Analysis

Max time kernel: 63s
Max time network: 76s
Platform: windows10-1703_x64
Resource: win10-20230915-en
Resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
Submitted: 21-09-2023 20:16
Static task: static1
Behavioral task: behavioral1
Sample: 3f105c082ad372002b2937f23136a2b748599c170a77bea31ad0f59709c53c4a.exe
Resource: win10-20230915-en
General

Target: 3f105c082ad372002b2937f23136a2b748599c170a77bea31ad0f59709c53c4a.exe
Size: 1.0MB
MD5: d14e43543323b4bac9c4cfc4e3bd93b9
SHA1: c6172e93dbbcf5270f533cfab8a91228c9ff6454
SHA256: 3f105c082ad372002b2937f23136a2b748599c170a77bea31ad0f59709c53c4a
SHA512: f9267f02dcd90ce8c83cda1632b7d10f11d30782f054a46b821d5603dcedd877444d7897728e7e4bb9f44d80ac00c5eee5c121fa71e71ea2c56eb43572444074
SSDEEP: 12288:2Mrby90sLNYUiW/+fsZpO0XgoGHF/Li8VfzHYKCCZSM5Lq0Vs7XqEd3DI59sBjB9:Fy80XO0QLbZSM52067le+Bp762Tue/
Malware Config
Signatures

Executes dropped EXE (4 IoCs)
PID    Process
5004   x7404597.exe
4924   x9090355.exe
4832   x8771871.exe
828    g3668336.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
Set value (str) by 3f105c082ad372002b2937f23136a2b748599c170a77bea31ad0f59709c53c4a.exe:
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Set value (str) by x7404597.exe:
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Set value (str) by x9090355.exe:
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
Set value (str) by x8771871.exe:
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""

Suspicious use of SetThreadContext (1 IoC)
Description                              PID    Process        procid_target
PID 828 set thread context of 4248       828    g3668336.exe   76

Program crash (2 IoCs)
PID    Target PID   Process        procid_target
1124   828          WerFault.exe   72
4524   4248         WerFault.exe   76

Suspicious use of WriteProcessMemory (28 IoCs; identical records collapsed, count in last column)
Description                              PID    Process                                                               procid_target   Count
PID 2792 wrote to memory of 5004         2792   3f105c082ad372002b2937f23136a2b748599c170a77bea31ad0f59709c53c4a.exe 69              3
PID 5004 wrote to memory of 4924         5004   x7404597.exe                                                          70              3
PID 4924 wrote to memory of 4832         4924   x9090355.exe                                                          71              3
PID 4832 wrote to memory of 828          4832   x8771871.exe                                                          72              3
PID 828 wrote to memory of 4884          828    g3668336.exe                                                          74              3
PID 828 wrote to memory of 3928          828    g3668336.exe                                                          75              3
PID 828 wrote to memory of 4248          828    g3668336.exe                                                          76              10
Processes

1. C:\Users\Admin\AppData\Local\Temp\3f105c082ad372002b2937f23136a2b748599c170a77bea31ad0f59709c53c4a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3f105c082ad372002b2937f23136a2b748599c170a77bea31ad0f59709c53c4a.exe"
   PID: 2792
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7404597.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7404597.exe
      PID: 5004
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9090355.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9090355.exe
         PID: 4924
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8771871.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8771871.exe
            PID: 4832
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3668336.exe
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3668336.exe
               PID: 828
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  PID: 4884

               6. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  PID: 3928

               6. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  PID: 4248

                  7. C:\Windows\SysWOW64\WerFault.exe
                     Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 196
                     PID: 4524
                     - Program crash

               6. C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 576
                  PID: 1124
                  - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 931KB
MD5: 8b0e6821fc4081bad161fd105a6e0c5f
SHA1: 2679b57e147bd6ca6e22c6954882120d38edfa49
SHA256: c785ebc0525dce430f299c60d0de362f5fd3a63cf179089c4559861737d8adc8
SHA512: 5131e82e4c285cdc9843de5ec818a30c2fbb0c863d457d312921cdbfea0e6505e6c675d0f45bf682cf43fd31056cf8b1967158f7a8618eb18e7444b1122f4246

Filesize: 931KB
MD5: 8b0e6821fc4081bad161fd105a6e0c5f
SHA1: 2679b57e147bd6ca6e22c6954882120d38edfa49
SHA256: c785ebc0525dce430f299c60d0de362f5fd3a63cf179089c4559861737d8adc8
SHA512: 5131e82e4c285cdc9843de5ec818a30c2fbb0c863d457d312921cdbfea0e6505e6c675d0f45bf682cf43fd31056cf8b1967158f7a8618eb18e7444b1122f4246

Filesize: 628KB
MD5: b4a702ea7d2c28aec14e7582f6ccf980
SHA1: a9c7ca2851e0bcbd0e106b9aa48cfc0e66a53deb
SHA256: 69b1fd95b59aee92fc447268f2b661a60d8b5d76978bd22ce62e2593aba273c7
SHA512: c516808044857e32b404711beae6110d8fe9a0b05a9d27e95791ef0db68af0bb62791df6dda4b32a5f4332471c9e692fb43a092e22c3493aee0163cbeecda487

Filesize: 628KB
MD5: b4a702ea7d2c28aec14e7582f6ccf980
SHA1: a9c7ca2851e0bcbd0e106b9aa48cfc0e66a53deb
SHA256: 69b1fd95b59aee92fc447268f2b661a60d8b5d76978bd22ce62e2593aba273c7
SHA512: c516808044857e32b404711beae6110d8fe9a0b05a9d27e95791ef0db68af0bb62791df6dda4b32a5f4332471c9e692fb43a092e22c3493aee0163cbeecda487

Filesize: 443KB
MD5: 971c06ece4c33212d51ed4b65b6193f9
SHA1: 04d8ab8406488e41e769edbf053a88de6446370a
SHA256: 49c428832532f8f99d18fab88fffc32cc4a01a7c015e72930dc9d4601b676590
SHA512: bf6b7cd5bcb7acf6434725143b8956fa94ae46c335b052e3e025cd1d58079bb885da94f3d4e836d2372d1e6ff63fa7d278b2fb22517c48704701a71b18922f0a

Filesize: 443KB
MD5: 971c06ece4c33212d51ed4b65b6193f9
SHA1: 04d8ab8406488e41e769edbf053a88de6446370a
SHA256: 49c428832532f8f99d18fab88fffc32cc4a01a7c015e72930dc9d4601b676590
SHA512: bf6b7cd5bcb7acf6434725143b8956fa94ae46c335b052e3e025cd1d58079bb885da94f3d4e836d2372d1e6ff63fa7d278b2fb22517c48704701a71b18922f0a

Filesize: 700KB
MD5: 72567f44360557cb50a5e66ecd6eb103
SHA1: 2e62b2a38b8a2074b2b3accf807cf0204625984f
SHA256: c68c76ac7309ff10b4bfe6e3a687ee8c54d22a455ab240838427ecee0f1da5c4
SHA512: d71af6953bbd0cf5265eca99373a95f86495306b56d86ceab0858048e129b6eed39760615def76240bc2094d799cc8af0299ff0b12c285e7679f8ea2893cb2ca

Filesize: 700KB
MD5: 72567f44360557cb50a5e66ecd6eb103
SHA1: 2e62b2a38b8a2074b2b3accf807cf0204625984f
SHA256: c68c76ac7309ff10b4bfe6e3a687ee8c54d22a455ab240838427ecee0f1da5c4
SHA512: d71af6953bbd0cf5265eca99373a95f86495306b56d86ceab0858048e129b6eed39760615def76240bc2094d799cc8af0299ff0b12c285e7679f8ea2893cb2ca