09261b448e513b6f82dca6057f9b68e1d636abca2cc7b2ab653ce5f6ade42043

General

Target

09261b448e513b6f82dca6057f9b68e1d636abca2cc7b2ab653ce5f6ade42043.exe
Size

1.0MB
MD5

bd164af3628b5cfc8bf4e0370faf8b3b
SHA1

3a4e2443a2757d8cc26d489b67246f3983f94d91
SHA256

09261b448e513b6f82dca6057f9b68e1d636abca2cc7b2ab653ce5f6ade42043
SHA512

49a46b82f571e5225b18489e88b3c578babbaccc4df2f23d909a9d1c2426981d0330bed5ada55cf4c6734fbb51d945c0a02779726eb4f13225fea5e10ea5f72a
SSDEEP

24576:myGWMe/F2DWqiUSregemCNBrTbJHEwt0WDq6OYI8WGfM94:15FZq+2NBrTbNbv+X3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4688	x5037735.exe
4652	x7122334.exe
4392	x1238954.exe
1412	g2201514.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	09261b448e513b6f82dca6057f9b68e1d636abca2cc7b2ab653ce5f6ade42043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5037735.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7122334.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x1238954.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1412 set thread context of 60	1412	g2201514.exe	76

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5020	1412	WerFault.exe	73
2572	60	WerFault.exe	76

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 4688	2284	09261b448e513b6f82dca6057f9b68e1d636abca2cc7b2ab653ce5f6ade42043.exe	70
PID 2284 wrote to memory of 4688	2284	09261b448e513b6f82dca6057f9b68e1d636abca2cc7b2ab653ce5f6ade42043.exe	70
PID 2284 wrote to memory of 4688	2284	09261b448e513b6f82dca6057f9b68e1d636abca2cc7b2ab653ce5f6ade42043.exe	70
PID 4688 wrote to memory of 4652	4688	x5037735.exe	71
PID 4688 wrote to memory of 4652	4688	x5037735.exe	71
PID 4688 wrote to memory of 4652	4688	x5037735.exe	71
PID 4652 wrote to memory of 4392	4652	x7122334.exe	72
PID 4652 wrote to memory of 4392	4652	x7122334.exe	72
PID 4652 wrote to memory of 4392	4652	x7122334.exe	72
PID 4392 wrote to memory of 1412	4392	x1238954.exe	73
PID 4392 wrote to memory of 1412	4392	x1238954.exe	73
PID 4392 wrote to memory of 1412	4392	x1238954.exe	73
PID 1412 wrote to memory of 4608	1412	g2201514.exe	75
PID 1412 wrote to memory of 4608	1412	g2201514.exe	75
PID 1412 wrote to memory of 4608	1412	g2201514.exe	75
PID 1412 wrote to memory of 60	1412	g2201514.exe	76
PID 1412 wrote to memory of 60	1412	g2201514.exe	76
PID 1412 wrote to memory of 60	1412	g2201514.exe	76
PID 1412 wrote to memory of 60	1412	g2201514.exe	76
PID 1412 wrote to memory of 60	1412	g2201514.exe	76
PID 1412 wrote to memory of 60	1412	g2201514.exe	76
PID 1412 wrote to memory of 60	1412	g2201514.exe	76
PID 1412 wrote to memory of 60	1412	g2201514.exe	76
PID 1412 wrote to memory of 60	1412	g2201514.exe	76
PID 1412 wrote to memory of 60	1412	g2201514.exe	76

C:\Users\Admin\AppData\Local\Temp\09261b448e513b6f82dca6057f9b68e1d636abca2cc7b2ab653ce5f6ade42043.exe
"C:\Users\Admin\AppData\Local\Temp\09261b448e513b6f82dca6057f9b68e1d636abca2cc7b2ab653ce5f6ade42043.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5037735.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5037735.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7122334.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7122334.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1238954.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1238954.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4392
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2201514.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2201514.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1412
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4608
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:60
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 568
        7⤵
        Program crash
        
        PID:2572
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 140
        6⤵
        Program crash
        
        PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5037735.exe

Filesize
932KB

MD5
a4e1e68cbcd4ccb17b2196124362ce4a

SHA1
6c6a94653fb125c3e3f8bf59252b673bcc82d0e1

SHA256
ec66ed4044c6d67dc9f18c2d719937649232dd73308156626429ad5b1f604ba8

SHA512
69faf338eb94aa2f01e5dfc7322ad193523fc9c6703e4085fedc9a0151cbf8567f9b2be0fc81181acb4a9a90e456bfdc5033dd64b5ccbbd24e8bea8201019476

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5037735.exe

Filesize
932KB

MD5
a4e1e68cbcd4ccb17b2196124362ce4a

SHA1
6c6a94653fb125c3e3f8bf59252b673bcc82d0e1

SHA256
ec66ed4044c6d67dc9f18c2d719937649232dd73308156626429ad5b1f604ba8

SHA512
69faf338eb94aa2f01e5dfc7322ad193523fc9c6703e4085fedc9a0151cbf8567f9b2be0fc81181acb4a9a90e456bfdc5033dd64b5ccbbd24e8bea8201019476

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7122334.exe

Filesize
628KB

MD5
7f9766db8eeecce172d2b5acd42d555f

SHA1
9e20761ed5bae1b26504269402b5e5cd23cab09c

SHA256
7018712e4419b385c784333b5eea63c09a60f9ef174d26c04e7df9f39d09e02b

SHA512
24a20fcd5e852dae6cdb71ef954e532d40b5901457de8f9d0063103a21cea1c2147976be87f6ebfe0416047e4ca7390d9d6eb5c2eb566442badaeabf53572c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7122334.exe

Filesize
628KB

MD5
7f9766db8eeecce172d2b5acd42d555f

SHA1
9e20761ed5bae1b26504269402b5e5cd23cab09c

SHA256
7018712e4419b385c784333b5eea63c09a60f9ef174d26c04e7df9f39d09e02b

SHA512
24a20fcd5e852dae6cdb71ef954e532d40b5901457de8f9d0063103a21cea1c2147976be87f6ebfe0416047e4ca7390d9d6eb5c2eb566442badaeabf53572c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1238954.exe

Filesize
443KB

MD5
c8af7af0dc5669d8dd92f6948855da3b

SHA1
4407177fc2a929f92a848838114535841b2520bf

SHA256
a12152ff4b04e403e51e94d3059f5d06c91a7bf76b855686ef8483fec3e887c8

SHA512
a34141628738a2dd43611302d87d26190ddcfba180f4c2b73cf8a953f9c27d5398287848b37d48497c30ecb836e476f3b5f0b8b1c9c4fe74d3c53437da5f6062

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1238954.exe

Filesize
443KB

MD5
c8af7af0dc5669d8dd92f6948855da3b

SHA1
4407177fc2a929f92a848838114535841b2520bf

SHA256
a12152ff4b04e403e51e94d3059f5d06c91a7bf76b855686ef8483fec3e887c8

SHA512
a34141628738a2dd43611302d87d26190ddcfba180f4c2b73cf8a953f9c27d5398287848b37d48497c30ecb836e476f3b5f0b8b1c9c4fe74d3c53437da5f6062

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2201514.exe

Filesize
700KB

MD5
b39bfcc2df920d5c76e038c559d43ed0

SHA1
56e9d25b376c39f01a4f2e7ab877d7acdebedf02

SHA256
cbcc67bed15b608b68cf0d78c5ea4e372cd00818f43b0adccda8defe784c21cd

SHA512
ff939789b8b31f80f9a3dc51d5a13585aaa0d787e1ba3726580d9ddc38eb5e5eef22ed54e661afbb4572add42bd6f298dcc8c0b4d3b732479be1e94c985075ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2201514.exe

Filesize
700KB

MD5
b39bfcc2df920d5c76e038c559d43ed0

SHA1
56e9d25b376c39f01a4f2e7ab877d7acdebedf02

SHA256
cbcc67bed15b608b68cf0d78c5ea4e372cd00818f43b0adccda8defe784c21cd

SHA512
ff939789b8b31f80f9a3dc51d5a13585aaa0d787e1ba3726580d9ddc38eb5e5eef22ed54e661afbb4572add42bd6f298dcc8c0b4d3b732479be1e94c985075ac

Download Submit
memory/60-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/60-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/60-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/60-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads