e97fd6d2262422172d4d04a79ed3e1a541c9b197e703967fdb545814194d249f

Analysis

max time kernel
126s
max time network
131s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
22-09-2023 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e97fd6d2262422172d4d04a79ed3e1a541c9b197e703967fdb545814194d249f.exe
Size

1.0MB
MD5

e495bf0771db961d7962131ffcb0d2e6
SHA1

dc5b9dccfb42b798d944f0d799358347d7ac9ccd
SHA256

e97fd6d2262422172d4d04a79ed3e1a541c9b197e703967fdb545814194d249f
SHA512

3e6b859b5767df448ec5fff69beabaf17513d9301a97bef1c34fb43fbbb0af4e0b95cf937521f9e68f927740f51b6cf56e7ad482aca61621d55708bbab578289
SSDEEP

24576:Yy2ax8ni/CxUOsUdRmzP3VI7WRwijEkMEvQxPDLs:f2aGPxrcz9vaJk/E

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
5108	x9751679.exe
2148	x6771750.exe
4356	x4803220.exe
4504	g1271964.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9751679.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6771750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x4803220.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e97fd6d2262422172d4d04a79ed3e1a541c9b197e703967fdb545814194d249f.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4504 set thread context of 880	4504	g1271964.exe	77

Program crash 2 IoCs

pid	pid_target	Process	procid_target
520	4504	WerFault.exe	73
1820	880	WerFault.exe	77

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3868 wrote to memory of 5108	3868	e97fd6d2262422172d4d04a79ed3e1a541c9b197e703967fdb545814194d249f.exe	70
PID 3868 wrote to memory of 5108	3868	e97fd6d2262422172d4d04a79ed3e1a541c9b197e703967fdb545814194d249f.exe	70
PID 3868 wrote to memory of 5108	3868	e97fd6d2262422172d4d04a79ed3e1a541c9b197e703967fdb545814194d249f.exe	70
PID 5108 wrote to memory of 2148	5108	x9751679.exe	71
PID 5108 wrote to memory of 2148	5108	x9751679.exe	71
PID 5108 wrote to memory of 2148	5108	x9751679.exe	71
PID 2148 wrote to memory of 4356	2148	x6771750.exe	72
PID 2148 wrote to memory of 4356	2148	x6771750.exe	72
PID 2148 wrote to memory of 4356	2148	x6771750.exe	72
PID 4356 wrote to memory of 4504	4356	x4803220.exe	73
PID 4356 wrote to memory of 4504	4356	x4803220.exe	73
PID 4356 wrote to memory of 4504	4356	x4803220.exe	73
PID 4504 wrote to memory of 1216	4504	g1271964.exe	75
PID 4504 wrote to memory of 1216	4504	g1271964.exe	75
PID 4504 wrote to memory of 1216	4504	g1271964.exe	75
PID 4504 wrote to memory of 3356	4504	g1271964.exe	76
PID 4504 wrote to memory of 3356	4504	g1271964.exe	76
PID 4504 wrote to memory of 3356	4504	g1271964.exe	76
PID 4504 wrote to memory of 880	4504	g1271964.exe	77
PID 4504 wrote to memory of 880	4504	g1271964.exe	77
PID 4504 wrote to memory of 880	4504	g1271964.exe	77
PID 4504 wrote to memory of 880	4504	g1271964.exe	77
PID 4504 wrote to memory of 880	4504	g1271964.exe	77
PID 4504 wrote to memory of 880	4504	g1271964.exe	77
PID 4504 wrote to memory of 880	4504	g1271964.exe	77
PID 4504 wrote to memory of 880	4504	g1271964.exe	77
PID 4504 wrote to memory of 880	4504	g1271964.exe	77
PID 4504 wrote to memory of 880	4504	g1271964.exe	77

C:\Users\Admin\AppData\Local\Temp\e97fd6d2262422172d4d04a79ed3e1a541c9b197e703967fdb545814194d249f.exe
"C:\Users\Admin\AppData\Local\Temp\e97fd6d2262422172d4d04a79ed3e1a541c9b197e703967fdb545814194d249f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9751679.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9751679.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6771750.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6771750.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4803220.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4803220.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4356
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1271964.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1271964.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4504
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1216
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3356
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 568
        7⤵
        Program crash
        
        PID:1820
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 596
        6⤵
        Program crash
        
        PID:520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9751679.exe

Filesize
932KB

MD5
a9f43cdbdd768dd771954f1cd7fe23ea

SHA1
c97313cdda9890b47a2027f278ad29a8ac859f42

SHA256
559f319876a4423e4c0a3f245591701a6f2f5d400211421cdfb939278b851877

SHA512
574f4b3407edf2c90ce90eb5091de3f3dc8632bc1f524ffc528a2dae40256ffa69eb42a0ba531866f2d3f3abe7a4fca89510d5bf69cdecc02d6a4ed7716b11ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9751679.exe

Filesize
932KB

MD5
a9f43cdbdd768dd771954f1cd7fe23ea

SHA1
c97313cdda9890b47a2027f278ad29a8ac859f42

SHA256
559f319876a4423e4c0a3f245591701a6f2f5d400211421cdfb939278b851877

SHA512
574f4b3407edf2c90ce90eb5091de3f3dc8632bc1f524ffc528a2dae40256ffa69eb42a0ba531866f2d3f3abe7a4fca89510d5bf69cdecc02d6a4ed7716b11ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6771750.exe

Filesize
629KB

MD5
263c70286d2e0812cddb5e62cc00e2b9

SHA1
e8f184753b935ae2950e93c874635fc67ae45262

SHA256
c159d86dddb4448fd42bd206988c075289fec0239d79187677fbc5167ef9d496

SHA512
7d5b31d3d5678866cc003e1ace6889d86b96983fc8cd8407d7081345088ca72a9a5a15403809a1800c7026034bd30061e001895d2699421f069f1b89fbde1855

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6771750.exe

Filesize
629KB

MD5
263c70286d2e0812cddb5e62cc00e2b9

SHA1
e8f184753b935ae2950e93c874635fc67ae45262

SHA256
c159d86dddb4448fd42bd206988c075289fec0239d79187677fbc5167ef9d496

SHA512
7d5b31d3d5678866cc003e1ace6889d86b96983fc8cd8407d7081345088ca72a9a5a15403809a1800c7026034bd30061e001895d2699421f069f1b89fbde1855

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4803220.exe

Filesize
443KB

MD5
2d05715003b65cd7017ae2e221f9046c

SHA1
7ca2e6e116e3932f70daf0ebc30f893cc070ba82

SHA256
45fd61ef5b27efd504eb86af29fadd2ec48a2482d50db947ebbbc3b78fb33854

SHA512
05c09e19a2407238240d94264e84d2fa4440d93f97ca16fe154322f6f988d69db9f29534cc970407471ce6a2d94f266c976003dc6e20d6197ba96d78642f5545

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4803220.exe

Filesize
443KB

MD5
2d05715003b65cd7017ae2e221f9046c

SHA1
7ca2e6e116e3932f70daf0ebc30f893cc070ba82

SHA256
45fd61ef5b27efd504eb86af29fadd2ec48a2482d50db947ebbbc3b78fb33854

SHA512
05c09e19a2407238240d94264e84d2fa4440d93f97ca16fe154322f6f988d69db9f29534cc970407471ce6a2d94f266c976003dc6e20d6197ba96d78642f5545

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1271964.exe

Filesize
700KB

MD5
76b586f51e0feed543123e0b2f29d798

SHA1
dc6bb23a867ed728837281212b74df9c2c74dd8f

SHA256
4552298edc25260e4b40606070625f978e4648d09d0433e3cc5851a77c2b0a16

SHA512
35746194afbdd14e3a9038d55ca21dc66497434131ab263721d78dbfe983b78aecf1ad9abb7aae2ab0d4d64f5212abdf2ccf3bca38457284af145f01ff359c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1271964.exe

Filesize
700KB

MD5
76b586f51e0feed543123e0b2f29d798

SHA1
dc6bb23a867ed728837281212b74df9c2c74dd8f

SHA256
4552298edc25260e4b40606070625f978e4648d09d0433e3cc5851a77c2b0a16

SHA512
35746194afbdd14e3a9038d55ca21dc66497434131ab263721d78dbfe983b78aecf1ad9abb7aae2ab0d4d64f5212abdf2ccf3bca38457284af145f01ff359c68

Download Submit
memory/880-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/880-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/880-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/880-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads