fba5c923bc7a6f516d3f307aaf31835487d088b028ef49db4b41364cb1025eb0

General

Target

fba5c923bc7a6f516d3f307aaf31835487d088b028ef49db4b41364cb1025eb0.exe
Size

937KB
MD5

48681961e1d34361d49703ad077b1106
SHA1

393f3e1097d1a20a7419b589254e9f7661146200
SHA256

fba5c923bc7a6f516d3f307aaf31835487d088b028ef49db4b41364cb1025eb0
SHA512

cc5cd42e3d4a342bd48a304e6fdf73e02ad667b4f9dbcc8a6d577682049baebc27f95c03c8306995f0d40a1bd7636f26f44b8981ca2226f7082c9a035c5f8b96
SSDEEP

24576:9yhwuCtwTST+R1yKxPcMqYu4KiZJWRF/:YhwDtGST+RkMmzf

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3420	x5928415.exe
2752	x9920891.exe
1936	x4636611.exe
4900	g2548296.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5928415.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9920891.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x4636611.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fba5c923bc7a6f516d3f307aaf31835487d088b028ef49db4b41364cb1025eb0.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4900 set thread context of 1976	4900	g2548296.exe	74

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4452	4900	WerFault.exe	73
2220	1976	WerFault.exe	74

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 3420	4780	fba5c923bc7a6f516d3f307aaf31835487d088b028ef49db4b41364cb1025eb0.exe	70
PID 4780 wrote to memory of 3420	4780	fba5c923bc7a6f516d3f307aaf31835487d088b028ef49db4b41364cb1025eb0.exe	70
PID 4780 wrote to memory of 3420	4780	fba5c923bc7a6f516d3f307aaf31835487d088b028ef49db4b41364cb1025eb0.exe	70
PID 3420 wrote to memory of 2752	3420	x5928415.exe	71
PID 3420 wrote to memory of 2752	3420	x5928415.exe	71
PID 3420 wrote to memory of 2752	3420	x5928415.exe	71
PID 2752 wrote to memory of 1936	2752	x9920891.exe	72
PID 2752 wrote to memory of 1936	2752	x9920891.exe	72
PID 2752 wrote to memory of 1936	2752	x9920891.exe	72
PID 1936 wrote to memory of 4900	1936	x4636611.exe	73
PID 1936 wrote to memory of 4900	1936	x4636611.exe	73
PID 1936 wrote to memory of 4900	1936	x4636611.exe	73
PID 4900 wrote to memory of 1976	4900	g2548296.exe	74
PID 4900 wrote to memory of 1976	4900	g2548296.exe	74
PID 4900 wrote to memory of 1976	4900	g2548296.exe	74
PID 4900 wrote to memory of 1976	4900	g2548296.exe	74
PID 4900 wrote to memory of 1976	4900	g2548296.exe	74
PID 4900 wrote to memory of 1976	4900	g2548296.exe	74
PID 4900 wrote to memory of 1976	4900	g2548296.exe	74
PID 4900 wrote to memory of 1976	4900	g2548296.exe	74
PID 4900 wrote to memory of 1976	4900	g2548296.exe	74
PID 4900 wrote to memory of 1976	4900	g2548296.exe	74

C:\Users\Admin\AppData\Local\Temp\fba5c923bc7a6f516d3f307aaf31835487d088b028ef49db4b41364cb1025eb0.exe
"C:\Users\Admin\AppData\Local\Temp\fba5c923bc7a6f516d3f307aaf31835487d088b028ef49db4b41364cb1025eb0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5928415.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5928415.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3420
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9920891.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9920891.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4636611.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4636611.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1936
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2548296.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2548296.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4900
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 568
        7⤵
        Program crash
        
        PID:2220
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 584
        6⤵
        Program crash
        
        PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5928415.exe

Filesize
835KB

MD5
bcb12ca14374155dd50e02594a060170

SHA1
1783a3970093b1865a173816d5b8de3cba2ed784

SHA256
5942353d8bea4cd2bcec06cc3d56df285b1bb1a723b765ce6ccaee55cf964d84

SHA512
136a987173db25682de05493ba2364a801f36952eb55781a7238368fac09bb7de5306d8f65c774f168c90f9cc4681a17fc4868b332a5893a7f190c3f68465264

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5928415.exe

Filesize
835KB

MD5
bcb12ca14374155dd50e02594a060170

SHA1
1783a3970093b1865a173816d5b8de3cba2ed784

SHA256
5942353d8bea4cd2bcec06cc3d56df285b1bb1a723b765ce6ccaee55cf964d84

SHA512
136a987173db25682de05493ba2364a801f36952eb55781a7238368fac09bb7de5306d8f65c774f168c90f9cc4681a17fc4868b332a5893a7f190c3f68465264

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9920891.exe

Filesize
571KB

MD5
e23856fb54008e6240dc4d0b8f1edc3b

SHA1
dc8f7377e380ec8dc143f6402cf6e23f00418942

SHA256
9d92386a14b2550d1e11aa56f8ea35f8ca564353a7eebc5f483944a0384ee9ee

SHA512
6b720e9d1447dda7087d7d2880b64cc42e9e503b273ced4015fbc7c2a3cf9103095d77de3f6bef01b9bbc8d648f75abaa5daaab594e131e6f3636edfc178c8d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9920891.exe

Filesize
571KB

MD5
e23856fb54008e6240dc4d0b8f1edc3b

SHA1
dc8f7377e380ec8dc143f6402cf6e23f00418942

SHA256
9d92386a14b2550d1e11aa56f8ea35f8ca564353a7eebc5f483944a0384ee9ee

SHA512
6b720e9d1447dda7087d7d2880b64cc42e9e503b273ced4015fbc7c2a3cf9103095d77de3f6bef01b9bbc8d648f75abaa5daaab594e131e6f3636edfc178c8d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4636611.exe

Filesize
394KB

MD5
0a080b6659006e8a22fc41ca17245a6b

SHA1
354366b0060479fc3046a4ce241b6e5c6e2f324d

SHA256
9865be4c60ffca98bce31f64572a67bddf88ebcc8eddb676d4d778776c72a6ae

SHA512
9358460802caf96009fa9d54ee9769c2e5ab17f87ac3753ed6d02d07b76dbf082a8f6bb6153eac13b8286e99e8446e262352ed4ae6ca99347091c67838451e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4636611.exe

Filesize
394KB

MD5
0a080b6659006e8a22fc41ca17245a6b

SHA1
354366b0060479fc3046a4ce241b6e5c6e2f324d

SHA256
9865be4c60ffca98bce31f64572a67bddf88ebcc8eddb676d4d778776c72a6ae

SHA512
9358460802caf96009fa9d54ee9769c2e5ab17f87ac3753ed6d02d07b76dbf082a8f6bb6153eac13b8286e99e8446e262352ed4ae6ca99347091c67838451e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2548296.exe

Filesize
365KB

MD5
d9b9df3ff52c4b686a471ce960f164aa

SHA1
890f550a82b83711631bbcd50bdac28605e82719

SHA256
8c52ee07ce7e863a179deb711785de58cb1e93ac78a0a095be478545e013d67e

SHA512
b22cebe258aed4c4bfe919b45ccdfcb558f8f8b99e2484555d41b649edad8589367aea3e47ddd959c77eb30a17bdad95ff221fcdd78919e8267999d951904b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2548296.exe

Filesize
365KB

MD5
d9b9df3ff52c4b686a471ce960f164aa

SHA1
890f550a82b83711631bbcd50bdac28605e82719

SHA256
8c52ee07ce7e863a179deb711785de58cb1e93ac78a0a095be478545e013d67e

SHA512
b22cebe258aed4c4bfe919b45ccdfcb558f8f8b99e2484555d41b649edad8589367aea3e47ddd959c77eb30a17bdad95ff221fcdd78919e8267999d951904b5c

Download Submit
memory/1976-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1976-31-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1976-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1976-34-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads