a04659d8aa78f5a680c14915ffb8e35af0251982477976359bbdb037f72ed5755a5b3c8bb94cabb42c76256c8464e8e738038

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0906674.exe

Filesize
443KB

MD5
da5845de543c96120fdfcc133510894f

SHA1
48ef28b50cbd397b3a1fddaf2674208f335c7ad0

SHA256
bdbecf776b4ab06ebfe88364167a686973cd8c6ba93d050c159373f49b610ffb

SHA512
55138da9140e7cca63fd8d2a588a04659d8aa78f5a680c14915ffb8e35af0251982477976359bbdb037f72ed5755a5b3c8bb94cabb42c76256c8464e8e738038

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3016417.exe

Filesize
700KB

MD5
4bb3d970176325f73c68f6b2edcef28e

SHA1
05dd6d591b0ebffb284c789d87bc90f250d75f9f

SHA256
a84593401a010749f3b40304e3f9599ad5587884105095007088a5a728e66ad5

SHA512
f765e8c024e19920466f5a98b1358a77da303cf5f83cd0e033d69bf99777ce26466359a09d19f7b1a84ec8d11e7e22f39a9fb01b979d113c400414e61343562d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3016417.exe

Filesize
700KB

MD5
4bb3d970176325f73c68f6b2edcef28e

SHA1
05dd6d591b0ebffb284c789d87bc90f250d75f9f

SHA256
a84593401a010749f3b40304e3f9599ad5587884105095007088a5a728e66ad5

SHA512
f765e8c024e19920466f5a98b1358a77da303cf5f83cd0e033d69bf99777ce26466359a09d19f7b1a84ec8d11e7e22f39a9fb01b979d113c400414e61343562d

Download Submit
memory/380-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/380-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/380-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/380-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads